No, it is NOT the allowed_hosts.
You already checked it 5 times. It is NOT the acl.
Some of the log:
[root@hackbox plugins]# time ./check_nrpe -H 127.0.0.1 12:00:01.138458 IP 127.0.0.1.42830 > 127.0.0.1.5666: Flags [S], seq 288814041, win 43690, options [mss 65495,sackOK,TS val 864077668 ecr 0,nop,wscale 10], length 0 13:48:47.032618 IP 127.0.0.1.5666 > 127.0.0.1.42830: Flags [S.], seq 2522330068, ack 288814042, win 43690, options [mss 65495,sackOK,TS val 864077668 ecr 864077668,nop,wscale 10], length 0 12:00:01.138489 IP 127.0.0.1.42830 > 127.0.0.1.5666: Flags [.], ack 1, win 43, options [nop,nop,TS val 864077668 ecr 864077668], length 0 12:00:01.138929 IP 127.0.0.1.42830 > 127.0.0.1.5666: Flags [P.], seq 1:126, ack 1, win 43, options [nop,nop,TS val 864077668 ecr 864077668], length 125 12:00:01.138939 IP 127.0.0.1.5666 > 127.0.0.1.42830: Flags [.], ack 126, win 43, options [nop,nop,TS val 864077668 ecr 864077668], length 0 Dec 16 12:00:01 hackbox nrpe[27388]: refused connect from 127.0.0.1 (127.0.0.1) 12:00:06.140011 IP 127.0.0.1.5666 > 127.0.0.1.42830: Flags [R.], seq 1, ack 126, win 43, options [nop,nop,TS val 0 ecr 864077668], length 0 CHECK_NRPE: Error - Could not complete SSL handshake. real 0m5.014s user 0m0.005s sys 0m0.008s Dec 16 12:00:57 hackbox nrpe[27623]: refused connect from 127.0.0.1 (127.0.0.1)
What fixed it? Editing the /etc/hosts.allowed and /etc/hosts.deny .