How to set up Master -> Satellite -> Icinga2 Agent certificates the right way


(Marco) #1

Dear Support/Forum,
we changed over from standalone NSClient to NSClient via an Icinga2 Agent connection.
The current situation is:
Master in Hamburg “OnShore”. Satellites on the ships “OffShore” and clients with Icinga2 Agent.
We have a working config to check some OnShore agents directly from the master. We did the same setup with certificates on the satellites to check the agents from the satellites, but the satellite did not accept the client certificate because it is self-signed, and we can see the request on master and satellite. I signed the requests on both systems, but same issue.

How do we have to set up the certificates?

(Reto Zeder) #2


Did you check the docs about the possibilities you have for certificate signing? The whole chapter about distributed monitoring is written pretty well and in detail -> Distributed Monitoring

Generally, you just need one CA which does all the certificate signing, normally located on the Icinga2 master itself. So you have the CSR auto-signing, which needs a generated ticket from your master, or you have the on-demand CSR signing, which proxies the requests from your agents through the satellite to the master host. Your satellites are not able to sign the certificates for your clients by default, only if you'd stretch the CA from your master to your satellites.

Nice drawing, btw. :)

(Marco) #3

Yes, I have read it. But certificates are one of my weak points. I read it again, and your note with the master helps me.

Regards Marco.

(Thomas Widhalm) #4

Hi, generally speaking, if you're working without the pregenerated tickets, you can just use a satellite like you would use a master. The agents shouldn't have any information at all about the master and use the satellite instead.

Just connect the agent to the master and sign the certificate request on the master.

If it doesn't work, please copy & paste some log entries about the connection.

(Marco) #5

Hi Thomas,
Success! I have found my mistake.

In all the tries with the CAs I had typed dots instead of dashes twice. In the end everything was configured correctly, but the entry in the zones.conf on the Icinga Agent and the hostname in the Director were faulty. Finally, I didn't notice that in the log.
I will install the agent on another machine and check if it is working when I enter everything right.

Thanks for the effort … the problem was between the ears.

Best regards Marco.
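The slip Marco describes (a certificate CN written with dots, an Endpoint name written with dashes) is cheap to catch before the agent ever talks to the satellite. The following shell script is an added example, not code from this thread or from the Icinga project: it writes a constructed agent-side zones.conf for the master -> satellite -> agent layout discussed above (the agent configured only with its parent satellite, as Thomas suggests, and no knowledge of the master) and checks that the Endpoint and Zone names match the certificate CN and the expected parent zone. The host names agent1.ship.example and sat1.ship.example and the zone name ship-satellite are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Icinga project: check that an
# agent's zones.conf matches the CN of its certificate before it connects to
# the satellite. All host and zone names below are constructed.

# Write a constructed agent-side zones.conf. The agent only knows its parent
# (the satellite), not the master.
#   $1 output file, $2 agent endpoint/zone name, $3 satellite endpoint (FQDN),
#   $4 satellite zone name
write_agent_zones_conf() {
  cat > "$1" <<EOF
object Endpoint "$3" { host = "$3"; port = "5665" }
object Zone "$4" { endpoints = [ "$3" ] }

object Endpoint "$2" { }
object Zone "$2" { endpoints = [ "$2" ]; parent = "$4" }

object Zone "global-templates" { global = true }
EOF
}

# Validate zones.conf ($1) against the certificate CN ($2) and the expected
# parent zone ($3). On a real agent the CN would come from
#   openssl x509 -noout -subject -in /var/lib/icinga2/certs/$(hostname -f).crt
# Returns 0 when consistent, otherwise prints one FAIL line per problem and returns 1.
check_agent_zones() {
  conf=$1; cn=$2; parent=$3; rc=0
  # Fixed-string grep (-F): with a regex the dots in the CN would also match
  # the dashes of a mistyped name and hide exactly the error we look for.
  if ! grep -qF "object Endpoint \"$cn\"" "$conf"; then
    echo "FAIL: no Endpoint object named \"$cn\" in $conf"
    alt=$(printf '%s' "$cn" | tr '.-' '-.')
    grep -qF "object Endpoint \"$alt\"" "$conf" && \
      echo "HINT: found \"$alt\" instead; dots and dashes swapped?"
    rc=1
  fi
  zone_line=$(grep -F "object Zone \"$cn\"" "$conf")
  if [ -z "$zone_line" ]; then
    echo "FAIL: no Zone object named \"$cn\""; rc=1
  else
    printf '%s\n' "$zone_line" | grep -qF "endpoints = [ \"$cn\" ]" || {
      echo "FAIL: Zone \"$cn\" does not list Endpoint \"$cn\""; rc=1; }
    printf '%s\n' "$zone_line" | grep -qF "parent = \"$parent\"" || {
      echo "FAIL: Zone \"$cn\" does not have parent \"$parent\""; rc=1; }
  fi
  # The parent zone's endpoint needs a host attribute, otherwise the agent
  # never connects out and waits for an inbound connection from the satellite.
  parent_ep=$(grep -F "object Zone \"$parent\"" "$conf" |
              sed 's/.*endpoints = \[ "\([^"]*\)".*/\1/')
  if [ -z "$parent_ep" ]; then
    echo "FAIL: parent Zone \"$parent\" is not defined on the agent"; rc=1
  elif ! grep -F "object Endpoint \"$parent_ep\"" "$conf" | grep -qF 'host = '; then
    echo "FAIL: Endpoint \"$parent_ep\" has no host attribute; agent cannot connect out"; rc=1
  fi
  return $rc
}

# Demonstration with constructed names: a correct agent config and one with
# the dot/dash slip described in the thread.
demo() {
  dir=$(mktemp -d)
  write_agent_zones_conf "$dir/good.conf" agent1.ship.example sat1.ship.example ship-satellite
  check_agent_zones "$dir/good.conf" agent1.ship.example ship-satellite && echo "good.conf: OK"
  write_agent_zones_conf "$dir/bad.conf" agent1-ship-example sat1.ship.example ship-satellite
  check_agent_zones "$dir/bad.conf" agent1.ship.example ship-satellite || echo "bad.conf: rejected"
  rm -rf "$dir"
}
demo
```

On a real agent `icinga2 daemon -C` validates the syntax of zones.conf, but it does not compare the object names against the certificate; a mismatch only surfaces later as a refused connection in the satellite's log, which is why a check like this belongs before the first connection attempt.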

(Thomas Widhalm) #6

That’s great to hear! Could you just tick the “Solution” checkbox on one of the posts? So other users see that you don’t need any more help.