Icinga2 on Ansible - second client node is failing certificate verification

icinga2
(Andrew Beak) #1

Hi,

I’ve installed Icinga2 and am using Ansible to deploy client nodes.

I’m using a single master with no satellites.

I have two agents - “sonarqube” and “graphite”. My sonarqube node is working correctly and is added to my Icinga2 master correctly.

The graphite node is failing certificate verification. The log line looks like this:

[2019-08-22 11:24:56 +0000] information/ApiListener: New client connection for identity 'graphite.mydomain.com' from [ip4 address]:35318 (certificate validation failed: code 18: self signed certificate)
[2019-08-22 11:39:47 +0000] warning/ApiListener: No data received on new API connection for identity 'graphite.mydomain.com'. Ensure that the remote endpoints are properly configured in a cluster setup.

On the agent I get an error like this:

critical/cli: Could not fetch valid response. Please check the master log.

The commands that Ansible produces look like this:

icinga2 pki new-cert --cn graphite.mydomain.com --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt
icinga2 pki save-cert --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --host mymasterip4
icinga2 pki request --host mymasterip4 --port 5665 --ticket validtickethash --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --ca /etc/icinga2/pki/ca.key

On the failing (graphite) node there is no CA certificate at /var/lib/icinga2/certs

If I run openssl x509 -in graphite.mydomain.com -text then I can see it is self-signed.

How do I obtain the CA cert and get the agent node to use it when generating the certificate?

It appears that JsonRpcConnection is not running when I try to get the certificate from the server?

I found a way to work around this manually, but this isn’t going to work for automated deployments.

  • Change the master to connect to the agent machine (and stop the agent from connecting to the master)
  • Wait for the ca list to get populated and manually sign the certificate
  • Revert the change you made in step 1 and try running the key generation again (it works)
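As an added example (this is not part of the original post and not Icinga's own tooling), the following Python script parses master-side ApiListener log lines of the shape quoted above and reports which agent identities never verified successfully, translating the OpenSSL verification code into plain language. It assumes the line format exactly as quoted in the post; the sample log, the third (successful) line and the addresses are constructed. The code table covers OpenSSL's standard X509 verify results, where code 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, i.e. the peer presented a certificate that is not signed by the CA the master trusts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the ApiListener lines quoted in the post.
# Host names follow the post; the addresses are documentation-range placeholders.
SAMPLE_LOG = """\
[2019-08-22 11:24:56 +0000] information/ApiListener: New client connection for identity 'graphite.mydomain.com' from [192.0.2.10]:35318 (certificate validation failed: code 18: self signed certificate)
[2019-08-22 11:39:47 +0000] warning/ApiListener: No data received on new API connection for identity 'graphite.mydomain.com'. Ensure that the remote endpoints are properly configured in a cluster setup.
[2019-08-22 11:40:02 +0000] information/ApiListener: New client connection for identity 'sonarqube.mydomain.com' from [192.0.2.11]:41002
"""

# OpenSSL X509 verification result codes as they appear in Icinga's "code N" messages.
OPENSSL_VERIFY_CODES = {
    10: "certificate has expired",
    18: "peer presented a self-signed certificate (not signed by the master CA)",
    19: "self-signed certificate somewhere in the chain",
    20: "unable to get local issuer certificate (CA cert missing on this side)",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sev>\w+)/ApiListener: (?P<msg>.*)$")
CONN_RE = re.compile(
    r"New client connection for identity '(?P<identity>[^']+)' from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
    r"(?: \(certificate validation failed: code (?P<code>\d+): (?P<reason>[^)]+)\))?"
)
NODATA_RE = re.compile(r"No data received on new API connection for identity '(?P<identity>[^']+)'")


@dataclass
class ApiEvent:
    timestamp: str
    severity: str
    kind: str                        # "connection" or "no_data"
    identity: str
    ip: Optional[str] = None
    port: Optional[int] = None
    verify_code: Optional[int] = None
    verify_reason: Optional[str] = None

    @property
    def cert_ok(self) -> bool:
        # A connection line without the "certificate validation failed" suffix
        # means the peer certificate chained to the CA the master trusts.
        return self.kind == "connection" and self.verify_code is None


def parse_line(line: str) -> Optional[ApiEvent]:
    """Turn one ApiListener log line into an ApiEvent; other lines yield None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, sev, msg = m["ts"], m["sev"], m["msg"]
    c = CONN_RE.match(msg)
    if c:
        code = int(c["code"]) if c["code"] else None
        return ApiEvent(ts, sev, "connection", c["identity"], c["ip"], int(c["port"]), code, c["reason"])
    n = NODATA_RE.match(msg)
    if n:
        return ApiEvent(ts, sev, "no_data", n["identity"])
    return None


def parse_log(text: str) -> List[ApiEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: List[ApiEvent]) -> Dict[str, dict]:
    """Per identity: verified connections, failures seen (code, reason) and silent connections."""
    out: Dict[str, dict] = {}
    for ev in events:
        s = out.setdefault(ev.identity, {"ok": 0, "failed": [], "no_data": 0})
        if ev.kind == "no_data":
            s["no_data"] += 1
        elif ev.cert_ok:
            s["ok"] += 1
        else:
            s["failed"].append((ev.verify_code, ev.verify_reason))
    return out


def failing_identities(summary: Dict[str, dict]) -> Dict[str, str]:
    """Identities that never verified successfully, with a reading of their last failure code."""
    result: Dict[str, str] = {}
    for identity, s in summary.items():
        if s["ok"] == 0 and s["failed"]:
            code, reason = s["failed"][-1]
            result[identity] = OPENSSL_VERIFY_CODES.get(code, reason)
    return result


if __name__ == "__main__":
    for ident, why in failing_identities(summarize(parse_log(SAMPLE_LOG))).items():
        print(f"{ident}: {why}")
```

Run against the master's icinga2.log instead of SAMPLE_LOG to see at a glance which agents are presenting certificates the master CA did not sign, separately from agents that connected but sent no data.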