I’ve installed Icinga2 and am using Ansible to deploy client nodes.
I’m using a single master with no satellites.
I have two agents - “sonarqube” and “graphite”. My sonarqube node is working correctly and is added to my Icinga2 master correctly.
The graphite node is failing certificate verification. The log line looks like this:
```
[2019-08-22 11:24:56 +0000] information/ApiListener: New client connection for identity 'graphite.mydomain.com' from [ip4 address]:35318 (certificate validation failed: code 18: self signed certificate)
[2019-08-22 11:39:47 +0000] warning/ApiListener: No data received on new API connection for identity 'graphite.mydomain.com'. Ensure that the remote endpoints are properly configured in a cluster setup.
```
On the agent I get an error like this:
critical/cli: Could not fetch valid response. Please check the master log.
The commands that Ansible produces look like this:
```
icinga2 pki new-cert --cn graphite.mydomain.com --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt
icinga2 pki save-cert --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --host mymasterip4
icinga2 pki request --host mymasterip4 --port 5665 --ticket validtickethash --key /etc/icinga2/pki/graphite.mydomain.com.key --cert /etc/icinga2/pki/graphite.mydomain.com.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --ca /etc/icinga2/pki/ca.key
```
On the failing (graphite) node there is no CA certificate at /var/lib/icinga2/certs.
If I run `openssl x509 -in graphite.mydomain.com -text` then I can see it is self-signed.
How do I obtain the CA cert and get the agent node to use it when generating the certificate?
It appears that JsonRpcConnection is not running when I try to get the certificate from the server?
I found a way to work around this manually, but this isn’t going to work for automated deployments.
- Change the master to connect to the agent machine (and stop the agent from connecting to the master)
- Wait for the `ca list` to get populated and manually sign the certificate
- Revert the change you made in step 1 and try running the key generation again (it works)
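An added diagnostic for the situation above (not part of the original post or of Icinga 2 itself): it reports whether an agent's certificate is self-signed, whether the CA certificate is present, and whether the agent certificate actually chains to that CA. It assumes Icinga 2's default certificate directory `/var/lib/icinga2/certs` and the file names `<cn>.crt` and `ca.crt`; both can be passed explicitly.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post. Requires the openssl CLI.
CERT_DIR="${CERT_DIR:-/var/lib/icinga2/certs}"   # Icinga 2 default, assumed

# Returns 0 when the certificate's issuer equals its subject (self-signed),
# 1 when it was issued by another entity, 2 when the file cannot be parsed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# Returns openssl's verification status for cert "$1" against CA file "$2".
verify_against_ca() {
    [ -r "$2" ] || return 2
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check one agent's certificate directory "$1" for common name "$2".
# Exit codes: 0 = CA-signed and verifies, 1 = self-signed (the symptom in
# the post), 2 = ca.crt missing, 3 = present but does not chain to ca.crt.
check_agent_certs() {
    dir="$1"; cn="$2"
    cert="$dir/$cn.crt"; ca="$dir/ca.crt"
    if is_self_signed "$cert"; then
        echo "$cert is self-signed (issuer equals subject); the master will reject it"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "CA certificate missing: $ca"
        return 2
    fi
    if verify_against_ca "$cert" "$ca"; then
        echo "$cert chains to $ca"
        return 0
    fi
    echo "$cert does not verify against $ca"
    return 3
}

# Usage on an agent: check_agent_certs "$CERT_DIR" "$(hostname -f)"
```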