certificate signing issue from master

  • Hi All,


    While adding a node to monitoring and running the wizard I am getting a certificate issue.


    information/cli: Verifying ticket 'cca3d0c7eed7befac040d34e261b0a84e25d4423'.
    information/cli: Verifying master host connection information: host 'icingamaster-infra-prd-sg1-01.sd.int', port '5665'.
    information/cli: Verifying trusted certificate file '/etc/icinga2/pki/trusted-master.crt'.
    information/cli: Using the following CN (defaults to FQDN): 'dataplatform-zookeeper-prd-sg1-06.sd.int'.
    information/cli: Created backup file '/etc/icinga2/pki/dataplatform-zookeeper-prd-sg1-06.sd.int.key.orig'.
    information/cli: Created backup file '/etc/icinga2/pki/dataplatform-zookeeper-prd-sg1-06.sd.int.crt.orig'.
    information/base: Writing private key to '/etc/icinga2/pki/dataplatform-zookeeper-prd-sg1-06.sd.int.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/pki/dataplatform-zookeeper-prd-sg1-06.sd.int.crt'.
    information/cli: Requesting a signed certificate from the master.
    critical/cli: Could not fetch valid response. Please check the master log (notice or debug).
    critical/cli: Failed to request certificate from Icinga 2 master.




    Icinga master logs


    [2016-07-15 19:07:14 +0530] information/ApiListener: New client connection for identity 'dataplatform-zookeeper-prd-sg1-06.sd.int' (client certificate not signed by CA)
    [2016-07-15 19:07:14 +0530] warning/JsonRpcConnection: Error while processing message for identity 'dataplatform-zookeeper-prd-sg1-06.sd.int'
    Error: Could not read serial file.



    (0) libbase.so: void boost::throw_exception<boost::exception_detail::error_info_injector<std::runtime_error> >(boost::exception_detail::error_info_injector<std::runtime_error> const&) (+0x4f) [0x32f57391af]
    (1) libbase.so: void boost::exception_detail::throw_exception_<std::runtime_error>(std::runtime_error const&, char const*, char const*, int) (+0x59) [0x32f5739239]
    (2) libbase.so: icinga::CreateCert(evp_pkey_st*, X509_name_st*, X509_name_st*, evp_pkey_st*, bool, icinga::String const&) (+0x6af) [0x32f56dcfdf]
    (3) libbase.so: icinga::CreateCertIcingaCA(evp_pkey_st*, X509_name_st*) (+0x112) [0x32f56f67f2]
    (4) /usr/lib64/icinga2/libremote.so() [0x32f3ecae56]
    (5) libremote.so: boost::detail::function::function_invoker2<icinga::Value (*)(boost::intrusive_ptr<icinga::MessageOrigin> const&, boost::intrusive_ptr<icinga::Dictionary> const&), icinga::Value, boost::intrusive_ptr<icinga::MessageOrigin> const&, boost::intrusive_ptr<icinga::Dictionary> const&>::invoke(boost::detail::function::function_buffer&, boost::intrusive_ptr<icinga::MessageOrigin> const&, boost::intrusive_ptr<icinga::Dictionary> const&) (+0xf) [0x32f3f0c1cf]
    (6) libremote.so: icinga::ApiFunction::Invoke(boost::intrusive_ptr<icinga::MessageOrigin> const&, boost::intrusive_ptr<icinga::Dictionary> const&) (+0x1d) [0x32f3ebc00d]
    (7) libremote.so: icinga::JsonRpcConnection::MessageHandler(icinga::String const&) (+0x48f) [0x32f3f0569f]
    (8) libremote.so: icinga::JsonRpcConnection::MessageHandlerWrapper(icinga::String const&) (+0x4b) [0x32f3f07e7b]
    (9) libbase.so: icinga::WorkQueue::WorkerThreadProc() (+0x492) [0x32f56f2442]
    (10) /usr/lib64/libboost_thread.so.1.53.0() [0x32f880c5c3]
    (11) /lib64/libpthread.so.0() [0x3d2e0079d1]
    (12) libc.so.6: clone (+0x6d) [0x3d2dce8b6d]


    I don't see the ca.crt file on the node either.


    Thanks
    Rahul
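The master log above reports the node's certificate as "client certificate not signed by CA", and the node has no ca.crt to check against. The following is an added shell example, not code from the thread or from the Icinga project, showing how to classify a node certificate offline with the openssl CLI: self-signed (Issuer equals Subject), signed by the expected CA, or signed by something else. It builds a throwaway CA and constructed test certificates in a temporary directory, so it never touches /etc/icinga2/pki; the names "Icinga CA", "Other CA" and "node.example.test" are illustrative. On a real node you would run classify_cert against the node's /etc/icinga2/pki/<fqdn>.crt and the master's CA certificate (assumed here to live at /etc/icinga2/pki/ca.crt). The master-side "Could not read serial file" error concerns the CA on the master and is not something this check diagnoses.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Icinga project).
# Classifies an Icinga-style node certificate as self-signed, CA-signed or
# untrusted, using only the openssl CLI. All keys and certificates below are
# constructed throwaway test data in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for the master's "CN = Icinga CA" (illustrative name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Icinga CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null

# Node key and CSR, as the node wizard would create before asking the master to sign.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/node.key" \
  -subj "/CN=node.example.test" -out "$WORK/node.csr" 2>/dev/null

# Case 1: certificate correctly signed by the CA.
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/node-signed.crt" 2>/dev/null

# Case 2: the node's own self-signed placeholder (Issuer == Subject), which is
# what is left behind when the signing request to the master fails.
openssl req -x509 -key "$WORK/node.key" -subj "/CN=node.example.test" \
  -days 1 -out "$WORK/node-selfsigned.crt" 2>/dev/null

# Case 3: signed by some other CA (e.g. a different master): not self-signed,
# but still not trusted by the CA we hold.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other-ca.key" \
  -subj "/CN=Other CA" -days 1 -out "$WORK/other-ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/other-ca.crt" -CAkey "$WORK/other-ca.key" \
  -CAcreateserial -days 1 -out "$WORK/node-otherca.crt" 2>/dev/null

# classify_cert CERT CAFILE
# Prints "self-signed" when Issuer equals Subject, "ca-signed" when the
# certificate verifies against CAFILE, "untrusted" otherwise.
# Returns 0 only for "ca-signed", so it can be used directly in a condition.
classify_cert() {
  cert=$1; cafile=$2
  # Strip the "issuer="/"subject=" prefixes; openssl formats both names the same way.
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  subject=$(openssl x509 -in "$cert" -noout -subject)
  if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
    echo self-signed; return 1
  fi
  if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo ca-signed; return 0
  fi
  echo untrusted; return 1
}

# Run the check over the three constructed certificates.
for c in node-signed node-selfsigned node-otherca; do
  printf '%s: ' "$c"; classify_cert "$WORK/$c.crt" "$WORK/ca.crt" || true
done
```

A "self-signed" result on a real node means the wizard never received the master-signed certificate, so the node is still presenting its own placeholder; "untrusted" means the certificate was signed, but not by the CA in the file you passed, which is worth checking when more than one master or CA has existed.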

  • I was following the troubleshooting steps and figured out that the Issuer of the certificate is the node itself.



    I copied ca.crt from another node and tested:



    openssl s_client -CAfile ca.crt -cert dataplatform-zookeeper-prd-sg1-06.sd.int.crt -key dataplatform-zookeeper-prd-sg1-06.sd.int.key -connect icingamaster-infra-prd-sg1-01.sd.int:5665
    CONNECTED(00000003)
    depth=1 CN = Icinga CA
    verify return:1
    depth=0 CN = icingamaster-infra-prd-sg1-01.sd.int
    verify return:1



    But why is the failed node not able to get ca.crt and initiate the communication?



    Also, the issuer in the certificate doesn't seem to be correct:


    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=dataplatform-zookeeper-prd-sg1-06.sd.int