Not able to register Icinga client to Icinga master using custom port

  • Hi All


    I am trying to register an Icinga client using the command line with a custom port, which is ELB port 80, and my ELB is configured as:


    ELB port 80 ==> instance port 5665


    It's working fine when I try to register the Icinga client using node wizard:


    Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
    Host [xx.example.com]:
    Port [80]:
    information/base: Writing private key to '/etc/icinga2/pki/client.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/pki/client.crt'.
    information/cli: Fetching public certificate from master (xx.example.com, 80):


    But when I try to register the client using the command line, it picks up the default port 5665.



    working


    icinga2 pki new-cert --cn $nodecn --key $pki_dir/$nodecn.key --cert $pki_dir/$nodecn.crt
    information/base: Writing private key to '/etc/icinga2/jira-dev-1.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/jira-dev-1.crt'.


    working


    icinga2 pki save-cert --key $pki_dir/$nodecn.key --cert $pki_dir/$nodecn.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --host $ICINGA2_IP --port 80
    information/pki: Writing certificate to file '/etc/icinga2/pki/trusted-master.crt'.


    Not working (how to give the master port in this command?)


    icinga2 node setup --ticket $ticket --cn=$nodecn --endpoint ${ICINGA2_HOST},${ICINGA2_IP},80 --zone $nodecn --master_host ${ICINGA2_IP} --trustedcert /etc/icinga2/pki/trusted-master.crt --accept-commands --accept-config




    information/cli: Verifying ticket 'wdwje32389e2ejwd92w0220'.
    information/cli: Verifying master host connection information: host 'xx.example.com', port '5665'.
    information/cli: Verifying trusted certificate file '/etc/icinga2/pki/trusted-master.crt'.

  • Note: You shouldn't use any privileged port <1024 for Icinga 2 but the default 5665. Obviously your icinga2 master daemon is running as root then.

  • Note: You shouldn't use any privileged port <1024 for Icinga 2 but the default 5665. Obviously your icinga2 master daemon is running as root then.

    I am using the default port 5665 on the master. The only thing that I want is that all registration requests go through port 80; as I mentioned above, my ELB is configured to forward all requests coming in on port 80 to port 5665, and it's working when I try to register through node wizard. I need help with the command-line syntax, please see the steps below.


    netstat -na |grep 5665
    tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN



    1. When I try to register the client through node wizard, it registers successfully:


    ###################################################


    icinga2 node wizard
    Welcome to the Icinga 2 Setup Wizard!


    We'll guide you through all required configuration details.




    Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
    Starting the Node setup routine...
    Please specifiy the common name (CN) []:client
    Please specify the master endpoint(s) this node should connect to:
    Master Common Name (CN from your master setup): xx.example.com
    Do you want to establish a connection to the master from this node? [Y/n]: y
    Please fill out the master connection information:
    Master endpoint host (Your master's IP address or FQDN): xx.example.com
    Master endpoint port [5665]: 80
    Add more master endpoints? [y/N]:
    Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
    Host [xx.example.com]:
    Port [80]:
    information/base: Writing private key to '/etc/icinga2/pki/client.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/pki/client.crt'.
    information/cli: Fetching public certificate from master ( xx.example.com, 80):

    Certificate information:

    Subject: CN = xx.example.com
    Issuer: CN = Icinga CA
    Valid From: Jul 24 06:34:41 2016 GMT
    Valid Until: Jul 21 06:34:41 2031 GMT
    Fingerprint: xx xx xxx


    Is this information correct? [y/N]: y
    information/cli: Received trusted master certificate.


    Please specify the request ticket generated on your Icinga 2 master.
    (Hint: # icinga2 pki ticket --cn 'client'): djdhew83ej3e9ded3dwdedee32
    information/cli: Requesting certificate with ticket 'djdhew83ej3e9ded3dwdedee32'.


    warning/cli: Backup file '/etc/icinga2/pki/ca.crt.orig' already exists. Skipping backup.
    information/cli: Created backup file '/etc/icinga2/pki/client.orig'.
    information/cli: Writing signed certificate to file '/etc/icinga2/pki/client.crt'.
    information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
    Please specify the API bind host/port (optional):
    Bind Host []:
    Bind Port []:
    Accept config from master? [y/N]: y
    Accept commands from master? [y/N]: y
    information/cli: Disabling the Notification feature.
    Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
    information/cli: Enabling the Apilistener feature.
    warning/cli: Feature 'api' already enabled.
    warning/cli: Backup file '/etc/icinga2/features-available/api.conf.orig' already exists. Skipping backup.
    information/cli: Generating local zones.conf.
    information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
    warning/cli: Backup file '/etc/icinga2/zones.conf.orig' already exists. Skipping backup.
    information/cli: Updating constants.conf.
    warning/cli: Backup file '/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
    information/cli: Updating constants file '/etc/icinga2/constants.conf'.
    information/cli: Updating constants file '/etc/icinga2/constants.conf'.
    Done.
    ################################################


    2. When I try to register the client using the command line, it connects to the default port 5665 when I run the icinga2 node setup and icinga2 pki request commands, and in the help menu there is no option to give the master port, like the port option we have in the icinga2 pki save-cert command; see commands ii and iii.

    ########################################

    i) icinga2 pki new-cert --cn client --key $pki_dir/client.key --cert $pki_dir/client.crt


    information/base: Writing private key to '/etc/icinga2/pki/client.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/pki/client.crt'.



    ii) icinga2 pki save-cert --key $pki_dir/client.key --cert $pki_dir/client.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --host eut-monitor.cloud.corporate.ge.com --port 80

    information/pki: Writing certificate to file '/etc/icinga2/pki/trusted-master.crt'.



    iii) icinga2 pki request --host eut-monitor.cloud.corporate.ge.com --port 80 --ticket $ticket --key $pki_dir/client.key --cert $pki_dir/client.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --ca $pki_dir/ca.crt

    information/cli: Writing signed certificate to file '/etc/icinga2/pki/client.crt'.
    information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.




    iv) icinga2 node setup --ticket $ticket --cn=client --endpoint xx.example.com,xx.example.com,80 --zone client --master_host xx.example.com --trustedcert /etc/icinga2/pki/trusted-master.crt --accept-commands --accept-config


    information/cli: Verifying ticket djdhew83ej3e9ded3dwdedee32.
    information/cli: Verifying master host connection information: host 'xx.example.com', port '5665'. <<<<<<<
    information/cli: Verifying trusted certificate file '/etc/icinga2/pki/trusted-master.crt'.
    information/cli: Using the following CN (defaults to FQDN): 'client'.
    information/cli: Created backup file '/etc/icinga2/pki/client.key.orig'.
    warning/cli: Backup file '/etc/icinga2/pki/client.crt.orig' already exists. Skipping backup.
    information/base: Writing private key to '/etc/icinga2/pki/client.key'.
    information/base: Writing X509 certificate to '/etc/icinga2/pki/client.crt'.
    information/cli: Requesting a signed certificate from the master.
    critical/TcpSocket: Invalid socket: Connection timed out
    critical/cli: Cannot connect to host 'xx.example.com' on port '5665' <<<<<
    critical/cli: Failed to request certificate from Icinga 2 master.



    There is no option to give a port number like icinga2 pki save-cert and icinga2 pki request have:

    icinga2 node setup --help


    Command options:
    --zone arg The name of the local zone
    --master_host arg The name of the master host for auto-signing the csr
    --endpoint arg Connect to remote endpoint; syntax: cn[,host,port]
    --listen arg Listen on host,port
    --ticket arg Generated ticket number for this request
    --trustedcert arg Trusted master certificate file
    --cn arg The certificate's common name
    --accept-config Accept config from master
    --accept-commands Accept commands from master
    --master Use setup for a master instance



    Please suggest how to resolve this.

  • Aha, interesting approach.


    You might try --master_host host[,port] which is missing in the help text.

  • Thanks for the quick help, dnsmichi, it works with --master_host xx.example.com,80.
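
The registration sequence from this thread as one script, using the --master_host host,port form that resolved it. This is an added example, not code from the thread or from the Icinga project. It assumes the master's CN equals its host name (as in command iv), and the helper names and the pinned SHA-256 fingerprint (computed out of band with the same openssl command on the master's own certificate) are assumptions; the pin check takes the place of the wizard's "Is this information correct?" prompt, which does not appear in the command-line runs above.

```shell
#!/bin/sh
# Added example: scripted registration through a forwarded port, with the
# fetched master certificate checked against a pinned fingerprint.
set -eu

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces; upper-case.
norm_fp() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeeds only if both fingerprints are non-empty and equal after normalising.
fp_matches() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Value for --master_host in the host[,port] form given in the thread.
master_host_arg() {
    if [ -n "${2:-}" ]; then printf '%s,%s' "$1" "$2"; else printf '%s' "$1"; fi
}

# register_client CN MASTER_HOST MASTER_PORT TICKET PINNED_SHA256 [PKI_DIR]
register_client() {
    cn=$1; host=$2; port=$3; ticket=$4; pin=$5; pki=${6:-/etc/icinga2/pki}
    trusted="$pki/trusted-master.crt"

    icinga2 pki new-cert --cn "$cn" --key "$pki/$cn.key" --cert "$pki/$cn.crt"
    icinga2 pki save-cert --key "$pki/$cn.key" --cert "$pki/$cn.crt" \
        --trustedcert "$trusted" --host "$host" --port "$port"

    # save-cert stores whatever certificate the port returns; compare it with
    # the out-of-band pin (an assumption of this example) before trusting it.
    got=$(openssl x509 -noout -fingerprint -sha256 -in "$trusted")
    if ! fp_matches "$got" "$pin"; then
        echo "master certificate fingerprint mismatch, aborting" >&2
        rm -f "$trusted"
        return 1
    fi

    icinga2 node setup --ticket "$ticket" --cn "$cn" \
        --endpoint "$host,$host,$port" --zone "$cn" \
        --master_host "$(master_host_arg "$host" "$port")" \
        --trustedcert "$trusted" --accept-commands --accept-config
}

# Runs only when called with arguments, e.g.:
#   ./register.sh client xx.example.com 80 "$ticket" "$PINNED_SHA256"
if [ "$#" -ge 5 ]; then register_client "$@"; fi
```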