Hello, and thanks in advance for any input!
I'm new to Icinga2. I worked with Nagios about a year ago, briefly. I'm glad to see that this fork resolves a couple of the things I didn't like about Nagios, and I'm really excited to start using it!
I have a basic monitoring server already configured, with Icinga 2 and Icinga Web 2. It's still pretty much just "out of the box" Icinga, which is configured to monitor 8 hosts at the moment (just ping-based "host alive" checks).
I'm now moving on to configuring agent-based monitoring. What I can gather from the documentation is that a "distributed monitoring" setup is the preferred way to do this, outlined in this guide: https://docs.icinga.com/icinga…d-monitoring-setup-master
I've followed that guide very closely, and have retraced my steps a couple times to make sure they were correctly applied. I can elaborate more as needed, but am not sure exactly what details may be useful.
The issue I'm running into is when running the "icinga2 node wizard" command on the Client. After entering the appropriate responses, I get the following error message:
- information/base: Writing private key to '/etc/icinga2/pki/widow.key'.
- information/base: Writing X509 certificate to '/etc/icinga2/pki/widow.crt'.
- information/cli: Fetching public certificate from master (10.1.2.151, 5665):
- critical/TcpSocket: Invalid socket: Connection timed out
- critical/pki: Cannot connect to host '10.1.2.151' on port '5665'
- critical/cli: Peer did not present a valid certificate.
For reference, sentinel is the hostname of my Icinga2 Master, and widow is the hostname of my Client.
I've tried to work through some basic troubleshooting steps, but am not sure where all to look. Here's what I've checked/confirmed:
On sentinel (Master):
/var/lib/icinga2/ca exists
/etc/icinga2/pki/ contains the following: ca.crt sentinel.crt sentinel.csr sentinel.key
/etc/icinga2/features-enabled/api.conf looks like this:
- /**
- * The API listener is used for distributed monitoring setups.
- */
- object ApiListener "api" {
- cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
- key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
- ca_path = SysconfDir + "/icinga2/pki/ca.crt"
- bind_host = "192.168.1.151"
- bind_port = 5665
- ticket_salt = TicketSalt
- }
/etc/icinga2/constants.conf looks like this:
- /* The directory which contains the plugins from the Monitoring Plugins project. */
- const PluginDir = "/usr/lib/nagios/plugins"
- /* The directory which contains the Manubulon plugins.
- * Check the documentation, chapter "SNMP Manubulon Plugin Check Commands", for details.
- */
- const ManubulonPluginDir = "/usr/lib/nagios/plugins"
- /* The directory which you use to store additional plugins which ITL provides user contributed command definitions for.
- * Check the documentation, chapter "Plugins Contribution", for details.
- */
- const PluginContribDir = "/usr/lib/nagios/plugins"
- /* Our local instance name. By default this is the server's hostname as returned by `hostname --fqdn`.
- * This should be the common name from the API certificate.
- */
- const NodeName = "sentinel"
- /* Our local zone name. */
- const ZoneName = "sentinel"
- /* Secret key for remote node tickets */
- const TicketSalt = "5c705675de2073c913074db389bde90e"
And here's as far as I've made it through the client-side setup:
Ran command
(The guide didn't indicate I need to add --salt, but the command gave me an error when I didn't)
Added the client-pki-ticket user to /etc/icinga2/conf.d/api-users.conf as indicated:
Went back into the Master node, and ran the curl command to retrieve ticket:
I noticed this didn't give any text output. If I understood the documentation right, I should have received a ticket number for having done this, so at this point I believe I've done something wrong.
I did check that my master node is listening on 5665 with the following:
This is the point I tried the icinga2 node wizard command, and got the results posted in the first code box. I'm not sure what else to check. Any assistance would be greatly appreciated!
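An added example, not part of the original post: a small Python check that reads the ApiListener bind address from api.conf and compares it with the address the node wizard reported it could not reach. The function names are hypothetical, and the sample inputs are constructed from the configuration and wizard output quoted above.

```python
import re

# Constructed sample input, taken from the api.conf and wizard output in the post.
API_CONF = '''
object ApiListener "api" {
  cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
  bind_host = "192.168.1.151"
  bind_port = 5665
  ticket_salt = TicketSalt
}
'''
WIZARD_LOG = '''
information/cli: Fetching public certificate from master (10.1.2.151, 5665):
critical/TcpSocket: Invalid socket: Connection timed out
critical/pki: Cannot connect to host '10.1.2.151' on port '5665'
'''

def listener_binding(conf_text):
    """Return (bind_host, bind_port); host is None when unset, port defaults to 5665."""
    block = re.search(r'object\s+ApiListener\s+"[^"]*"\s*\{(.*?)\}', conf_text, re.S)
    if block is None:
        raise ValueError("no ApiListener object found")
    body = block.group(1)
    host = re.search(r'^\s*bind_host\s*=\s*"([^"]*)"', body, re.M)
    port = re.search(r'^\s*bind_port\s*=\s*(\d+)', body, re.M)
    return (host.group(1) if host else None, int(port.group(1)) if port else 5665)

def wizard_target(log_text):
    """Return the (host, port) the node wizard failed to reach, or None."""
    m = re.search(r"Cannot connect to host '([^']+)' on port '(\d+)'", log_text)
    return (m.group(1), int(m.group(2))) if m else None

def compare(conf_text, log_text):
    """List differences between where the master listens and where the client connected."""
    bind_host, bind_port = listener_binding(conf_text)
    target = wizard_target(log_text)
    if target is None:
        return []
    host, port = target
    findings = []
    # With bind_host set, the listener accepts connections on that address only.
    if bind_host is not None and bind_host != host:
        findings.append(f"listener bound to {bind_host}, client tried {host}")
    if bind_port != port:
        findings.append(f"listener on port {bind_port}, client tried {port}")
    return findings

if __name__ == "__main__":
    for finding in compare(API_CONF, WIZARD_LOG):
        print(finding)
```

A reported difference is a lead rather than a diagnosis: address translation between the two networks would produce the same finding, and a timeout can also come from a firewall dropping traffic to port 5665.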