I'm trying to set up an icinga-client with icinga2 node setup, using the following cmd:
Because the master (internal network) is not accessible from the client (DMZ), I've already created the certs on the master and stored them on the client in /etc/icinga2/pki/:
The icinga2 node setup fails; see the response:
- information/cli: Verifying ticket '<TICKET_SALT>'.
- information/cli: Verifying master host connection information: host '<MASTER_FQDN>', port '5665'.
- information/cli: Verifying trusted certificate file '/etc/icinga2/pki/trusted-master.crt'.
- information/cli: Using the following CN (defaults to FQDN): '<CLIENT_FQDN>'.
- information/cli: Created backup file '/etc/icinga2/pki/<CLIENT_FQDN>.key.orig'.
- information/cli: Created backup file '/etc/icinga2/pki/<CLIENT_FQDN>.crt.orig'.
- information/base: Writing private key to '/etc/icinga2/pki/<CLIENT_FQDN>.key'.
- information/base: Writing X509 certificate to '/etc/icinga2/pki/<CLIENT_FQDN>.crt'.
- information/cli: Requesting a signed certificate from the master.
- critical/TcpSocket: Invalid socket: Connection timed out
- critical/cli: Cannot connect to host '<MASTER_FQDN>' on port '5665'
- critical/cli: Failed to request certificate from Icinga 2 master
As you can see, the CLI tries to recreate the client cert with the master's CA.
Is it possible to use icinga2 node setup without contacting the master server? Or do I have to set up the config manually (which is very error-prone)?
Any further suggestions for this scenario?
Thanks for your help!