icinga2 agent with master behind NAT - Client TLS handshake failed

  • Hi,

    First of all, thanks for your effort, I really appreciate the work you have done on icinga2. It is a great piece of software.


    I have unsuccessfully tried to integrate an icinga2 agent without a direct connection to the icinga2 master. The master is behind NAT, while the agent (it is supposed to be a satellite) is directly accessible on the internet.


    What I have done:

    - generated fqdn.crt and fqdn.key on the icinga client via ( icinga2 pki new-cert )

    - copied ca.crt and trusted-master.crt manually from the icinga master to the icinga client.

    - copied the client's fqdn.crt and fqdn.key to a temporary directory on the master and signed the cert by issuing "icinga2 pki request"

    - modified constants.conf, icinga2.conf, zones.conf and features-available/api.conf ( accept_commands = true, accept_config = true)


    When I added the new agent on the master via the Director, it resulted in the following errors on the client:

    That error should be caused by SSL, because IP_of_gateway is not the same as the icinga master FQDN, if I understand it correctly.


    So my question is whether there is any workaround for agent integration when there cannot be a direct connection from the icinga agent to the icinga master. Is there anything I can use in this case? Thanks for all your comments and wise suggestions.

  • Hi,


    If I understand you correctly, the log output comes from your client, right?


    Which connection direction do you want to use? Master -> Client or Client -> Master?


    Please share your zones.conf from your master and client.

    I want to use the client as a satellite, and I want to use the direction Master -> Client.


    zones.conf on master:

    object Endpoint "icinga.test.lan" {
    }

    object Zone "master" {
      endpoints = [ "icinga.test.lan" ]
    }


    And of course there is a global zone defined in the Director:

    object Zone "director-global" {
      parent = "master"
      global = true
    }



    zones.conf on client:

    object Endpoint "icinga.test.lan" {}

    object Zone "master" {
      endpoints = [ "icinga.test.lan" ]
    }

    object Endpoint NodeName {
    }

    object Zone ZoneName {
      endpoints = [ NodeName ]
      parent = "master"
    }

    object Zone "director-global" {
      global = true
    }


    while in constants.conf there is a definition of NodeName and ZoneName ( NodeName=ZoneName )
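As an added illustration (not from the thread and not Icinga's own documentation) of the Master -> Client direction asked about above: in Icinga 2 the side whose Endpoint object for the peer carries a `host` attribute is the side that opens the connection, so the master's zones.conf gets the agent endpoint with `host`, while the agent's copy of the master endpoint has none and the agent never tries to reach the master through the NAT. The agent name `agent.example.com` and the address `203.0.113.10` are constructed placeholders; the agent's certificate CN must equal its Endpoint name and be signed by the same CA as the master's, otherwise the handshake is rejected regardless of direction. With the Director, the agent Endpoint and Zone would be created from the Director's endpoint definition (with its host field) instead of being hand-written here.

```conf
/* zones.conf on the master (icinga.test.lan), constructed example.
 * The agent endpoint carries host/port, so the master connects outward. */
object Endpoint "icinga.test.lan" {
}

object Zone "master" {
  endpoints = [ "icinga.test.lan" ]
}

object Endpoint "agent.example.com" {
  host = "203.0.113.10"   // constructed placeholder: the agent's public address
  port = "5665"
}

object Zone "agent.example.com" {
  endpoints = [ "agent.example.com" ]
  parent = "master"
}

object Zone "director-global" {
  global = true
}

/* zones.conf on the agent (NodeName = "agent.example.com" in constants.conf).
 * The master endpoint deliberately has no host attribute: the agent only
 * listens on 5665 and never initiates a connection to the master. */
object Endpoint "icinga.test.lan" {
}

object Zone "master" {
  endpoints = [ "icinga.test.lan" ]
}

object Endpoint NodeName {
}

object Zone ZoneName {
  endpoints = [ NodeName ]
  parent = "master"
}

object Zone "director-global" {
  global = true
}
```

The agent side also needs the api feature enabled with `accept_commands = true` and `accept_config = true`, as already listed in the first post, so that it accepts checks and configuration pushed by the master.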