Hi,
First of all, thanks for your effort, I really appreciate the work you have done on icinga2. It is a great piece of software.
I have unsuccessfully tried to integrate an icinga2 agent without a direct connection to the icinga2 master. The master is behind NAT, while the agent (it is supposed to be a satellite) is directly accessible on the internet.
What I have done:
- generated fqdn.crt and fqdn.key on the icinga client via (icinga2 pki new-cert)
- manually copied ca.crt and trusted-master.crt from the icinga master to the icinga client.
- copied fqdn.crt and fqdn.key of the client to a temporary directory on the master and signed the cert by issuing "icinga2 pki request"
- modified constants.conf, icinga2.conf, zones.conf and features-available/api.conf (accept_commands = true, accept_config = true)
When I added the new agent on the master via Director, it resulted in the following errors on the client:
- [2017-12-27 19:09:39 +0100] warning/TlsStream: TLS stream was disconnected.
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:58186)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:37149)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:40814)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:8558)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:29458)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:39014)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
- [2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:18734)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:46 +0100] warning/TlsStream: TLS stream was disconnected.
- [2017-12-27 19:09:46 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:19115)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:46 +0100] warning/TlsStream: OpenSSL error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
- [2017-12-27 19:09:46 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:40332)
- Context:
- (0) Handling new API client connection
- [2017-12-27 19:09:46 +0100] information/ApiListener: New client connection from [IP_of_gateway]:40843 (no client certificate)
- [2017-12-27 19:09:57 +0100] information/ApiListener: New client connection from [IP_of_gateway]:9327 (no client certificate)
That error should be caused by SSL, because IP_of_gateway is not the same as the icinga master FQDN, if I understand it correctly.
So my question is whether there is any workaround for agent integration when there cannot be a direct connection from the icinga agent to the icinga master. Is there anything I can use in this case? Thanks for all your comments and wise suggestions.
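An added triage example, not part of the original post and not Icinga project code: it groups the ApiListener handshake failures in a log of the format quoted above by peer and by the OpenSSL reason string, and counts connections accepted without a client certificate. The `summarize` function and the sample text are constructed for illustration, and pairing each failure with the TlsStream warning logged immediately before it is an assumption based on the ordering in the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the format of the log quoted in the post.
SAMPLE = """\
[2017-12-27 19:09:39 +0100] warning/TlsStream: TLS stream was disconnected.
[2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:58186)
Context:
(0) Handling new API client connection
[2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
[2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:37149)
[2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:40814)
[2017-12-27 19:09:39 +0100] warning/TlsStream: OpenSSL error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[2017-12-27 19:09:39 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:8558)
[2017-12-27 19:09:46 +0100] warning/TlsStream: OpenSSL error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
[2017-12-27 19:09:46 +0100] critical/ApiListener: Client TLS handshake failed (from [IP_of_gateway]:40332)
[2017-12-27 19:09:46 +0100] information/ApiListener: New client connection from [IP_of_gateway]:40843 (no client certificate)
[2017-12-27 19:09:57 +0100] information/ApiListener: New client connection from [IP_of_gateway]:9327 (no client certificate)
"""

LINE = re.compile(r"^(?:- )?\[[^\]]+\] \w+/(?P<comp>\w+): (?P<msg>.*)$")
OPENSSL = re.compile(r"OpenSSL error: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>.+)$")
FAILED = re.compile(r"Client TLS handshake failed \(from (?P<peer>.+):\d+\)")
NO_CERT = re.compile(r"New client connection from (?P<peer>.+):\d+ \(no client certificate\)")

def summarize(text):
    """Return (failures by (peer, reason), no-client-certificate connections by peer)."""
    failures, no_cert = Counter(), Counter()
    pending = None  # reason from the most recent TlsStream warning
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "Context:" and "(0) ..." continuation lines
        comp, msg = m["comp"], m["msg"]
        if comp == "TlsStream":
            o = OPENSSL.search(msg)
            pending = o["reason"] if o else msg.rstrip(".")
        elif comp == "ApiListener":
            if (f := FAILED.search(msg)):
                failures[(f["peer"], pending or "no reason logged")] += 1
                pending = None
            elif (n := NO_CERT.search(msg)):
                no_cert[n["peer"]] += 1
    return failures, no_cert

if __name__ == "__main__":
    failures, no_cert = summarize(SAMPLE)
    for (peer, reason), count in failures.most_common():
        print(f"{count:3d}  {peer}  {reason}")
    print("no client certificate:", dict(no_cert))
```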