Absolute Beginner

You can use a signing method here.

Either you go with generating the ticket on the master which holds the private CA key/TicketSalt, and copy the generated ticket into the client CLI command. That makes the master automatically sign the certificate signing request. This is called “CSR auto-signing” in the docs.

Or you leave this empty; the signing request is forwarded to the master, and you manually sign the request via ca list/sign on the master. This is called “On-demand CSR signing” in the docs, available since 2.8.

Cheers,
Michael


Ok but how do I do that:

Generated a private ticket salt stored in the TicketSalt constant, set as ticket_salt attribute inside the api feature.

?

If you ran the master setup with the node wizard, that’s already done.

Go on and try signing the request.


edit:

root@icingamaster:/etc/icinga2# icinga2 ca list
Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
9ed1bf876f5a88969672a071629b4ee5730fddd3e67f905e094c0b7ed635e4a9 | Nov 15 04:09:58 2019 GMT | | CN = icingaagent
root@icingamaster:/etc/icinga2# icinga2 ca sign 9ed1bf876f5a88969672a071629b4ee5730fddd3e67f905e094c0b7ed635e4a9
information/cli: Signed certificate for ‘CN = icingaagent’.

Ok, the Agent showed up in the dashboard of Icingaweb2(installed on the Master) for ca. 40 seconds and disappeared. I did nothing! This is weird.

warning/ApiListener: No data received on new API connection for identity ‘icingaagent’. Ensure that the remote endpoints are properly configured in a cluster setup

So I made a new endpoint in Director with cluster zone icingamaster. When trying to deploy it, this pops up:

Unable to authenticate, please check your API credentials (RestApiClient.php:149)

For agents you don’t need to create an endpoint object manually. This is done by the director automatically while adding a host object (answering “Icinga2 Agent” with yes).

The second error sounds like credential mismatch. Verify your api user against the director database entry:

select * from icinga_apiuser;


How do I do that? where can I look this up?

Hi, you will find it in your api.conf file:


If you use MySQL/MariaDB:

mysql -u root -p director
select * from icinga_apiuser;

and compare that with your ApiUser in /etc/icinga2/conf.d/api-users.conf.


I know, but the password is correct.

Ok, the password doesn’t match with the api-users.conf.

So, now I fixed it.

critical/config: Error: Validation failed for object ‘icingaagent’ of type ‘Zone’; Attribute ‘zone’: Object ‘icingamaster’ of type ‘Zone’ does not exist. Location: in [stage]/zones.d/icingamaster/agent_zones.conf: 1:0-1:24 [stage]/zones.d/icingamaster/agent_zones.conf(1): object Zone “icingaagent” {

But it does.

[stage]/zones.d/icingamaster/agent_zones.conf

What path is that? I can’t find it on my icingamaster.

This is a typical subsequent error when the zone for that host object is not set in the director.

/var/lib/icinga2/api/packages/director/<Stage name>


in:

/var/lib/icinga2/api/packages/director

I have only:

63d4d22c-9c48-4de9-a980-097a2ed10561 active.conf include.conf

The full path is then:
/var/lib/icinga2/api/packages/director/63d4d22c-9c48-4de9-a980-097a2ed10561/zones.d/icingamaster/agent_zones.conf


Ok, I still get no connection.

Running the node wizard on the agent and trying to sign with the

icinga2 pki ticket --cn icinga2-agent1.localdomain

generated certificate, this comes up:

icinga2 critical/cli: Failed to fetch signed certificate

In Wireshark I can see there is a problem with the connection between Master and Agent:

312 24.353840 10.0.0.103 10.0.0.28 TCP 60 5665 → 41702 [RST] Seq=6465 Win=0 Len=0

I’m at a loss now. Unfortunately the docs don’t help any further either.

I’m sorry but for me it sounds confusing. You are talking about two machines but report 3 IP addresses. You are trying to create a ticket using icinga2-agent1.localdomain but the log reports an IP address as CN:

information/JsonRpcConnection: Received certificate request for CN ‘10.0.0.23’ not signed by our CA

Please be aware that the hostname in the director and the ticket’s CN have to be identical and they are case sensitive (the FQDN is recommended).

You’re trying to use CSR Auto-Signing; however, I’d recommend using On-Demand CSR Signing instead as I find it easier for beginners. To do so you just need to run

icinga2 node wizard

at the agent (remember CN accordance). During this run, “Parent certificate information:” has to appear; otherwise your master setup is faulty or you have a network issue.

Then run

icinga2 ca list

at the master. If there is no new entry in the list something must be totally wrong with your setup. If there is a new entry, you need to sign it with

icinga2 ca sign <fingerprint>

Next step is to add this host to the director (remember CN accordance).


Sorry, I just copied & pasted it from the docs to show what I meant. I did not use icinga2-agent1.localdomain. My fault!

But your link says " On-Demand CSR Signing: On the master".

Yes, you start at the agent.

icinga2 node wizard

This creates a request at the master (or more precisely the reload creates it). And then the request needs to be signed at the master using

icinga2 ca sign <fingerprint>

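As an added example that is not code from the thread or from the Icinga project: the master-side half of the on-demand signing steps described in the two posts above (agent runs node wizard, master runs ca list and ca sign), wrapped in a small POSIX shell helper that parses the ca list table and only signs an unsigned request whose CN matches the expected agent name exactly, since CN accordance is case sensitive. The sample listing, the second and third fingerprints and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Icinga project): wrap the
# on-demand CSR signing steps on the master so that `icinga2 ca sign` only
# runs for an unsigned request whose Subject matches the expected agent CN
# exactly (case-sensitive, as the thread stresses).

# Constructed sample in the table layout `icinga2 ca list` prints; the first
# fingerprint is the one from the thread, the other two are placeholders.
SAMPLE_CA_LIST='Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
9ed1bf876f5a88969672a071629b4ee5730fddd3e67f905e094c0b7ed635e4a9 | Nov 15 04:09:58 2019 GMT | | CN = icingaagent
1111111111111111111111111111111111111111111111111111111111111111 | Nov 15 04:10:12 2019 GMT | * | CN = icingaagent2
2222222222222222222222222222222222222222222222222222222222222222 | Nov 15 04:11:30 2019 GMT | | CN = IcingaAgent'

# pending_fingerprint CN [LISTING]
# Prints the fingerprint of the single unsigned request whose Subject is
# exactly "CN = <CN>"; prints nothing when there is none, when it is already
# signed (Signed column is "*"), or when the CN only matches in a different
# case. LISTING defaults to live `icinga2 ca list` output on a real master.
pending_fingerprint() {
    cn=$1
    listing=${2:-$(icinga2 ca list)}
    printf '%s\n' "$listing" | awk -F'|' -v want="CN = $cn" '
        NR > 2 {                                   # skip header and separator
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($4 == want && $3 == "") { hits++; fp = $1 }
        }
        END { if (hits == 1) print fp }'
}

# sign_agent CN: refuse to sign unless exactly one pending request matches.
sign_agent() {
    fp=$(pending_fingerprint "$1")
    if [ -z "$fp" ]; then
        echo "no single unsigned request for CN = $1; check 'icinga2 ca list'" >&2
        return 1
    fi
    icinga2 ca sign "$fp"
}
```

Run `sign_agent icingaagent` on the master after the agent's node wizard has forwarded its request; a CN that is missing, already signed, or differs only in case is refused instead of signed.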