Either you go with generating the ticket on the master which holds the private CA key/TicketSalt, and copy the generated ticket into the client CLI command. That will render the master to automatically sign the certificate signing request. This is called “CSR auto-signing” in the docs.
Or you’ll leave this empty, the signing request is forwarded to the master, and manually sign the request via ca list/sign on the master. This is called “On-demand CSR signing” in the docs, available since 2.8.
Ok, the Agent showed up in the dashboard of Icingaweb2 (installed on the Master) for ca. 40 seconds and disappeared. I did nothing! This is weird.
warning/ApiListener: No data received on new API connection for identity ‘icingaagent’. Ensure that the remote endpoints are properly configured in a cluster setup
So I made a new endpoint in Director with clusterzone icingamaster. When trying to deploy it this pops up:
Unable to authenticate, please check your API credentials (RestApiClient.php:149)
For agents you don’t need to create an endpoint object manually. This is done by the director automatically while adding a host object (with answering Icinga2 Agent with yes).
The second error sounds like credential mismatch. Verify your api user against the director database entry:
I’m sorry but for me it sounds confusing. You are talking about two machines but report 3 IP addresses. You are trying to create a ticket using icinga2-agent1.localdomain but the log reports an IP address as CN:
information/JsonRpcConnection: Received certificate request for CN ‘10.0.0.23’ not signed by our CA
Please be aware that the hostname in the director and the ticket’s CN have to be identical and they are case sensitive (recommended is FQDN).
You’re trying to use CSR Auto-Signing, however, I’d recommend to use On-Demand CSR Signing instead as I find it easier for beginners. To do so you just need to run
icinga2 node wizard
at the agent (remember CN accordance). During this run Parent certificate information: has to appear otherwise your master setup is faulty or you have a network issue.
Then run
icinga2 ca list
at the master. If there is no new entry in the list something must be totally wrong with your setup. If there is a new entry, you need to sign it with
icinga2 ca sign <fingerprint>
Next step is to add this host to the director (remember CN accordance).
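An added example, not part of the original posts: a guard for the manual signing step that only returns a fingerprint when exactly one unsigned request carries the expected CN, compared case-sensitively. The function names, the sample table and its shortened fingerprints are constructed, and the four-column layout (fingerprint, timestamp, signed marker `*`, subject) is an assumption about what `icinga2 ca list` prints.

```shell
#!/bin/sh
# Constructed sample standing in for `icinga2 ca list` output.
# Fingerprints are shortened and made up; real ones are longer hex strings.
sample_ca_list() {
cat <<'EOF'
Fingerprint | Timestamp           | Signed | Subject
------------|---------------------|--------|--------
a11ce001    | 2019/01/10 10:00:00 | *      | CN = icingamaster.localdomain
b0b00002    | 2019/01/10 10:05:12 |        | CN = 10.0.0.23
c0ffee03    | 2019/01/10 10:09:47 |        | CN = icinga2-agent1.localdomain
EOF
}

# pending_fingerprint EXPECTED_CN   (reads the table on stdin)
# Prints the fingerprint of the single unsigned request whose CN equals
# EXPECTED_CN exactly. Exits non-zero when there is no such request or
# more than one, so nothing gets signed on a mismatch (IP address as CN,
# different case, already signed).
pending_fingerprint() {
    awk -F'|' -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 4 { next }
        {
            fp = trim($1); signed = trim($3); subj = trim($4)
            if (fp !~ /^[0-9a-f]+$/) next       # header and separator rows
            if (signed == "*") next             # already signed
            sub(/^CN[ \t]*=[ \t]*/, "", subj)   # keep only the name
            if (subj == want) { n++; found = fp }
        }
        END {
            if (n == 1) { print found; exit 0 }
            exit 1
        }
    '
}

# On the master (assumed usage, sign only when the guard succeeds):
#   fp=$(icinga2 ca list | pending_fingerprint icinga2-agent1.localdomain) \
#       && icinga2 ca sign "$fp"
```

A request that arrived with the IP address as CN, as in the log line quoted above, is never selected when the FQDN is passed as the expected name.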