Please specify if this is a satellite/client setup (‘n’ installs a master setup) [Y/n]:
This means I’m on the Agent and have to run the master setup??? On the Agent I always run the satellite/client setup.
On the Agent you always say “Y” there or just press enter.
Now I’m again at this point: Please specify the request ticket generated on your Icinga 2 master(optional). (Hint: # icinga2 pki ticket --cn ‘icingaagent’):
So far so good. I did the master setup on the master correctly. But when I apply icinga2 ca list I have no fingerprint.
Please post the complete node wizard output, including your answers.
From Master:
We will guide you through all required configuration details.
Please specify if this is a satellite/client setup (‘n’ installs a master setup) [Y/n]: n
Starting the Master setup routine…
Please specify the common name (CN) [icingamaster2]: icingamaster2
Reconfiguring Icinga…
Checking for existing certificates for common name ‘icingamaster2’…
Certificate ‘/var/lib/icinga2/certs//icingamaster2.crt’ for CN ‘icingamaster2’ already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
‘api’ feature already enabled.
Master zone name [master]:
Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n
Please specify the API bind host/port (optional):
Bind Host :
Bind Port :
Do you want to disable the inclusion of the conf.d directory [Y/n]: n
No! I asked you to run this at your agent, hence, the answer is no.
This was wrong
Is your client’s hostname really icingamaster2?
As I said, don’t use this means just hit enter.
Why? I’m on the Master here.
No, not the clients name, the master name.
Yeah, then please tell exactly what you’re doing. Otherwise it’s confusing (at least for me).
Why this? In the docs it says to enter a ticket here.
For CSR Auto-signing: yes for On Demand CSR Signing: no.
Server 1(Master, parent node) icingamaster2 (Icinga2 Core, Icingaweb+director, runs) should monitor Server 2 (Agent) icingaagent (Icinga2 Core, Monitor Plug Ins).
So I did the node wizard on the Master again and made a ticket with icinga2 pki ticket --cn icingaagent:
909aa78e91c5abaec1c7d2feeb715876bd487b7c
Now the node wizard on the Agent:
Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): 10.0.0.104
Master/Satellite endpoint port [5665]:
Add more master/satellite endpoints? [y/N]: n
Parent certificate information:
Subject: CN = icingamster2
Issuer: CN = Icinga CA
Valid From: Nov 20 11:51:58 2019 GMT
Valid Until: Nov 16 11:51:58 2034 GMT
Fingerprint: E1 3C BA 67 6F 0D C9 9C A9 1A 2D B7 37 D5 0A E5 E2 E8 7D 33
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn ‘icingaagent’): 909aa78e91c5abaec1c7d2feeb715876bd487b7c
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘10.0.0.104, 5665’. Please try again.
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn ‘icingaagent’): 909aa78e91c5abaec1c7d2feeb715876bd487b7c
Please specify the API bind host/port (optional):
Bind Host :
Bind Port :
Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y
Reconfiguring Icinga…
Local zone name [icingaagent]:
Parent zone name [master]:
Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n
Do you want to disable the inclusion of the conf.d directory [Y/n]: n
Done.
Now restart your Icinga 2 daemon to finish the installation!
Now I can’t log in to Icingaweb2.
Alle konfigurierten Authentifizierungsmethoden sind fehlgeschlagen. Mehr Details dazu stehen im Systemlog oder im Log von Icinga Web 2.
Syslog:
Nov 20 12:30:33 icingamaster2 icinga2[26780]: [2019-11-20 12:30:33 +0000] information/ApiListener: New client connection for identity ‘icingaagent’ from [10.0.0.28]:38124 (no Endpoint object found for identity)
Nov 20 12:30:33 icingamaster2 icinga2[26780]: [2019-11-20 12:30:33 +0000] warning/ApiListener: No data received on new API connection for identity ‘icingaagent’. Ensure that the remote endpoints are properly configured in a cluster setup.
…
critical/ApiListener: Client TLS handshake failed (from [10.0.0.28]:38066): Error: Socket was closed during TLS handshake.
Of course, due to:
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘10.0.0.104, 5665’. Please try again.
Yes I know. But what and how is the solution? The second try as you can see it worked.
icingamster2 looks like a wrong CN name.
Oops! You are right! What a nuisance!
No connection to the parent node was specified.
Please copy the public CA certificate from your master/satellite
into ‘/var/lib/icinga2/certs//ca.crt’ before starting Icinga 2.
Found public CA certificate in ‘/var/lib/icinga2/certs//ca.crt’.
Please verify that it is the same as on your master/satellite.
Ok, how do I verify it?
You could do that with openssl or ‘diff’, but you can also just replace it with the one from the master.
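
One way to do the comparison suggested above, as an added example that is not part of the original thread: it compares the SHA-256 digest of the DER encoding of each ca.crt, which is what a certificate fingerprint is, so a copy with different line endings or base64 wrapping still matches where a plain 'diff' would not. The function names are hypothetical and the sample PEM blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate block in a PEM text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    # Drop all whitespace so CRLF endings or re-wrapped base64 do not matter.
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]

def fingerprint(der, algo="sha256"):
    """Digest of the DER encoding, formatted AA:BB:... (colon-separated hex)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_ca(agent_pem, master_pem):
    """True only if both files hold exactly one certificate and they match."""
    agent, master = pem_to_der(agent_pem), pem_to_der(master_pem)
    if len(agent) != 1 or len(master) != 1:
        raise ValueError("expected exactly one certificate per ca.crt")
    return fingerprint(agent[0]) == fingerprint(master[0])

def make_pem(der, width=64, newline="\n"):
    """Helper for the constructed samples below: wrap bytes as a PEM block."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----", ""])

# Constructed placeholder bytes, NOT real certificates (the digest is format-agnostic).
MASTER_CA = make_pem(bytes(range(200)))
AGENT_CA_COPY = make_pem(bytes(range(200)), width=76, newline="\r\n")  # same, re-wrapped
AGENT_CA_WRONG = make_pem(bytes(range(1, 201)))                        # a different CA

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py agent_ca.crt master_ca.crt
        agent_text, master_text = (open(p).read() for p in sys.argv[1:3])
    else:
        agent_text, master_text = AGENT_CA_COPY, MASTER_CA
    print("agent :", fingerprint(pem_to_der(agent_text)[0]))
    print("master:", fingerprint(pem_to_der(master_text)[0]))
    print("match" if same_ca(agent_text, master_text) else "MISMATCH")
```

Calling `fingerprint(der, "sha1")` gives a 20-byte digest, the same length as the fingerprint the node wizard displays for the parent certificate.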