Absolute Beginner

Please specify if this is a satellite/client setup (‘n’ installs a master setup) [Y/n]:

This means I’m on the Agent and have to run the master setup??? On the Agent I always run the satellite/client setup.

On the Agent you always say “Y” there or just press Enter.

2 Likes

Now I’m again at this point: Please specify the request ticket generated on your Icinga 2 master(optional). (Hint: # icinga2 pki ticket --cn ‘icingaagent’):

So far so good. I did the master setup on the master correctly. But when I apply icinga2 ca list I have no fingerprint.

Please post the complete node wizard output, including your answers.

1 Like

From Master:

We will guide you through all required configuration details.

Please specify if this is a satellite/client setup (‘n’ installs a master setup) [Y/n]: n

Starting the Master setup routine…

Please specify the common name (CN) [icingamaster2]: icingamaster2
Reconfiguring Icinga…
Checking for existing certificates for common name ‘icingamaster2’…
Certificate ‘/var/lib/icinga2/certs//icingamaster2.crt’ for CN ‘icingamaster2’ already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
‘api’ feature already enabled.

Master zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n
Please specify the API bind host/port (optional):
Bind Host :
Bind Port :

Do you want to disable the inclusion of the conf.d directory [Y/n]: n

No! I asked you to run this at your agent, hence, the answer is no.

1 Like

This was wrong

Is your client’s hostname really icingamaster2?

1 Like

As I said, “don’t use this” means just hit Enter.

1 Like

Why? I’m on the Master here.

No, not the client’s name, the master name.

Yeah, then please tell us exactly what you’re doing. Otherwise it’s confusing (at least for me).

1 Like

Why this? In the docs it says to enter a ticket here.

For CSR Auto-Signing: yes. For On-Demand CSR Signing: no.

1 Like

Server 1 (Master, parent node) icingamaster2 (Icinga2 Core, Icingaweb+director, runs) should monitor Server 2 (Agent) icingaagent (Icinga2 Core, Monitor Plug Ins).

So I did the node wizard on the Master again and made a ticket with icinga2 pki ticket --cn icingaagent:

909aa78e91c5abaec1c7d2feeb715876bd487b7c

Now the node wizard on the Agent:

Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): 10.0.0.104
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]: n
Parent certificate information:

Subject: CN = icingamster2
Issuer: CN = Icinga CA
Valid From: Nov 20 11:51:58 2019 GMT
Valid Until: Nov 16 11:51:58 2034 GMT
Fingerprint: E1 3C BA 67 6F 0D C9 9C A9 1A 2D B7 37 D5 0A E5 E2 E8 7D 33

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn ‘icingaagent’): 909aa78e91c5abaec1c7d2feeb715876bd487b7c
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘10.0.0.104, 5665’. Please try again.

Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn ‘icingaagent’): 909aa78e91c5abaec1c7d2feeb715876bd487b7c
Please specify the API bind host/port (optional):
Bind Host :
Bind Port :

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga…

Local zone name [icingaagent]:
Parent zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n

Do you want to disable the inclusion of the conf.d directory [Y/n]: n

Done.

Now restart your Icinga 2 daemon to finish the installation!

Now I can’t log in to Icingaweb2.

Alle konfigurierten Authentifizierungsmethoden sind fehlgeschlagen. Mehr Details dazu stehen im Systemlog oder im Log von Icinga Web 2.

Syslog:

Nov 20 12:30:33 icingamaster2 icinga2[26780]: [2019-11-20 12:30:33 +0000] information/ApiListener: New client connection for identity ‘icingaagent’ from [10.0.0.28]:38124 (no Endpoint object found for identity)
Nov 20 12:30:33 icingamaster2 icinga2[26780]: [2019-11-20 12:30:33 +0000] warning/ApiListener: No data received on new API connection for identity ‘icingaagent’. Ensure that the remote endpoints are properly configured in a cluster setup.

critical/ApiListener: Client TLS handshake failed (from [10.0.0.28]:38066): Error: Socket was closed during TLS handshake.

Of course, due to:

critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘10.0.0.104, 5665’. Please try again.

1 Like

Yes I know. But what and how is the solution? On the second try, as you can see, it worked.

icingamster2 looks like a wrong CN name.

3 Likes
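The check that catches this before answering "y" to "Is this information correct?", as an added example that is not part of the thread: it parses the parent certificate block from the agent session above and compares it with values the operator knows from the master. The function names and the expected CN and fingerprint arguments are assumptions for illustration.

```python
import re

# Parent certificate block as shown in the agent's wizard session on this page.
WIZARD_OUTPUT = """\
Parent certificate information:

Subject: CN = icingamster2
Issuer: CN = Icinga CA
Valid From: Nov 20 11:51:58 2019 GMT
Valid Until: Nov 16 11:51:58 2034 GMT
Fingerprint: E1 3C BA 67 6F 0D C9 9C A9 1A 2D B7 37 D5 0A E5 E2 E8 7D 33
"""

def parse_parent_cert(text):
    """Return the 'Key: value' lines of the block as a dict (keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def common_name(dn):
    """Extract the CN from a subject such as 'CN = host'."""
    match = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return match.group(1).strip() if match else None

def normalize_fp(fingerprint):
    """Drop spaces and colons so differently formatted fingerprints compare."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())

def check_parent(text, expected_cn, expected_fp):
    """List every reason not to answer 'y'; an empty list means it matches."""
    fields = parse_parent_cert(text)
    problems = []
    cn = common_name(fields.get("subject", ""))
    if cn != expected_cn:
        problems.append(f"subject CN {cn!r} is not the expected {expected_cn!r}")
    shown = normalize_fp(fields.get("fingerprint", ""))
    if not shown or shown != normalize_fp(expected_fp):
        problems.append("fingerprint does not match the one read on the master")
    return problems

if __name__ == "__main__":
    # Assumed operator input: the master's intended CN and the fingerprint
    # read on the master itself (here the page's value, in colon notation).
    expected_fp = "E1:3C:BA:67:6F:0D:C9:9C:A9:1A:2D:B7:37:D5:0A:E5:E2:E8:7D:33"
    for problem in check_parent(WIZARD_OUTPUT, "icingamaster2", expected_fp):
        print("do not accept:", problem)
```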

Oops! You are right! What a mess!

No connection to the parent node was specified.

Please copy the public CA certificate from your master/satellite
into ‘/var/lib/icinga2/certs//ca.crt’ before starting Icinga 2.

Found public CA certificate in ‘/var/lib/icinga2/certs//ca.crt’.
Please verify that it is the same as on your master/satellite.

Ok, how do I verify it?

You could do that with openssl or ‘diff’, but you can also just replace it with the one from the master.

1 Like
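An added example (not from the thread) of the fingerprint comparison suggested above: it hashes the decoded DER bytes of each certificate, so two copies of ca.crt match even when line wrapping or line endings differ, which a plain diff would report as a change. The function names are assumptions, the built-in sample is constructed placeholder bytes rather than a real Icinga CA, and the two file paths are supplied by the operator.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text, algo="sha256"):
    """Hex digest of the DER bytes of every certificate in a PEM file."""
    digests = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digests.append(hashlib.new(algo, der).hexdigest())
    return digests

def same_ca(agent_pem, master_pem):
    """True only if both files hold the same, non-empty certificate list."""
    agent, master = cert_fingerprints(agent_pem), cert_fingerprints(master_pem)
    return bool(agent) and agent == master

def make_pem(der, width=64, eol="\n"):
    """Wrap bytes as PEM; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *rows,
                     "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Arguments: <agent ca.crt> <copy of the master's ca.crt>
        with open(sys.argv[1]) as a, open(sys.argv[2]) as m:
            agent_pem, master_pem = a.read(), m.read()
    else:
        # Constructed placeholder bytes, not a real CA certificate.
        sample = bytes(range(200))
        agent_pem = make_pem(sample)
        master_pem = make_pem(sample, width=76, eol="\r\n")
    for name, pem in (("agent", agent_pem), ("master", master_pem)):
        print(name, cert_fingerprints(pem))
    matched = same_ca(agent_pem, master_pem)
    print("match" if matched else "MISMATCH")
    sys.exit(0 if matched else 1)
```

An empty or unparsable file counts as a mismatch, so a missing ca.crt on either side is never reported as verified.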