Hi,
I use the Icingaweb2 Director icinga2-agent-kickstart.bash script.
I made a small adjustment:
ICINGA2_CA_TICKET=$(icinga2 pki ticket --cn {{ grains.fqdn }} --salt "{{ salt['pillar.get']('ticketsalt') }}")
This works perfectly fine when I execute it from my LXC container:
# bash icinga2-agent-kickstart.bash
INFO: This should be a Debian system
check: icinga2 installed - OK: 2.12.3-1
INFO: Using new SSL directory: /var/lib/icinga2/certs
information/base: Writing private key to '/var/lib/icinga2/certs/librenms.example.com.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/certs/librenms.example.com.crt'.
information/base: Writing certificate signing request to '/var/lib/icinga2/certs/librenms.example.com.csr'.
information/cli: Retrieving TLS certificate for 'icinga.example.com:5665'.
Version: 3
Subject: CN = icinga.example.com
Issuer: CN = Icinga CA
Valid From: Jan 3 21:43:55 2021 GMT
Valid Until: Dec 31 21:43:55 2035 GMT
Serial: d4:28:33:35:09:73:f3:7f:bc:0e:3c:c2:28:65:ff:b7:70:2f:55:c8
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: icinga.example.com
Fingerprint: CA A0 92 B7 4D DE 74 76 AE 21 CD F7 D1 CC 9C AB 11 71 AC AD 5C C3 49 E3 0A 1C F2 5B 22 91 7C 8B
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file '/var/lib/icinga2/certs/trusted-master.crt'.
64f4ef0eeb1cba5061ce4a9a94f9c537ee97062a
information/cli: Writing CA certificate to file '/var/lib/icinga2/certs/ca.crt'.
information/cli: Writing signed certificate to file '/var/lib/icinga2/certs/librenms.example.com.crt'.
Writing config to /etc/icinga2/icinga2.conf
Writing config to /etc/icinga2/zones.conf
Writing config to /etc/icinga2/features-available/api.conf
warning/cli: Feature 'api' already enabled.
[2021-01-17 17:29:08 +0100] information/cli: Icinga application loader (version: r2.12.3-1)
[2021-01-17 17:29:08 +0100] information/cli: Loading configuration file(s).
[2021-01-17 17:29:08 +0100] information/ConfigItem: Committing config item(s).
[2021-01-17 17:29:08 +0100] information/ApiListener: My API identity: librenms.example.com
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 1 FileLogger.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 1 CheckerComponent.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 3 Zones.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 2 Endpoints.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 1 ApiListener.
[2021-01-17 17:29:08 +0100] information/ConfigItem: Instantiated 235 CheckCommands.
[2021-01-17 17:29:08 +0100] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2021-01-17 17:29:08 +0100] information/cli: Finished validating the configuration file(s).
Please restart icinga2:
systemctl restart icinga2
Notice the echo of the variable ICINGA2_CA_TICKET: 64f4ef0eeb1cba5061ce4a9a94f9c537ee97062a
When I execute from Saltstack:
----------
ID: gen_certificate
Function: cmd.run
Name: bash /root/icinga2-agent-kickstart.bash
Result: False
Comment: Command "bash /root/icinga2-agent-kickstart.bash" run
Started: 16:28:35.880497
Duration: 1547.181 ms
Changes:
----------
pid:
130306
retcode:
1
stderr:
INFO: This should be a Debian system
INFO: Using new SSL directory: /var/lib/icinga2/certs
ERROR: Could not retrieve final certificate from host icinga.example.com
stdout:
check: icinga2 installed - OK: 2.12.3-1
[2021-01-17 17:28:36 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
[2021-01-17 17:28:36 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
information/base: Writing private key to '/var/lib/icinga2/certs/librenms.example.com.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/certs/librenms.example.com.crt'.
information/base: Writing certificate signing request to '/var/lib/icinga2/certs/librenms.example.com.csr'.
[2021-01-17 17:28:37 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
[2021-01-17 17:28:37 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
information/cli: Retrieving TLS certificate for 'icinga.example.com:5665'.
Version: 3
Subject: CN = icinga.example.com
Issuer: CN = Icinga CA
Valid From: Jan 3 21:43:55 2021 GMT
Valid Until: Dec 31 21:43:55 2035 GMT
Serial: d4:28:33:35:09:73:f3:7f:bc:0e:3c:c2:28:65:ff:b7:70:2f:55:c8
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: icinga.example.com
Fingerprint: CA A0 92 B7 4D DE 74 76 AE 21 CD F7 D1 CC 9C AB 11 71 AC AD 5C C3 49 E3 0A 1C F2 5B 22 91 7C 8B
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file '/var/lib/icinga2/certs/trusted-master.crt'.
[2021-01-17 17:28:35 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
[2021-01-17 17:28:35 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
64f4ef0eeb1cba5061ce4a9a94f9c537ee97062a
[2021-01-17 17:28:37 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
[2021-01-17 17:28:37 +0100] warning/Application: Failed to adjust resource limit for open file handles (RLIMIT_NOFILE) with error "Operation not permitted"
information/cli: Writing CA certificate to file '/var/lib/icinga2/certs/ca.crt'.
critical/cli: !!! Invalid ticket for CN 'librenms.example.com'.
Again please notice the echo of the ticket: 64f4ef0eeb1cba5061ce4a9a94f9c537ee97062a.
But it gives the error critical/cli: !!! Invalid ticket for CN 'librenms.klapwijk.it'.
What am I doing wrong?
It is the EXACT same script, but one is executed from Saltstack, the other directly from Bash.
What am I missing, or is this a bug?
Thank you!
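An added example (not code from the post or from the kickstart script) showing why the master can reject a ticket that the agent echoes correctly: an Icinga 2 ticket is a deterministic function of the CN and the master's TicketSalt, so "Invalid ticket for CN" means the CN in the certificate request or the salt on the master does not match what the ticket was derived from. It assumes Icinga 2's ticket derivation, PBKDF2-HMAC-SHA1 over the CN with the salt, 50000 iterations, hex output, as in its PBKDF2_SHA1 helper; the salt value below is constructed.

```python
import hashlib
import hmac

# Icinga 2 derives an agent ticket as PBKDF2-HMAC-SHA1(password=CN, salt=TicketSalt)
# with 50000 iterations and a 20-byte output, printed as 40 hex characters.
# Assumption: this mirrors Icinga 2's PBKDF2_SHA1 helper used by `icinga2 pki ticket`.
ICINGA_TICKET_ITERATIONS = 50000


def icinga_ticket(cn: str, ticket_salt: str) -> str:
    """Return the ticket `icinga2 pki ticket --cn CN --salt SALT` prints for this CN."""
    digest = hashlib.pbkdf2_hmac("sha1", cn.encode("utf-8"),
                                 ticket_salt.encode("utf-8"),
                                 ICINGA_TICKET_ITERATIONS)
    return digest.hex()


def ticket_is_valid(presented: str, cn: str, ticket_salt: str) -> bool:
    """Master-side view: recompute the ticket for the CN found in the CSR and
    compare in constant time (the ticket is a credential, so avoid timing leaks)."""
    expected = icinga_ticket(cn, ticket_salt)
    return hmac.compare_digest(presented.strip().lower(), expected)


def find_matching_cn(presented: str, candidates, ticket_salt: str):
    """Diagnostic helper (hypothetical): report which candidate CN, e.g. short
    hostname vs. FQDN, a presented ticket was actually generated for, or None."""
    for cn in candidates:
        if ticket_is_valid(presented, cn, ticket_salt):
            return cn
    return None


if __name__ == "__main__":
    salt = "constructed-ticket-salt"   # constructed; never a real TicketSalt
    cn = "librenms.example.com"
    ticket = icinga_ticket(cn, salt)
    print(f"ticket for {cn}: {ticket}")
    # The same ticket is rejected for any other CN and for any other salt,
    # which is exactly what the master reports as "Invalid ticket for CN".
    print(ticket_is_valid(ticket, cn, salt))                 # True
    print(ticket_is_valid(ticket, "librenms", salt))         # False
    print(find_matching_cn(ticket, ["librenms", cn], salt))  # librenms.example.com
```

Running the derivation with the salt from the master's TicketSalt constant and each hostname form the agent might send shows whether the echoed ticket was computed for the CN that actually ends up in the CSR.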