Auto Sign Hosts doesn't work

Hi there,

I had a strange problem, which I solved, but with a solution that doesn't make sense to me.

I have a current version of icinga2 running on a Linux machine. I now wanted to include a host to be monitored by that system. Until now I always chose that the host should connect to the server; this time I wanted to use on-demand signing.

So my steps were:

  • create a ticket on the server for the host (mistake - I went for on-demand)
  • install icinga2 on the host
  • copy the certificate from my server to the host
  • use the icinga wizard to set up
  • sign the certificate on the server via icinga ca -sign, after it showed up
  • configure the server to monitor the host

And it didn't work. The log gave me errors that the host is trying to come around with a self-signed certificate.

But this gave me a perfectly fine output, naming my server CA & hostname of the client host:
openssl x509 -text -noout -in /var/lib/icinga2/certs/$(hostname -f).crt | grep CN=

So after a while of searching I compared my new host to an old one, and the only difference (except for hostnames in certificates) was that the old one had a file named “ticket” under /var/lib/icinga2/certs/

Next step I gave it a shot, created a new ticket for the new host on the server and created the file manually on the host. After that and a restart of icinga the client was monitored perfectly fine, even though the ticket file got erased by the icinga client, I guess.

Is there anyone who can guess what happened?
Did my initial creation of a ticket block the client from being installed via on-demand signing?

I'll try to redo this with another server soon, to find out where I might have gone wrong.


I don’t understand this step, can you clarify what exactly you did there?

Hello Michael,

Sure. After installing icinga via node wizard and choosing not to connect to the server from the host, I was given this statement:

Please copy the public CA certificate from your master/satellite into ‘/var/lib/icinga2/certs//ca.crt’ before starting Icinga 2.

And that's what I did.

I tested the whole thing without creating a ticket, now it works perfectly. It seems like creating a ticket on the server forces you to get that ticket on the client side, even if you want to go with the On-Demand Signing way.

Works great for me now, but might be nice for someone else to know.



Not really, the ticket itself is a generated one-shot from the private key called TicketSalt. So once the hash is retrieved via pki ticket, nothing is cached locally on the master. Once the agent is set up, the passed ticket via CLI wizard is forwarded to parent instances where the passed ticket allows the master to automatically sign the certificate request. That being said, I don’t quite understand yet what happened there, except that you’re using the “satellite/master connects to agent” mode which requires the ca.crt being copied.
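
A minimal model of the stateless ticket scheme described in the reply above, added here as an illustration; it is not code from this thread or from the Icinga project. It assumes the ticket is PBKDF2-HMAC-SHA1 over the host's CN with TicketSalt as the salt and 50000 iterations; the salt value, host names and the decision labels are constructed for the example.

```python
import hashlib
import hmac

# Assumption (not stated in the thread): PBKDF2-HMAC-SHA1, 50000 rounds, hex output.
ITERATIONS = 50000


def issue_ticket(cn: str, ticket_salt: str) -> str:
    """Model of 'pki ticket': a pure function of CN and TicketSalt, nothing is stored."""
    raw = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(), ITERATIONS)
    return raw.hex()


def handle_csr(cn: str, ticket: str, ticket_salt: str) -> str:
    """Model of the master's decision for an incoming certificate request."""
    if not ticket:
        # On-demand signing: the request waits until an admin signs it.
        return "pending"
    # The master recomputes the expected value instead of looking one up.
    expected = issue_ticket(cn, ticket_salt)
    if hmac.compare_digest(ticket.encode(), expected.encode()):
        return "auto-sign"
    return "reject"


if __name__ == "__main__":
    salt = "constructed-ticket-salt"   # constructed value
    cn = "agent1.example.org"          # constructed host name

    # Generating a ticket and never using it leaves no state on the master:
    unused = issue_ticket(cn, salt)

    # A request without a ticket is still handled as on-demand signing.
    print("no ticket   ->", handle_csr(cn, "", salt))
    # The same request with the ticket is signed automatically.
    print("with ticket ->", handle_csr(cn, unused, salt))
    # A ticket issued for a different CN does not validate for this one.
    other = issue_ticket("agent2.example.org", salt)
    print("wrong CN    ->", handle_csr(cn, other, salt))
```

In this model a previously generated but unused ticket cannot influence a later ticketless request, because the master keeps no record of issued tickets.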


Hi there,

Yes, that's basically everything I did. Plus making the mistake of generating a ticket, which for some reason made my client-server not connect, until I posted the ticket into there.

Very strange.

I added several more servers now, and no matter how I do it, I just can't reproduce the error. So maybe if someone searches for such a problem, give it a shot with the ticket file.