Cannot add a new Client to Icinga Master Host

Hi guys,
I have set up a new Icinga Master Host and would like to add Clients/Agents.
But during the “icinga2 node wizard” for a Client I get the error on the Master
[2023-05-06 10:25:00 +0200] information/ApiListener: New client connection for identity ‘xxxxxx’ from [xxxxxx]:56698 (certificate validation failed: code 18: self signed certificate)

On the Client I get
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘xxxx, 5665’. Please try again.

But port 5665 is reachable.
Any idea? :roll_eyes:

  • Version used (version: r2.13.7-1)
  • Operating System and version
    System information:
    Platform: Debian GNU/Linux
    Platform version: 11 (bullseye)
    Kernel: Linux
    Kernel version: 5.10.0-22-cloud-amd64
    Architecture: x86_64
  • Enabled features (icinga2 feature list)
    Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb influxdb2 livestatus opentsdb perfdata statusdata syslog
    Enabled features: api checker icingadb mainlog notification

Hello Joern!

Have you tried to provide a ticket in the wizard?

Best,
A/K

Hi,
I don’t know what you mean by “provide a ticket in the wizard?”

Cheers
Joern

Do you want to establish a connection to the parent node from this node? [Y/n]:
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): al2klimov.de
Master/Satellite endpoint port [5665]: 443

Add more master/satellite endpoints? [y/N]:
Parent certificate information:

 Version:             3
 Subject:             CN = al2klimov.de
 Issuer:              C = US, O = Let's Encrypt, CN = R3
 Valid From:          Mar 27 11:01:08 2023 GMT
 Valid Until:         Jun 25 11:01:07 2023 GMT
 Serial:              04:fb:4a:96:08:90:a1:a1:e3:4b:6c:aa:de:ec:c0:de:47:77

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   al2klimov.de
 Fingerprint:         1B CE 57 96 68 18 E7 85 77 9C E0 D0 3E E2 3D F0 53 FE 63 2D 0C 3A D0 D8 D6 47 CE B6 53 E9 F7 43

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'alexandersmbp2.int.netways.de'): 03639c659514349d7f419eedec2bffef09f3d6ae

:point_up:

Ah OK, yes, of course I provided a ticket, but as I described above, I get the error

[2023-05-06 10:25:00 +0200] information/ApiListener: New client connection for identity ‘xxxxxx’ from [xxxxxx]:56698 (certificate validation failed: code 18: self signed certificate)

On the Client I get
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘xxxx, 5665’. Please try again.

On the master you get only that message while setting up the node? Do you get anything more with debug log enabled?

Sorry,
but now I have a completely different problem. If I set up an agent, the agent does not listen on port 5665. That’s completely crazy.
Any idea???
Just a hint. The agent is running in the Azure Cloud

agent:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y

Starting the Agent/Satellite setup routine...

Please specify the common name (CN) [agent]: agent

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-master

Do you want to establish a connection to the parent node from this node? [Y/n]:
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): icinga-master
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]:
Parent certificate information:

 Version:             3
 Subject:             CN = icinga-master
 Issuer:              CN = Icinga CA
 Valid From:          May  4 07:02:03 2023 GMT
 Valid Until:         Jun  4 07:02:03 2024 GMT
 Serial:              59:01:be:43:c8:03:52:3b:8d:8a:28:f1:00:3b:53:fd:7b:a2:f0:cf

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   icinga-master
 Fingerprint:         91 49 12 C7 58 B9 00 D4 99 E2 5B 94 B6 7A AA 5F 22 AA 18 F1 42 C5 9C 5C BC B9 E1 5C 17 80 71 F1

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'agent'): 4872140e606442e4ca4be1f13050947f2cc45af8
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga...

Local zone name [agent]:
Parent zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:

Do you want to disable the inclusion of the conf.d directory [Y/n]:
Disabling the inclusion of the conf.d directory...
Failed to disable the conf.d inclusion, it may already have been disabled.

Done.

Now restart your Icinga 2 daemon to finish the installation!
agent:~# service icinga2 restart
agent:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      524/sshd: /usr/sbin
tcp6       0      0 :::22                   :::*                    LISTEN      524/sshd: /usr/sbin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           415/dhclient

Does it run at all? (ps -efH)

Yes Icinga2 is running

ps -efH|grep icinga
nagios       707       1  0 May10 ?        00:00:25   /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
nagios       725     707  0 May10 ?        00:00:03     /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
nagios       728     725  0 May10 ?        00:00:00       /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
root        1558    1548  0 19:41 pts/0    00:00:00               grep icinga

Which Icinga features are enabled? (icinga2 feature list)

Hi sorry for my late answer :frowning:

icinga2 feature list
Disabled features: command compatlog elasticsearch gelf graphite influxdb influxdb2 livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker debuglog icingadb mainlog notification

This is a crazy issue

What does the Icinga log say about the API?

Hi sorry now the icinga2 is running on client but I can’t add or register the Client on the master.
I get the following warning:

[2023-05-16 10:56:47 +0200] information/ApiListener: New client connection for identity 'server1' to [10.....]:5665 (certificate validation failed: code 7: certificate signature failure)
[2023-05-16 10:56:47 +0200] information/ApiListener: Finished reconnecting to endpoint 'server1' via host 'server1' and port '5665'
[2023-05-16 10:56:49 +0200] warning/ApiListener: Timeout while processing incoming connection from [::ffff:10....:51044
[2023-05-16 10:56:49 +0200] warning/ApiListener: No data received on new API connection from [::ffff:10.......]:51044 for identity 'server1'. Ensure that the remote endpoints are properly configured in a cluster setup.
[2023-05-16 10:56:57 +0200] information/ApiListener: Reconnecting to endpoint 'server1' via host 'server1' and port '5665'
[2023-05-16 10:56:57 +0200] warning/ApiListener: Certificate validation failed for endpoint 'server1': code 7: certificate signature failure
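
Added example, not part of the thread and not Icinga's own tooling: a small Python parser for ApiListener lines in the format posted above, which groups certificate validation failures per identity, verify code and connection direction. The function name, identities and addresses in the sample are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# The numbers are OpenSSL verify codes:
#   7  = X509_V_ERR_CERT_SIGNATURE_FAILURE
#   18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
# Inline form: "... identity 'x' from|to [addr]:port (certificate validation failed: code N: text)"
# Both straight and typographic quotes are accepted, since forum software rewrites them.
INLINE = re.compile(
    r"information/ApiListener: New client connection for identity ['‘](?P<id>[^'’]+)['’] "
    r"(?P<dir>from|to) \[(?P<addr>[^\]]*)\]:(?P<port>\d+) "
    r"\(certificate validation failed: code (?P<code>\d+): (?P<text>[^)]+)\)"
)
# Reconnect form: "Certificate validation failed for endpoint 'x': code N: text"
ENDPOINT = re.compile(
    r"warning/ApiListener: Certificate validation failed for endpoint "
    r"['‘](?P<id>[^'’]+)['’]: code (?P<code>\d+): (?P<text>.+)$"
)

def summarize_cert_failures(lines):
    """Return {identity: {(code, text, direction): number_of_log_lines}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        m = INLINE.search(line)
        if m:
            # "from": the peer connected to this node; "to": this node connected out
            direction = "inbound" if m["dir"] == "from" else "outbound"
        else:
            m = ENDPOINT.search(line)
            direction = "outbound"  # logged while reconnecting to an endpoint
        if m:
            summary[m["id"]][(int(m["code"]), m["text"].strip(), direction)] += 1
    return {ident: dict(counts) for ident, counts in summary.items()}

# Constructed sample log (documentation addresses, made-up identities)
SAMPLE = """\
[2023-05-16 10:56:47 +0200] information/ApiListener: New client connection for identity 'agent1' to [192.0.2.10]:5665 (certificate validation failed: code 7: certificate signature failure)
[2023-05-16 10:56:47 +0200] information/ApiListener: Finished reconnecting to endpoint 'agent1' via host 'agent1' and port '5665'
[2023-05-16 10:56:57 +0200] warning/ApiListener: Certificate validation failed for endpoint 'agent1': code 7: certificate signature failure
[2023-05-16 10:57:03 +0200] information/ApiListener: New client connection for identity 'agent2' from [192.0.2.20]:56698 (certificate validation failed: code 18: self signed certificate)
[2023-05-16 10:57:05 +0200] information/ApiListener: New client connection for identity 'agent3' from [192.0.2.30]:40112
""".splitlines()

if __name__ == "__main__":
    for ident, counts in summarize_cert_failures(SAMPLE).items():
        for (code, text, direction), n in counts.items():
            print(f"{ident}: code {code} ({text}), {direction}, {n} line(s)")
```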

Sounds like

I’d wait for v2.14.

Hm so I can’t use this Version???
Should I downgrade?

There were some mistakes of mine :frowning: