Hi guys,
I have set up a new Icinga master host and would like to add clients/agents.
But during the “icinga2 node wizard” for a client I get this error on the master:
[2023-05-06 10:25:00 +0200] information/ApiListener: New client connection for identity ‘xxxxxx’ from [xxxxxx]:56698 (certificate validation failed: code 18: self signed certificate)
On the Client I get
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘xxxx, 5665’. Please try again.
But port 5665 is reachable.
Any idea?
Version used (version: r2.13.7-1)
Operating System and version
System information:
Platform: Debian GNU/Linux
Platform version: 11 (bullseye)
Kernel: Linux
Kernel version: 5.10.0-22-cloud-amd64
Architecture: x86_64
Do you want to establish a connection to the parent node from this node? [Y/n]:
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): al2klimov.de
Master/Satellite endpoint port [5665]: 443
Add more master/satellite endpoints? [y/N]:
Parent certificate information:
Version: 3
Subject: CN = al2klimov.de
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid From: Mar 27 11:01:08 2023 GMT
Valid Until: Jun 25 11:01:07 2023 GMT
Serial: 04:fb:4a:96:08:90:a1:a1:e3:4b:6c:aa:de:ec:c0:de:47:77
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: al2klimov.de
Fingerprint: 1B CE 57 96 68 18 E7 85 77 9C E0 D0 3E E2 3D F0 53 FE 63 2D 0C 3A D0 D8 D6 47 CE B6 53 E9 F7 43
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'alexandersmbp2.int.netways.de'): 03639c659514349d7f419eedec2bffef09f3d6ae
Ah OK, yes of course I provide a Ticket, but as I described above, I get the error
[2023-05-06 10:25:00 +0200] information/ApiListener: New client connection for identity ‘xxxxxx’ from [xxxxxx]:56698 (certificate validation failed: code 18: self signed certificate)
On the Client I get
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master ‘xxxx, 5665’. Please try again.
Sorry,
but now I have a completely different problem. If I set up an agent, the agent does not listen on port 5665. That’s completely crazy.
Any idea?
Just a hint: the agent is running in the Azure cloud.
agent:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y
Starting the Agent/Satellite setup routine...
Please specify the common name (CN) [agent]: agent
Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-master
Do you want to establish a connection to the parent node from this node? [Y/n]:
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): icinga-master
Master/Satellite endpoint port [5665]:
Add more master/satellite endpoints? [y/N]:
Parent certificate information:
Version: 3
Subject: CN = icinga-master
Issuer: CN = Icinga CA
Valid From: May 4 07:02:03 2023 GMT
Valid Until: Jun 4 07:02:03 2024 GMT
Serial: 59:01:be:43:c8:03:52:3b:8d:8a:28:f1:00:3b:53:fd:7b:a2:f0:cf
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: icinga-master
Fingerprint: 91 49 12 C7 58 B9 00 D4 99 E2 5B 94 B6 7A AA 5F 22 AA 18 F1 42 C5 9C 5C BC B9 E1 5C 17 80 71 F1
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'agent'): 4872140e606442e4ca4be1f13050947f2cc45af8
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:
Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y
Reconfiguring Icinga...
Local zone name [agent]:
Parent zone name [master]:
Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:
Do you want to disable the inclusion of the conf.d directory [Y/n]:
Disabling the inclusion of the conf.d directory...
Failed to disable the conf.d inclusion, it may already have been disabled.
Done.
Now restart your Icinga 2 daemon to finish the installation!
agent:~# service icinga2 restart
agent:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 524/sshd: /usr/sbin
tcp6 0 0 :::22 :::* LISTEN 524/sshd: /usr/sbin
udp 0 0 0.0.0.0:68 0.0.0.0:* 415/dhclient
Hi, sorry, icinga2 is now running on the client, but I can’t add or register the client on the master.
I get the following warning:
[2023-05-16 10:56:47 +0200] information/ApiListener: New client connection for identity 'server1' to [10.....]:5665 (certificate validation failed: code 7: certificate signature failure)
[2023-05-16 10:56:47 +0200] information/ApiListener: Finished reconnecting to endpoint 'server1' via host 'server1' and port '5665'
[2023-05-16 10:56:49 +0200] warning/ApiListener: Timeout while processing incoming connection from [::ffff:10....:51044
[2023-05-16 10:56:49 +0200] warning/ApiListener: No data received on new API connection from [::ffff:10.......]:51044 for identity 'server1'. Ensure that the remote endpoints are properly configured in a cluster setup.
[2023-05-16 10:56:57 +0200] information/ApiListener: Reconnecting to endpoint 'server1' via host 'server1' and port '5665'
[2023-05-16 10:56:57 +0200] warning/ApiListener: Certificate validation failed for endpoint 'server1': code 7: certificate signature failure
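Added example, not part of the original posts and not Icinga project code: a small triage script that pulls the certificate validation failures out of ApiListener log lines like the ones quoted in this thread and labels each OpenSSL verify code with its `X509_V_ERR_*` name. The sample lines, peer names and addresses are constructed placeholders; the regular expressions assume the two message layouts seen above.

```python
import re
from collections import Counter

# OpenSSL verify result codes (X509_V_ERR_* constants in x509_vfy.h).
VERIFY_CODES = {
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<sev>\w+)/ApiListener:\s+(?P<msg>.*)$")
# Peer name follows "identity" or "endpoint"; forum software often curls the quotes.
PEER = re.compile(r"(?:identity|endpoint) ['\u2018](?P<peer>[^'\u2019]+)['\u2019]")
FAIL = re.compile(r"[Cc]ertificate validation failed[^:]*: code (?P<code>\d+): (?P<reason>[^)]+)")

# Constructed sample lines in the format quoted in this thread (addresses are placeholders).
SAMPLE_LOG = """\
[2023-05-06 10:25:00 +0200] information/ApiListener: New client connection for identity 'agent1' from [192.0.2.10]:56698 (certificate validation failed: code 18: self signed certificate)
[2023-05-16 10:56:47 +0200] information/ApiListener: New client connection for identity 'server1' to [192.0.2.20]:5665 (certificate validation failed: code 7: certificate signature failure)
[2023-05-16 10:56:47 +0200] information/ApiListener: Finished reconnecting to endpoint 'server1' via host 'server1' and port '5665'
[2023-05-16 10:56:57 +0200] warning/ApiListener: Certificate validation failed for endpoint 'server1': code 7: certificate signature failure
"""

def parse_failures(text):
    """Return one record per ApiListener line that reports a failed certificate check."""
    records = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        fail = FAIL.search(line["msg"])
        if not fail:
            continue  # e.g. "Finished reconnecting ..." carries no verify result
        peer = PEER.search(line["msg"])
        code = int(fail["code"])
        records.append({
            "time": line["ts"], "peer": peer["peer"] if peer else None, "code": code,
            "openssl": VERIFY_CODES.get(code, "unknown"), "reason": fail["reason"].strip(),
        })
    return records

def summarize(records):
    """Count failures per (peer, code) so repeated reconnect attempts collapse."""
    return Counter((r["peer"], r["code"]) for r in records)

if __name__ == "__main__":
    for (peer, code), n in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{peer}: code {code} ({VERIFY_CODES.get(code, 'unknown')}) x{n}")
```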