Can't send external Icinga command: 401 Unauthorized

j4nd3r53n · April 4, 2023, 10:57am

I have this problem in my web interface, as in the title - both when I click Check now and when I try to open the Source tab, where I see the following stack trace:

Can't send external Icinga command: 401 Unauthorized. Please check your user credentials.

#0 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Command/Transport/ApiCommandTransport.php(301): Icinga\Module\Icingadb\Command\Transport\ApiCommandTransport->sendCommand()
#1 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Command/Transport/CommandTransport.php(111): Icinga\Module\Icingadb\Command\Transport\ApiCommandTransport->send()
#2 /usr/share/icingaweb2/modules/icingadb/application/controllers/HostController.php(89): Icinga\Module\Icingadb\Command\Transport\CommandTransport->send()
#3 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Web/Controller.php(490): Icinga\Module\Icingadb\Controllers\HostController->sourceAction()
#4 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Icinga\Module\Icingadb\Web\Controller->dispatch()
#5 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch()
#6 /usr/share/php/Icinga/Application/Web.php(290): Zend_Controller_Front->dispatch()
#7 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#8 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#9 {main}

Unfortunately I don’t know PHP in any detail; I have already searched extensively, and found this among others, but I don’t really understand whether it relates to my problem.

root@vogon:/var/log/apache2# icinga2 -V
icinga2 - The Icinga 2 network monitoring daemon (version: r2.13.7-1)

Copyright (c) 2012-2023 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Debian GNU/Linux
  Platform version: 11 (bullseye)
  Kernel: Linux
  Kernel version: 5.10.0-13-amd64
  Architecture: x86_64

Build information:
  Compiler: GNU 10.2.1
  Build host: runner-hh8q3bz2-project-575-concurrent-0
  OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

-----

root@vogon:/var/log/apache2# icinga2 feature list
Disabled features: compatlog debuglog elasticsearch gelf graphite influxdb influxdb2 livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker command icingadb mainlog notification

-----

Modules etc:

Icinga Web 2 Version 	2.11.4
Git commit 	11453bfa92a70a44efbf7f966f5e7f27e9300a28
PHP Version 	7.4.33
Git commit date 	2023-01-26

Loaded Libraries
icinga/icinga-php-library 	0.11.0
icinga/icinga-php-thirdparty 	0.11.0

Loaded Modules
doc 		2.11.4 	Configure
icingadb 		1.0.2 	Configure
Copyright © 2013-2023 Icinga GmbH

-----

Browser: Firefox 102.9.0esr (64bit)

-----

root@vogon:/var/log/apache2# php -v
PHP 7.4.33 (cli) (built: Feb 22 2023 20:07:47) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.33, Copyright (c), by Zend Technologies

moreamazingnick · April 4, 2023, 11:06am

you need an icinga2 api user with permissions:
https://icinga.com/docs/icinga-web/latest/modules/monitoring/doc/05-Command-Transports/

this user needs to be added in the icingadb module configuration:

j4nd3r53n · April 4, 2023, 12:35pm

OK - I went there and found the monitoring module disabled, so I enabled it. Now I see this error everywhere - this is from when I click the Create a New Command Transport button, but it broke all of the monitoring:

No backend has been configured

#0 /usr/share/icingaweb2/modules/monitoring/library/Monitoring/Backend/MonitoringBackend.php(76): Icinga\Module\Monitoring\Backend\MonitoringBackend::loadConfig()
#1 /usr/share/icingaweb2/modules/monitoring/application/controllers/ConfigController.php(262): Icinga\Module\Monitoring\Backend\MonitoringBackend::instance()
#2 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Module\Monitoring\Controllers\ConfigController->createtransportAction()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch()
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(290): Zend_Controller_Front->dispatch()
#6 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

and the module directory seems rather empty, actually:

# ll /etc/icingaweb2/modules/
total 4
drwxrws--- 2 www-data icingaweb2 4096 Mar 23 14:46 icingadb/

After disabling the monitoring module, things work again, but of course, I can’t run external commands.

rsx · April 4, 2023, 1:32pm

Could you share /etc/icingaweb2/modules/monitoring/commandtransports.ini (of course redacted)?

moreamazingnick · April 4, 2023, 1:43pm

why enable the monitoring module?

look into the module configuration of the icingadb module

j4nd3r53n · April 4, 2023, 2:48pm

Unfortunately, that file doesn’t exist:

root@vogon:~# ll /etc/icingaweb2/modules
total 4
drwxrws--- 2 www-data icingaweb2 4096 Mar 23 14:46 icingadb/

j4nd3r53n · April 4, 2023, 2:51pm

Sorry, I misunderstood - when I look at the icingadb module command transports, I see that a user is already defined there, which I have called root.

moreamazingnick · April 4, 2023, 3:37pm

check the password and compare with the api-users.conf
check the permissions of the user

after changing the password or permissions in icinga2 you need to restart the icinga2 service

j4nd3r53n · April 4, 2023, 4:13pm

That user isn’t defined in the web interface - should it be?

I copied the username and password from /etc/icinga2/conf.d/api-users.conf, and the passive checks work fine with these:

root@vogon:/var/log# cat /etc/icinga2/conf.d/api-users.conf
/**
 * The ApiUser objects are used for authentication against the API.
 */
object ApiUser "root" {
  password = "abcd1234567890"
  // client_cn = ""

  permissions = [ "*" ]
}

moreamazingnick · April 4, 2023, 5:20pm

so if you put this into the icingadb module config, does it work?

host can be 127.0.0.1
port should be 5665 except you changed it