Certificate Error on joining Clients

Hi all,

I've got a problem when I try to join new hosts to my Icinga.

I found out that this must be something regarding the certificates…

On the client side I start the onboarding with:
powershell.exe -executionpolicy unrestricted -command \MyShareToIcinga\Icinga\icinga_agent.ps1

and the agent.ps1 module does the onboarding (as always before):
Import-Module Icinga2Agent
Start-Sleep -m 500
# Install Agent and Connect to Server
# (backticks continue the command on the next line; -IgnoreSSLErrors skips TLS validation of the Director URL)
$icinga = Icinga2AgentModule -DirectorUrl 'https://MyIcingaMaster/icingaweb2/director/' `
    -DirectorAuthToken '01234567890' -InstallAgentVersion '2.11.4' `
    -DownloadUrl '\MyShareToIcinga\Icinga' -ParentEndpoints 'smon03.intranet.stg' `
    -IgnoreSSLErrors -DebugMode `
    -RunInstaller
$icinga.install();

and during the install I get the following error.

Notice: Started script run...
Notice: Connected successfully to Icinga Director Self-Service API over API token.
Notice: Setting internal Agent Name to "SLOGMGMT02.intranet.stg"
Notice: Trying to fetch Host IP-Address for hostname: SLOGMGMT02.intranet.stg
Notice: Setting IP 10.11.252.205 as primary IP for this host for all requests. Access it with &ipaddress& for all JSON requests.
Notice: Using Icinga version "", setting certificate directory to "C:\ProgramData\icinga2\etc\icinga2\pki"
Warning: Icinga 2 Agent does not seem to be installed on the system
Notice: Installing Icinga 2 Agent from local directory
Warning: Icinga 2 Agent Installer verification disabled.
Notice: Installing Icinga 2 Agent
Notice: Icinga 2 Agent installed.
Notice: Using Icinga version "2.11.4", setting certificate directory to "C:\ProgramData\icinga2\var\lib\icinga2\certs"
Notice: Found Icinga 2 Agent version 2.11.4 installed at "C:\Program Files\ICINGA2\"
Notice: Creating host "SLOGMGMT02.intranet.stg" over API token inside Icinga Director.
Notice: Writing host API-Key "01234567890" to "C:\ProgramData\icinga2\etc\icinga2\icingadirector.token"
Notice: Successfully fetched configuration for this host over Self-Service API.
Notice: Fetched ticket "01234567890" from Icinga Director
Notice: Generating Host certificates required by Icinga 2
Notice: information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\SLOGMGMT02.intranet.stg.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\SLOGMGMT02.intranet.stg.crt'.
Notice: Storing Icinga 2 certificates
Notice: information/cli: Retrieving X.509 certificate for 'smon03.intranet.stg:5665'.

 Subject:     CN = smon03.intranet.stg
 Issuer:      CN = Icinga CA
 Valid From:  Jul  5 08:37:52 2018 GMT
 Valid Until: Jul  1 08:37:52 2033 GMT
 Fingerprint: .......

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-master.crt'.
Notice: Certificate fingerprint: "012344567890"
Warning: CA fingerprint validation disabled
**Notice: Requesting Icinga 2 certificates**
**Fatal: Exception calling "generateCertificates" with "0" argument(s): "critical/cli: !!! The certificate for CN 'SLOGMGMT02.intranet.stg' is valid and uptodate. Skipping automated renewal.**
**######## The script encountered several errors during run ########**
**Fatal: Exception calling "generateCertificates" with "0" argument(s): "critical/cli: !!! The certificate for CN 'SLOGMGMT02.intranet.stg' is valid and uptodate. Skipping automated renewal.**
1
PS C:\Windows\system32>

On the Windows client I can see that the certificate files aren't in the directory:
C:\ProgramData\icinga2\etc\icinga2\pki

and from the icinga2 CLI on the master I can see the following.

root@smon03:/var/lib/icinga2/certs# ls -l
total 16
-rw-r--r-- 1 nagios nagios 1720 Jul  5  2018 ca.crt
-rw-r--r-- 1 nagios nagios 1773 Jul  5  2018 smon03.intranet.stg.crt
-rw-r--r-- 1 nagios nagios 1663 Jul  5  2018 smon03.intranet.stg.csr
-rw------- 1 nagios nagios 3247 Jul  5  2018 smon03.intranet.stg.key

root@smon03:/var/lib/icinga2/certs# netstat -tulpen | grep icinga
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      109        218649185  12946/icinga2
root@smon03:/var/lib/icinga2/certs#

root@smon03:/var/lib/icinga2/certs# openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/smon03.intranet.stg.crt
/var/lib/icinga2/certs/smon03.intranet.stg.crt: OK
root@smon03:/var/lib/icinga2/certs#

For me it seems as if Icinga doesn't use its own certificates any more???

Does no one have a tip for me on what I can test?

Certificate stuff looks ok to me, tbh.
The certs should be under C:\ProgramData\icinga2\var\lib\icinga2\certs

Was the host connected at some time?

Please try a “clean” remove/install (if you didn’t do that already)

  1. Remove the host object from Icinga Director, deploy config.
  2. Uninstall Icinga2 Agent from Windows host: Icinga2Agent -RunUninstaller
  3. Remove C:\ProgramData\icinga2 from Windows host
  4. Run the installer with the Director self-service API again.

Hi @log1c

On the client side no certificates were stored in the certs folder…

I've tested it with a couple of fresh, clean-installed VMs.
On all VMs I get the same warning.

I think that the icinga2 node itself lost its own certificate.

From the CLI of the master I can see that the node doesn't have any certificates in the CA list…

root@smon03:/# icinga2 ca list

Fingerprint Timestamp Signed Subject

root@smon03:/# icinga2 ca list --all

Fingerprint Timestamp Signed Subject

root@smon03:/#

So I think the monitoring lost its own internal binding to the CA???

Is there an option to regenerate this binding?

icinga2 ca list only shows pending cert requests.

From the docs:

Note

ca list cannot be used as historical inventory. Certificate signing requests older than 1 week are automatically deleted.

As your CA is retrieved by the setup wizard, my guess is that the problem lies somewhere else.
You say there are no certificates under C:\ProgramData\icinga2\var\lib\icinga2\certs
Could it be a permission issue (though that seems strange)?

Have you tried what happens if you manually copy the master's CA certificate to the host?
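One way to see what the wizard actually left in that directory, and to check the stored parent certificate against the master before trusting it (the "***" warning above, which "CA fingerprint validation disabled" otherwise skips), as an added example that is not from this thread or the Icinga project. It assumes the default cert directory from the log and an expected SHA-256 fingerprint you read on the master with openssl; the value in the script is a placeholder.

```powershell
# Added example (not from this thread or the Icinga project): inspect the
# agent's cert directory and compare trusted-master.crt with a fingerprint
# read on the master beforehand with:
#   openssl x509 -in /var/lib/icinga2/certs/smon03.intranet.stg.crt -noout -fingerprint -sha256
param(
    [string]$CertDir = 'C:\ProgramData\icinga2\var\lib\icinga2\certs',
    # Placeholder: paste the SHA256 fingerprint printed by openssl on the master.
    [string]$ExpectedParentSha256 = 'REPLACE:WITH:MASTER:FINGERPRINT'
)

function Get-Sha256Fingerprint([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Same value openssl prints as "SHA256 Fingerprint=AA:BB:..."
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Cert.RawData)
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join ':')
}

if (-not (Test-Path -LiteralPath $CertDir)) {
    Write-Warning "Certificate directory $CertDir does not exist; the wizard never wrote any certs."
    exit 1
}

# Expected after a successful run: <host>.key, <host>.crt, trusted-master.crt, ca.crt
Get-ChildItem -LiteralPath $CertDir | Format-Table Name, Length, LastWriteTime -AutoSize

$certs = @{}
foreach ($file in Get-ChildItem -LiteralPath $CertDir -Filter '*.crt') {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
    $certs[$file.Name] = $cert
    "{0}`n  Subject: {1}`n  Issuer:  {2}`n  Valid:   {3:u} to {4:u}`n  SHA256:  {5}" -f `
        $file.Name, $cert.Subject, $cert.Issuer, $cert.NotBefore, $cert.NotAfter, (Get-Sha256Fingerprint $cert)
}

# 1) The parent cert must be the one the master really serves (the wizard's "***" warning).
if ($certs.ContainsKey('trusted-master.crt')) {
    $fp = Get-Sha256Fingerprint $certs['trusted-master.crt']
    if ($fp -eq $ExpectedParentSha256.ToUpper()) { 'OK: trusted-master.crt matches the master certificate' }
    else { Write-Warning "trusted-master.crt fingerprint $fp does not match the master's; stop and investigate." }
} else { Write-Warning 'trusted-master.crt is missing' }

# 2) The host cert should be issued by the CA in ca.crt (Issuer "CN = Icinga CA" in the thread).
$hostFile = $certs.Keys | Where-Object { $_ -notin @('ca.crt', 'trusted-master.crt') } | Select-Object -First 1
if ($hostFile -and $certs.ContainsKey('ca.crt')) {
    $hostCert = $certs[$hostFile]
    if ($hostCert.Issuer -eq $certs['ca.crt'].Subject) { "OK: $hostFile was issued by $($hostCert.Issuer)" }
    else { Write-Warning "$hostFile issuer '$($hostCert.Issuer)' != ca.crt subject '$($certs['ca.crt'].Subject)'" }
}
```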

The agent deployment PowerShell runs with admin permissions on the Windows client,
and all the other files were created fine on the client.

I still copied the CA files from another old host (where the agent still works fine) to a new host with the cert problem and restarted the icinga2 agent in the services…
but still the same problem.