Hi all,
I've got a problem when I try to join new hosts to my Icinga.
I found out that this must be something regarding the certificates…
On the client side I start the onboarding with:
```powershell
powershell.exe -executionpolicy unrestricted -command \\MyShareToIcinga\Icinga\icinga_agent.ps1
```
and the agent.ps1 module does the onboarding (as always before):
```powershell
Import-Module Icinga2Agent
Start-Sleep -m 500
# Install Agent and Connect to Server
$icinga = Icinga2AgentModule -DirectorUrl 'https://MyIcingaMaster/icingaweb2/director/' `
    -DirectorAuthToken '01234567890' -InstallAgentVersion '2.11.4' `
    -DownloadUrl '\\MyShareToIcinga\Icinga' -ParentEndpoints 'smon03.intranet.stg' `
    -IgnoreSSLErrors -DebugMode `
    -RunInstaller
$icinga.install();
```
and during the install I get the following error.
```
Notice: Started script run...
Notice: Connected successfully to Icinga Director Self-Service API over API token.
Notice: Setting internal Agent Name to "SLOGMGMT02.intranet.stg"
Notice: Trying to fetch Host IP-Address for hostname: SLOGMGMT02.intranet.stg
Notice: Setting IP 10.11.252.205 as primary IP for this host for all requests. Access it with &ipaddress& for all JSON requests.
Notice: Using Icinga version "", setting certificate directory to "C:\ProgramData\icinga2\etc\icinga2\pki"
Warning: Icinga 2 Agent does not seem to be installed on the system
Notice: Installing Icinga 2 Agent from local directory
Warning: Icinga 2 Agent Installer verification disabled.
Notice: Installing Icinga 2 Agent
Notice: Icinga 2 Agent installed.
Notice: Using Icinga version "2.11.4", setting certificate directory to "C:\ProgramData\icinga2\var\lib\icinga2\certs"
Notice: Found Icinga 2 Agent version 2.11.4 installed at "C:\Program Files\ICINGA2\"
Notice: Creating host "SLOGMGMT02.intranet.stg" over API token inside Icinga Director.
Notice: Writing host API-Key "01234567890" to "C:\ProgramData\icinga2\etc\icinga2\icingadirector.token"
Notice: Successfully fetched configuration for this host over Self-Service API.
Notice: Fetched ticket "01234567890" from Icinga Director
Notice: Generating Host certificates required by Icinga 2
Notice: information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\SLOGMGMT02.intranet.stg.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\SLOGMGMT02.intranet.stg.crt'.
Notice: Storing Icinga 2 certificates
Notice: information/cli: Retrieving X.509 certificate for 'smon03.intranet.stg:5665'.
Subject: CN = smon03.intranet.stg
Issuer: CN = Icinga CA
Valid From: Jul 5 08:37:52 2018 GMT
Valid Until: Jul 1 08:37:52 2033 GMT
Fingerprint: .......
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-master.crt'.
Notice: Certificate fingerprint: "012344567890"
Warning: CA fingerprint validation disabled
Notice: Requesting Icinga 2 certificates
"atal: Exception calling "generateCertificates" with "0" argument(s): "critical/cli: !!! The certificate for CN 'SLOGMGMT02.intranet.stg' is valid and uptodate. Skipping automated renewal.
######## The script encountered several errors during run ########
"atal: Exception calling "generateCertificates" with "0" argument(s): "critical/cli: !!! The certificate for CN 'SLOGMGMT02.intranet.stg' is valid and uptodate. Skipping automated renewal.
1
PS C:\Windows\system32>
```
On the Windows client I can see that the certificate files aren't in the directory:
C:\ProgramData\icinga2\etc\icinga2\pki
and from the icinga2 CLI on the master I can see the following.
```
root@smon03:/var/lib/icinga2/certs# ls -l
total 16
-rw-r--r-- 1 nagios nagios 1720 Jul 5 2018 ca.crt
-rw-r--r-- 1 nagios nagios 1773 Jul 5 2018 smon03.intranet.stg.crt
-rw-r--r-- 1 nagios nagios 1663 Jul 5 2018 smon03.intranet.stg.csr
-rw------- 1 nagios nagios 3247 Jul 5 2018 smon03.intranet.stg.key
root@smon03:/var/lib/icinga2/certs# netstat -tulpen | grep icinga
tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 109 218649185 12946/icinga2
root@smon03:/var/lib/icinga2/certs#
root@smon03:/var/lib/icinga2/certs# openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/smon03.intranet.stg.crt
/var/lib/icinga2/certs/smon03.intranet.stg.crt: OK
root@smon03:/var/lib/icinga2/certs#
```
To me it seems as if Icinga no longer uses its own certificates???