I have followed all the steps at About - Icinga Certificate Monitoring and the subsequent guide pages. Everything went well (after I broke my Icinga QA 10 times, lol). However, now that I tried to create an apply rule for multiple certificates to show, this is what I see in monitoring:
Also want to clarify, I can run icingacli x509 commands.
Some basic troubleshooting that I can think of off hand:
What’s the executed command? You can grab this from the icinga2 logs (can’t recall if debug logs need to be on), or if you have the director module installed, you can grab it from the web ui by clicking the inspect link. What’s the output when you manually run the executed command on the cli?
Is the command executed from the master or another node? In a distributed environment, you could have this command executing on the wrong box (I am assuming single master though)
If it works manually as root the user which is used by Icinga does not have access to the configuration. So assigning the user to the group which has access should solve this, if SELinux is not enforcing as this would be another problem.
To @dgoetz 's point, I’m kind of interested if selinux is enabled or disabled – what’s the output of getenforce
If the output is Enabled, can you try setenforce 0 (this does not disable selinux, but instead puts it in permissive mode) and then try having Icinga run the check again.
To test commands as the Icinga user, you can run sudo -u icinga <command>
Edit: looks like @dgoetz beat me to a different approach
icingacli is executable by every user, but to function properly it requires the configuration. The configuration is stored in /etc/icingaweb2 which is by default readable for the icingaweb2 group but not the icinga user. By adding it to the group access is granted. The running instance will not change its user’s groupmembership, so if the service is not restarted it will have no effect, because of this the service gets restarted in the second command.