Certificate validation failed: code 18: self signed certificate

Hi, I am trying to run icinga2 in my environment, but for about two weeks I couldn’t solve the issue with connecting the icinga2 agent to the master. It always fails with this entry:

information/ApiListener: New client connection for identity ‘ralph.mydomain.com’ from [192.168.0.73]:33668 (certificate validation failed: code 18: self signed certificate)

icinga2 - The Icinga 2 network monitoring daemon (version: r2.12.4-1)

System information:
Platform: Debian GNU/Linux
Platform version: 10 (buster)
Kernel: Linux
Kernel version: 4.19.0-16-amd64
Architecture: x86_64

Disabled features: command compatlog debuglog elasticsearch gelf graphite icingadb influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker ido-pgsql mainlog notification

Icinga Web 2 Version

2.8.2

Git commit

8a89839af94a247ee2149b2336c73b8251b477c0

PHP Version

7.3.27-1~deb10u1

monitoring 2.8.2
[2021-06-28 17:30:08 +0200] information/cli: Icinga application loader (version: r2.12.4-1)
[2021-06-28 17:30:08 +0200] information/cli: Loading configuration file(s).
[2021-06-28 17:30:08 +0200] information/ConfigItem: Committing config item(s).
[2021-06-28 17:30:08 +0200] information/ApiListener: My API identity: ralph.jazzy.cz
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 3 Hosts.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 Downtime.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 4 NotificationCommands.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 35 Notifications.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 2 HostGroups.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 4 Zones.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 2 Endpoints.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 235 CheckCommands.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 IdoPgsqlConnection.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 2 UserGroups.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 2 Users.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 18 Services.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
[2021-06-28 17:30:08 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2021-06-28 17:30:08 +0200] information/ScriptGlobal: Dumping variables to file ‘/var/cache/icinga2/icinga2.vars’
[2021-06-28 17:30:08 +0200] information/cli: Finished validating the configuration file(s).

I’ve installed the master as written here:
https://icinga.com/docs/icinga-2/latest/doc/02-installation/

and then installed the agent and ran the node wizard in my testing environment. I’ve been through all the links related to this issue with absolutely no progress. Icingaweb says that debiantest.mydomain.com is not connected to ralph.mydomain.com

I guess that there is an issue with certificates, to be clear. So what am I supposed to provide to find the issue?
Thanks!

Check that you have followed all the steps regarding certificate creation and
especially signing as documented at
https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#signing-certificates-on-the-master

If you have further questions after going through those steps, feel free to
come back and let us know which part is giving you problems.

Regards,

Antony.

Thanks for answering Antony!

So I went through this and went through CSR Auto-Signing - same issue, so I’ve tried the second option, on demand, and also the same result.

I’ve re-run the node wizard on master and agent multiple times. Could I somehow have made a mistake at the beginning? Do I have to just remove some already generated certificates and start from scratch?

So on the agent debuglog is on, and here’s the output:

[2021-06-28 21:06:53 +0200] notice/ApiListener: New JSON-RPC client
[2021-06-28 21:06:53 +0200] notice/JsonRpcConnection: Received ‘icinga::Hello’ message from identity ‘ralph.mydomain.com’.
[2021-06-28 21:06:53 +0200] information/JsonRpcConnection: Closing anonymous connection [192.168.0.73]:37056 after 10 seconds.
[2021-06-28 21:06:53 +0200] warning/JsonRpcConnection: API client disconnected for identity ‘ralph.mydomain.com
[2021-06-28 21:06:55 +0200] notice/CheckerComponent: Pending checkables: 0; Idle checkables: 0; Checks/s: 0
[2021-06-28 21:06:56 +0200] debug/ApiListener: Not connecting to Endpoint ‘debiantest.mydomain.com’ because that’s us.
[2021-06-28 21:06:56 +0200] notice/ApiListener: Current zone master: debiantest.mydomain.com
[2021-06-28 21:06:56 +0200] notice/ApiListener: Connected endpoints:
[2021-06-28 21:06:56 +0200] notice/ApiListener: Updating object authority for objects at endpoint ‘debiantest.mydomain.com’.
[2021-06-28 21:06:56 +0200] information/ApiListener: Reconnecting to endpoint ‘ralph…mydomain.com’ via host ‘192.168.0.73’ and port ‘5665’
[2021-06-28 21:06:56 +0200] warning/ApiListener: Certificate validation failed for endpoint ‘ralph…mydomain.com’: code 18: self signed certificate
[2021-06-28 21:06:56 +0200] information/ApiListener: New client connection for identity ‘ralph.mydomain.com’ to [192.168.0.73]:5665 (certificate validation failed: code 18: self signed certificate)

So after a week spent with documentation and forums I finally solved it… I just deleted all generated certificates on master and agent and ran the node wizard again (now buffed with all the knowledge) and it all just started working!

You pushed me into a correct way to fix this. Thank you very very much!

Excellent - glad you’ve got it sorted, and glad you understand more about how
the system fits together, too :slight_smile:

Antony.
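
The "code 18" in the log lines above is OpenSSL's verify result for a leaf certificate that is its own issuer and is not in the trust store. The script below is an added example, not part of the original thread or of Icinga's own tooling: it builds a constructed throwaway CA plus one CA-signed and one self-signed certificate for the hypothetical host agent.example.test, and classifies each with `openssl verify`. The function names are hypothetical; on a real node `diagnose` would be pointed at the node's certificate and `ca.crt`, assumed here to live under /var/lib/icinga2/certs/ (the default location in Icinga 2.8 and later).

```shell
#!/bin/sh
# Added example: reproduce and classify "code 18" with a throwaway PKI.
# All names and files are constructed; nothing touches a real Icinga install.

# verify_code CERT CA -> prints 0 if CERT chains to CA, else OpenSSL's verify error number
verify_code() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    fi
}

# is_self_issued CERT -> succeeds when subject and issuer are the same name
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# diagnose CERT CA -> one-word verdict for the endpoint certificate
diagnose() {
    code=$(verify_code "$1" "$2")
    if [ "$code" = 0 ]; then echo trusted
    elif [ "$code" = 18 ] && is_self_issued "$1"; then echo self-signed
    else echo "untrusted:$code"
    fi
}

# make_demo_pki DIR -> constructed CA, one CA-signed cert, one self-signed cert
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Icinga CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
        -keyout "$d/signed.key" -out "$d/signed.csr" 2>/dev/null
    openssl x509 -req -in "$d/signed.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signed.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=agent.example.test" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt" 2>/dev/null
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
echo "signed.crt:     $(diagnose "$DEMO/signed.crt" "$DEMO/ca.crt")"
echo "selfsigned.crt: $(diagnose "$DEMO/selfsigned.crt" "$DEMO/ca.crt")"
```

A `self-signed` verdict on a node's own certificate means it was never signed by the master's CA, which matches the outcome in the thread: removing the generated certificates and re-running the wizard so the CSR gets signed.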