Certificate validation failed for endpoint: code 18: self signed certificate


I am using docker-containers for the client setup for my icinga2 master-client setup and I have run into the issue that " Remote instance ‘client’ is not connected to ‘master’ " (Frontend)
Also, I get an error "Certificate validation failed for endpoint ‘master’ :code 18 : self signed certificate’

The certificate has been signed on the master.
Can someone please point out what can be done to fix this issue.



which version of Icinga 2 is used on the agent side? Did you manually HUP the icinga2 service on the agent after sending the certificate request?



Thanks for the quick response.
The icinga version is:
icinga2 - The Icinga 2 network monitoring daemon (version: r2.11.2-1).

I didn’t understand by manually HUP icinga service.


by HUP I meant to restart/reload the icinga2 service inside the container. There’s a known bug with 2.11.x where the received signed certificate is not automatically reloaded thus requiring a manual restart.


Sorry had mentioned the version of my master, the client is using :
icinga2 - The Icinga 2 network monitoring daemon (version: r2.10.5-1)

I hadn’t restarted the icinga2 service inside the container, tried it now but I am running into an issue with ‘Failing to get D-bus connection’


I have updated the Icinga2 version on my client to 2.11.2-1 and deployed it again.
Restarted the icinga2 service in the container, but now I run into another problem :
’ tail: cannot open ‘/var/log/icinga2/icinga2.log’ for reading: No such file or directory’

When I check the path the file icinga2.log is present there, any inputs?


Without knowing how your container is built and where that tail command is coming from, hard to guess. Can you share your git repo for creating the container image?

I removed the command line for “tail” from run file and built the docker image again.
Still after restarting the icinga2 service I’m facing the issue of certificate validation:
" Certificate validation failed for endpoint ‘master.com’: code 18: self signed certificate "

Best Regards

Looking at the Dockerfile, it says Debian Jessie and it doesn’t install Icinga from packages.icinga.com. So you’re using a very old version of Icinga 2 which I doubt being compatible with the current 2.11 release.

Any specific reason to use this project from 2017 and not build your own image? Can you explain in your own words what’s going on in this repo with setting up Icinga, e.g. how the certificate retrieval and configuration works?

No particular reason in using this repo.
The certificate retrieval is done by pki request to the master host.
icinga2 pki request
–key /etc/icinga2/pki/${ICINGA2_CLIENT_FQDN}.key
–cert /etc/icinga2/pki/${ICINGA2_CLIENT_FQDN}.crt
–trustedcert /etc/icinga2/pki/trusted-master.crt
–ca /etc/icinga2/pki/ca.crt

How’s the ticket variable being generated on the master host and then passed to the container?

Client ticket is generated on master and then the client ticket is added manually in the environment variables for the client side.

Ok, and which version of Icinga is used in the Docker image? exec into the Container and run icinga2 --version.

icinga2 --version

icinga2 - The Icinga 2 network monitoring daemon (version: r2.11.2-1)