Certificate validation failed for endpoint': code 7: certificate signature failure

Hi!

I have some trouble connecting my master, which is in a private network, with my satellite, which is publicly accessible. I copied ca.crt from /var/lib/icinga2/certs on the master into the same directory on the satellite (external server), and now I am getting an error that states “Certificate validation failed for endpoint ‘myendpoint’ : code 7: certificate signature failure”.
I configured the other satellite (which is in the same private network) in the same way and it works perfectly. The problem arises with CA signing. I want to use on-demand signing, and with the second satellite it worked without any problems: I got a certificate request, signed it and the connection was established. But I do not get any certificate request from the external server, and that’s why I cannot sign it.

zones.conf on the master:

object Endpoint "master1.com" {
}

object Endpoint "internsrv.com" {
  host = "IP addr" // The master actively tries to connect to the agent
  log_duration = 0 // Disable the replay log for command endpoint agents
}

object Zone "master" {
        endpoints = [ "master1.com" ]
}

object Endpoint "external.com" {
  host = "IP addr" // The master actively tries to connect to the agent
  log_duration = 0 // Disable the replay log for command endpoint agents
}


object Zone "internsrv.com" {
  endpoints = [ "internsrv.com" ]

  parent = "master"
}


object Zone "external.com"{
  endpoints = ["external.com"]
  parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

zones.conf on external.com:

object Endpoint "master1.com" {
}

object Zone "master" {
        endpoints = [ "master1.com" ]
}

object Endpoint "external.com" {
}

object Zone "external.com" {
        endpoints = [ "external.com" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

Icinga2 2.12.3-1 is installed on all servers, and all of them are running Debian.
netstat -tulpn shows that all servers are listening on port 5665, and icinga2 daemon -C does not show any errors. The API feature is enabled on all three servers.

Can someone please give me a hint about what to check? Or a step-by-step explanation of how I should create and update certificates on the master AND on the satellites? I would really appreciate that. I checked the documentation, but I have not figured it out. When I try to connect while running the icinga2 setup wizard, I get an error:
“critical/pki: Cannot connect to host ‘Master IP addr’ on port ‘5665’
critical/cli: Peer did not present a valid certificate.”

I have limited access to the external server, so I need simplest possible solution.

Thanks in advance.

Did you check whether the hostname in Icinga and for the ticket are the same?

Did you use the node wizard?

What exactly do you mean? I did not create any ticket. When using the node wizard I chose that the connection should not be established, because of the error I always get. Then I just copied ca.crt from the master to the satellite, exactly as the message in the node wizard stated.

As I said, when I use the node wizard I always get an error:
“critical/pki: Cannot connect to host ‘Master IP addr’ on port ‘5665’
critical/cli: Peer did not present a valid certificate.”
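
A check that fits the "code 7" error in this thread, as an added example that is not part of any post above: test whether a node certificate really chains to the ca.crt stored beside it. The helper names, the throwaway certificates and the "Icinga CA" subject are constructed for the demo; on a real node you would call chain_ok with /var/lib/icinga2/certs/ca.crt and the node's own certificate file (its file name is an assumption here).

```shell
#!/bin/sh
# Added example: does a node certificate chain to a given CA certificate?

# chain_ok CA CERT -> exit status 0 if CERT verifies against CA
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# describe CERT -> subject, issuer and SHA-256 fingerprint, for comparing
# the copies of ca.crt held on the master and on the satellite
describe() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# make_ca DIR NAME: constructed throwaway CA (same subject for every CA,
# so a mismatch cannot be spotted from the issuer name alone)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Icinga CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_node DIR CA NAME: constructed node certificate NAME signed by CA
make_node() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CAcreateserial \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/$3.crt" 2>/dev/null
}

# demo: one node signed by the master's CA, one signed by a different CA
# with the same name; both are checked against the master's ca.crt.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" master && make_ca "$d" other &&
        make_node "$d" master internsrv.com &&
        make_node "$d" other external.com || { rm -rf "$d"; return 1; }
    for n in internsrv.com external.com; do
        if chain_ok "$d/master.crt" "$d/$n.crt"; then r=ok; else r=FAILED; fi
        echo "$n against master ca.crt: $r"
    done
    rm -rf "$d"
}

demo
```

A FAILED result means the node certificate was issued by a different CA key than the one in ca.crt, so copying ca.crt alone cannot make the peer trusted; the node needs a certificate signed by that CA.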