Changing Icinga Hostname causes icinga to not work

Hello guys,
I have recently renamed my Icinga server; as a result, my service won’t start now.
After I changed the name, I also edited the constants.conf file in order to update my NodeName and ZoneName constants.
Even though I changed the constants, when I use icinga2 object list --type Endpoint I see the old name of my server…
When I try to restart my icinga2 service, I get an error saying that the endpoint with my new name does not exist.
Will appreciate your help.
Thanks in advance.

Take a look into your zones.conf, as well as cleaning /var/lib/icinga2/api/packages/director if you are using the Director.

A name change also affects your Icinga CA, and since it no longer matches the CA signed certificates, all the issued certificates for all endpoints will become invalid and thus you will get an error about invalid endpoints.

To remedy this issue you will have to revoke all the endpoint keys you created and start generating a new CA and keys to all the endpoints you have defined.

Hi,

That’s not entirely the case. Changing the hostname only affects the host’s certificate pair, not the Icinga CA certificate and private key (unless you have purged it entirely).

The host’s certificates need to be regenerated, following the convention that FQDN = CN = endpoint. Once the certificate is signed by the same CA, all nodes will continue with their TLS handshake.

That also leads into another task with renaming the Endpoint object on all involved nodes - the master, satellites and clients if configured. A renamed Endpoint also needs to be referenced/updated in the Zone’s endpoints attribute. This is usually done inside the zones.conf file unless you have chosen a different file.

This is required after a successful TLS handshake in order to apply restrictions and permissions. If e.g. the satellite sees a host connecting where no Endpoint and Zone membership is configured, it will close the connection with ‘endpoint not allowed’. This can be seen in the troubleshooting docs for example.

Cheers,
Michael
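
The consistency rule from the reply above (FQDN = CN = endpoint, with the Endpoint listed in a Zone's endpoints attribute) can be checked offline before restarting. This is an added example, not code from the thread or from the Icinga project; the host names and file contents are constructed, the certificate CN is passed in as a plain string, and the regex parser assumes simple, comment-free Endpoint and Zone blocks.

```python
import re

CONST_RE = re.compile(r'^\s*const\s+(\w+)\s*=\s*"([^"]*)"', re.M)
OBJECT_RE = re.compile(r'object\s+(Endpoint|Zone)\s+("[^"]*"|\w+)\s*\{(.*?)\}', re.S)
ENDPOINTS_RE = re.compile(r'endpoints\s*=\s*\[(.*?)\]', re.S)
TOKEN_RE = re.compile(r'"[^"]*"|\w+')

# Constructed sample inputs (not from the thread): constants.conf carries the
# new name; ZONES_STALE still hard-codes the old one, ZONES_FIXED uses constants.
CONSTANTS = 'const NodeName = "icinga-new.example.com"\nconst ZoneName = "master"\n'
ZONES_STALE = '''
object Endpoint "icinga-old.example.com" { }
object Zone ZoneName { endpoints = [ "icinga-old.example.com" ] }
'''
ZONES_FIXED = '''
object Endpoint NodeName { }
object Zone ZoneName { endpoints = [ NodeName ] }
'''


def resolve(token, consts):
    """Quoted tokens are literals; bare words are constants such as NodeName."""
    return token[1:-1] if token.startswith('"') else consts.get(token, token)


def check_rename(constants_text, zones_text, cert_cn):
    """Return mismatches between NodeName, the certificate CN and zones.conf."""
    consts = dict(CONST_RE.findall(constants_text))
    node = consts.get("NodeName")
    endpoints, members = set(), {}
    for kind, name, body in OBJECT_RE.findall(zones_text):
        name = resolve(name, consts)
        if kind == "Endpoint":
            endpoints.add(name)
            continue
        found = ENDPOINTS_RE.search(body)
        tokens = TOKEN_RE.findall(found.group(1)) if found else []
        members[name] = [resolve(t, consts) for t in tokens]
    problems = []
    if cert_cn != node:
        problems.append(f"certificate CN {cert_cn!r} != NodeName {node!r}")
    if node not in endpoints:
        problems.append(f"no Endpoint object named {node!r}")
    if not any(node in eps for eps in members.values()):
        problems.append(f"{node!r} is in no Zone's endpoints attribute")
    for zone, eps in members.items():
        problems += [f"Zone {zone!r} references undefined Endpoint {ep!r}"
                     for ep in eps if ep not in endpoints]
    return problems
```

Calling check_rename(CONSTANTS, ZONES_STALE, "icinga-old.example.com") reports all three mismatches at once, while the ZONES_FIXED input with a reissued certificate CN returns an empty list.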

I have generated new certificates and renamed the endpoint in zones.conf, though I still can’t seem to start icinga2, and once again when I run icinga2 object list --type Endpoint I see the old name of my endpoint and not the newly created one.

icinga2 object list uses a cache file from successful config validation, so if that failed before, it is not accurate. Please add the full output of that validation including the current content of zones.conf.

Cheers,
Michael