Client Certification issues

When running the command (see below) from the client, I noticed that the master-ca.crt is different than the one that is on the master host. Is this expected behavior?

icinga2 pki save-cert --key client.key --cert client.crt --trustedcert master-ca.crt --host master.host

The reason I ask is because when running the icinga2 node wizard on a few Ubuntu 18.04 servers, I get the following message:

[2019-08-21 17:38:09 +0000] information/ApiListener: No data received on new API connection. Ensure that the remote endpoints are properly configured in a cluster setup.
[2019-08-21 17:38:12 +0000] warning/ApiListener: No data received on new API connection for identity 'client.host'. Ensure that the remote endpoints are properly configured in a cluster setup.
Context:
        (0) Handling new API client connection

Below are posts that are related to my issue and I’ve tried to follow all of the suggestions, but no success.


Hello @yungd!

AFAIK --trustedcert specifies the node certificate, not the CA one.

Best,
AK


Correct. This is the one fetched with save-cert from the parent node. It proves that you trust the parent. The reason for adding this step is to forbid “fire and forget” and make you think about it. The node wizard and likewise, the Windows agent wizard, ask you in an interactive way if you really trust the parent node. That’s the same as with passing --trustedcert.

Cheers,
Michael
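
An added example, not part of the thread and not Icinga project code: since the file written by save-cert is the parent's own certificate, the trust decision comes down to comparing its fingerprint with one read on the parent host itself. The function names and the throwaway sample certificate are assumptions made for illustration; only the openssl CLI is required.

```bash
#!/usr/bin/env bash
# Added example (not Icinga project code). Requires the openssl CLI.

# SHA-256 fingerprint of a PEM certificate: lowercase hex, no colons.
# Prints nothing if the file is missing or is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Show who the fetched certificate claims to be and who signed it.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# verify_trusted_cert FILE EXPECTED_FINGERPRINT
# EXPECTED_FINGERPRINT is read on the parent node itself and carried over
# out-of-band; colons, spaces and upper case are accepted.
# Returns 0 on match, 1 on mismatch, 2 if FILE cannot be parsed.
verify_trusted_cert() {
    local actual expected
    actual=$(cert_fingerprint "$1")
    [ -n "$actual" ] || return 2
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || return 1
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the file written by save-cert. $1 is the CN, $2 the output path.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage on a client, with the file name from the command in the question:
#   cert_summary master-ca.crt
#   verify_trusted_cert master-ca.crt "<fingerprint read on the parent>" \
#       && echo "fingerprint matches" || echo "do not trust this certificate"
```

A mismatch (return code 1) means the certificate received over the network is not the one the parent holds, so it should not be passed to --trustedcert.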