Connect old agent - TLS conflict

I already connected several clients/agents via the agent script from Icinga Director. Now I face the problem of integrating a NanoPI Neo: Ubuntu 16.07.04 Xenial, which cannot (easily) be upgraded. Icinga is version 2.4.1-1.

The agent setup script fails and I think I tracked it down to a TLS version mismatch.
The master says:
[2022-01-25 16:40:48 +0100] critical/ApiListener: Client TLS handshake failed (from []:50852): unsupported protocol

TLS in general appears to be working:
openssl s_client -connect principal:5665
seems ok.

I also found the parameter tls_protocolmin. But as I understand it, I can only set it to “1.2”, which is also the default?
For my setup TLS/SSL is not really necessary as it is a home setup.
Any ideas how I can get the agent running, or is it smarter to do by_ssh checks?


I’m sure you know that your Icinga version is quite old! Following on from this, maybe the problem is the cipher, which has been hardened since version 2.11 - Upgrading Icinga 2 - Icinga 2.

Look also here Api - Icinga 2 and here Object Types - Icinga 2

Yes, I know it is quite old.
The installation guide recommends using apt and repositories.
Unfortunately, the hardware is ARM based. The latest version I get through the repository is the installed one.
Looking into the repository tree of xenial there is no armhf architecture or similar.
When I g**gle “install icinga2 from source” I do not get helpful results. All guides appear to use repositories.

I see two options:

  • I find a way to install from source
  • I find a way to turn off SSL.

I solved it now by using CHECK_BY_SSH. Thank you for your effort.