Could not add client with icinga2 pki request (in ansible)

Hello

I am quite a newbie on icinga2 and I am trying to add new clients to the environment with ansible

While I was trying, I got an error in the ansible logs, so I copied and pasted the command into the client's shell prompt and reproduced the error

# icinga2 pki request --host monitor.domain.com --port 5665 --ticket ab6ce7fceac7b10ba824f7996d613723df5f5508 --key /etc/icinga2/pki/client.key --cert /etc/icinga2/pki/client.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --ca /etc/icinga2/pki/ca.key
critical/cli: Could not fetch valid response. Please check the master log.

When I check icinga2's icinga log file, I can see the following lines

[2019-07-09 15:34:26 +0300] information/ApiListener: New client connection for identity 'client' from [192.168.112.115]:52696 (certificate validation failed: code 18: self signed certificate)
[2019-07-09 15:34:36 +0300] warning/ApiListener: No data received on new API connection for identity 'client'. Ensure that the remote endpoints are properly configured in a cluster setup.

So I tried to add the client with icinga2 node wizard from the client, and I got the same errors (as above) again. The tool requests a pki ticket; I ran the command on the master and pasted the output into the wizard, but I got the following errors and then it requested the ticket again

critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master 'IP, 5665'. Please try again.

The master and client are on the same network, so there is no firewall between them. The client can connect to the master's 5665, but the client could not start 5665/TCP yet. I ran nc to listen on 5665 on the client, and the master also connected to the client's 5665. There is no network connectivity problem between client and master

Could you help me fix this error?

Thanks and best regards
LastGraywolf

Hi,

that parameter looks odd; it shouldn't have the private CA key but the public CA certificate.

--ca /etc/icinga2/pki/ca.key

If you really have copied the CA key pair from the master to the newly installed endpoint, please remove the file as well; this is a matter of security.

Also to note, /etc/icinga2/pki is deprecated, you should use /var/lib/icinga2/certs instead.

Cheers,
Michael

Hello Michael

Thanks for your quick response

It looks like a version-related bug. We are using the same version as in this bug: monitor.portal.org link

Thanks

Which versions of Icinga are involved? Anyway, if you don't send a valid public CA certificate with --ca /var/lib/icinga2/certs/ca.crt, operations might fail just because of this. Fix this first and post your results here.

Cheers,
Michael
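As an added illustration of the point made above (this is example code, not from the thread, the Icinga project, or the ansible role in question): a small pre-flight check that an ansible task could run on the endpoint before `icinga2 pki request`, so that the file passed as `--ca` is verified to be a public PEM certificate rather than a private key, and the certificate directory is scanned for a stray `ca.key` that should never exist on a client. The helper names (`pem_kind`, `check_ca_arg`, `has_private_ca_key`, `safe_pki_request`) and the `trusted-master.crt` file name are assumptions; the directory `/var/lib/icinga2/certs` and the `ca.crt` / `ca.key` names come from the thread.

```shell
#!/bin/sh
# Added example: sanity-check the PKI arguments before calling
# `icinga2 pki request`. Helper names are assumptions, not Icinga CLI.

# pem_kind FILE -> prints "cert", "key", "missing" or "unknown"
pem_kind() {
    f="$1"
    [ -r "$f" ] || { echo "missing"; return 0; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "cert"
    elif grep -q -E -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f"; then
        echo "key"
    else
        echo "unknown"
    fi
}

# check_ca_arg FILE -> 0 if FILE is a certificate (what --ca expects),
# 1 otherwise, with the reason on stderr
check_ca_arg() {
    case "$(pem_kind "$1")" in
        cert)    return 0 ;;
        key)     echo "refusing: $1 is a private key; --ca wants the public CA certificate (ca.crt)" >&2; return 1 ;;
        missing) echo "refusing: $1 does not exist or is unreadable" >&2; return 1 ;;
        *)       echo "refusing: $1 is not a PEM certificate" >&2; return 1 ;;
    esac
}

# has_private_ca_key DIR -> 0 (and prints the path) if DIR/ca.key holds a
# private key, 1 if no such file is present; a CA key on an endpoint means
# the CA key pair was copied over and should be removed
has_private_ca_key() {
    f="$1/ca.key"
    if [ -e "$f" ] && [ "$(pem_kind "$f")" = key ]; then
        echo "$f"
        return 0
    fi
    return 1
}

# safe_pki_request HOST TICKET CERTDIR NODENAME (assumed wrapper signature):
# only runs the real request when both checks pass
safe_pki_request() {
    host="$1"; ticket="$2"; dir="$3"; node="$4"
    if has_private_ca_key "$dir" >/dev/null; then
        echo "private CA key found under $dir; remove it from the endpoint first" >&2
        return 1
    fi
    check_ca_arg "$dir/ca.crt" || return 1
    icinga2 pki request --host "$host" --port 5665 --ticket "$ticket" \
        --key "$dir/$node.key" --cert "$dir/$node.crt" \
        --trustedcert "$dir/trusted-master.crt" --ca "$dir/ca.crt"
}

# Demo with constructed PEM stubs (not real key material) in a temp dir:
# reproduces the thread's mistake (ca.key passed as --ca) and the fix.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nstub\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nstub\n-----END RSA PRIVATE KEY-----\n' > "$d/ca.key"
    check_ca_arg "$d/ca.key" || echo "as in the thread: ca.key rejected as --ca"
    check_ca_arg "$d/ca.crt" && echo "ca.crt accepted as --ca"
    has_private_ca_key "$d" >/dev/null && echo "stray private CA key present under $d"
    rm -rf "$d"
}

demo
```

In an ansible role this would sit in a pre-task that fails the play before the request is attempted, so a copied CA key is caught on the endpoint rather than discovered later in the master log.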

Hi,

can you please tell me how to send a valid public CA certificate with --ca /var/lib/icinga2/certs/ca.crt?
I don't know where to send it

thanks in advance