Critical/cli: Invalid ticket for CN

I’m working on extending the ansible role for icinga2 and stumbled upon this conundrum while trying to sign the certificates for one of the clients. I then repeated the steps manually but I can’t figure out what is wrong. Here’s my output where alixis the master and screeny is the client:

root@alix:/etc/icinga2# icinga2 pki ticket --cn screeny
42153cad9357e61f8f30c53ad0d66eb4b2b9041c

root@screeny:~# icinga2 node setup --ticket 42153cad9357e61f8f30c53ad0d66eb4b2b9041c --endpoint alix,10.24.0.165,5665 --zone alix --master_host alix --trustedcert /var/lib/icinga2/certs/ca.crt --accept-commands --accept-config
information/cli: Verifying ticket '42153cad9357e61f8f30c53ad0d66eb4b2b9041c'.
information/cli: Verifying master host connection information: host 'alix', port '5665'.
information/cli: Verifying trusted certificate file '/var/lib/icinga2/certs/ca.crt'.
information/cli: Using the following CN (defaults to FQDN): 'screeny'.
information/cli: Created backup file '/etc/icinga2/pki/screeny.key.orig'.
information/cli: Created backup file '/etc/icinga2/pki/screeny.crt.orig'.
information/base: Writing private key to '/etc/icinga2/pki/screeny.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/screeny.crt'.
information/cli: Requesting a signed certificate from the master.
critical/cli: Invalid ticket for CN 'screeny'.
critical/cli: Failed to request certificate from Icinga 2 master.

debuglog on master:

[2019-03-08 07:44:01 +0100] information/ApiListener: New client connection for identity 'screeny' from [10.24.0.42]:50656 (certificate validation failed: code 18: self signed certificate)
[2019-03-08 07:44:01 +0100] notice/ApiListener: New JSON-RPC client
[2019-03-08 07:44:01 +0100] notice/WorkQueue: Spawning WorkQueue threads for 'JsonRpcConnection, #0'
[2019-03-08 07:44:01 +0100] notice/JsonRpcConnection: Received 'pki::RequestCertificate' message from 'screeny'
[2019-03-08 07:44:01 +0100] information/JsonRpcConnection: Received certificate request for CN 'screeny' not signed by our CA.
[2019-03-08 07:44:01 +0100] notice/ThreadPool: Thread pool; current: 2; adjustment: -1
[2019-03-08 07:44:01 +0100] debug/ThreadPool: Killing worker thread.
[2019-03-08 07:44:01 +0100] notice/ThreadPool: Pool #2: Pending tasks: 0; Average latency: 0ms; Threads: 5; Pool utilization: 0.819473%
[2019-03-08 07:44:01 +0100] warning/JsonRpcConnection: Ticket '42153cad9357e61f8f30c53ad0d66eb4b2b9041c' for CN 'screeny' is invalid.

Any ideas on how to debug and possibly fix this? Or is this obvious and just due to sleep deprivation on my part?

Hum… could this be due to incompatible versions? I’m using raspberry pies for testing and I just discovered that the package version is 2.6 from /raspbian.raspberrypi.org

Yup, that seems to be the reason. I just tried with another amd64 node where I am able to install 2.10 and this one works flawlessly.

Thanks for being my rubber duck :stuck_out_tongue: