I’m working on extending the Ansible role for icinga2 and stumbled upon this conundrum while trying to sign the certificates for one of the clients. I then repeated the steps manually, but I can’t figure out what is wrong. Here’s my output, where alix is the master and screeny is the client:
```
root@alix:/etc/icinga2# icinga2 pki ticket --cn screeny
42153cad9357e61f8f30c53ad0d66eb4b2b9041c

root@screeny:~# icinga2 node setup --ticket 42153cad9357e61f8f30c53ad0d66eb4b2b9041c --endpoint alix,10.24.0.165,5665 --zone alix --master_host alix --trustedcert /var/lib/icinga2/certs/ca.crt --accept-commands --accept-config
information/cli: Verifying ticket '42153cad9357e61f8f30c53ad0d66eb4b2b9041c'.
information/cli: Verifying master host connection information: host 'alix', port '5665'.
information/cli: Verifying trusted certificate file '/var/lib/icinga2/certs/ca.crt'.
information/cli: Using the following CN (defaults to FQDN): 'screeny'.
information/cli: Created backup file '/etc/icinga2/pki/screeny.key.orig'.
information/cli: Created backup file '/etc/icinga2/pki/screeny.crt.orig'.
information/base: Writing private key to '/etc/icinga2/pki/screeny.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/screeny.crt'.
information/cli: Requesting a signed certificate from the master.
critical/cli: Invalid ticket for CN 'screeny'.
critical/cli: Failed to request certificate from Icinga 2 master.
```
Debug log on master:
```
[2019-03-08 07:44:01 +0100] information/ApiListener: New client connection for identity 'screeny' from [10.24.0.42]:50656 (certificate validation failed: code 18: self signed certificate)
[2019-03-08 07:44:01 +0100] notice/ApiListener: New JSON-RPC client
[2019-03-08 07:44:01 +0100] notice/WorkQueue: Spawning WorkQueue threads for 'JsonRpcConnection, #0'
[2019-03-08 07:44:01 +0100] notice/JsonRpcConnection: Received 'pki::RequestCertificate' message from 'screeny'
[2019-03-08 07:44:01 +0100] information/JsonRpcConnection: Received certificate request for CN 'screeny' not signed by our CA.
[2019-03-08 07:44:01 +0100] notice/ThreadPool: Thread pool; current: 2; adjustment: -1
[2019-03-08 07:44:01 +0100] debug/ThreadPool: Killing worker thread.
[2019-03-08 07:44:01 +0100] notice/ThreadPool: Pool #2: Pending tasks: 0; Average latency: 0ms; Threads: 5; Pool utilization: 0.819473%
[2019-03-08 07:44:01 +0100] warning/JsonRpcConnection: Ticket '42153cad9357e61f8f30c53ad0d66eb4b2b9041c' for CN 'screeny' is invalid.
```
Any ideas on how to debug and possibly fix this? Or is this obvious and just due to sleep deprivation on my part?