CSR Auto sign in multi domain Setup

Dear swarm intelligence,

I am right now to setup a new Icinga2 environment for a customer that brings a new layer of compellability. In the past, I set up some environments with multi zones and satellites. So, I thought we could continue with this idea on the current project.

On this setup, we have the challenge that the zones have also different domain names. An example picture here:

So, we set up the master node with the “icinga2 node wizard”, setup DB, WEB, Director… the master zone works as expected, same zone same domain. Auto CSR works!

Now we tried to setup the satellite and configure also an agent behind.
Since we habe a satellite that have an interface inside each domain, we tried this setup:

satellite node setup

icinga2 node setup \
--zone am-icinga2-satellite.america.com \
--endpoint icinga2-master.emea.com \
--ticket 374c5093dbcee2c593411a2319e85c5ac4059f85 \
 --cn am-icinga2-satellite.america.com \
 --parent_host icinga2-master.emea.com \
 --parent_zone master \
 --trusted /var/lib/icinga2/certs/trusted-parent.crt \
 --accept-config --accept-commands --listen ",5665"

satellite zones.conf

object Endpoint "icinga2-master.emea.com" {

object Zone "master" {
        endpoints = [ "icinga2-master.emea.com" ]

object Endpoint "am-icinga2-satellite.emea.com" {

object Zone "am-icinga2-satellite.america.com" {
        endpoints = [ "am-icinga2-satellite.emea.com" ]
        parent = "master"

object Zone "global-templates" {
        global = true

object Zone "director-global" {
        global = true

We put the same ticketsalt and api users from the master to the satellite.

Next Step: try to setup an agent behind the satellite inside the america zone.
Ticket was able to be retrieved from satellite, but node setup did not end as expected.

icinga agent setup syslog in america domain/zone:

"icinga2" "node" "setup" \
"--zone" "syslog.america.com" \
"--endpoint" "am-icinga2-satellite.america.com" \
"--ticket" "c816642c3b48e7ab4c65c5a20dd38737c06be866" \
"--cn" "syslog.america.com" \
"--parent_host" "am-icinga2-satellite.america.com" \
"--parent_zone" "america" \
"--trusted" "/var/lib/icinga2/certs/trusted-parent.crt" \
"--accept-config" "--accept-commands" "--listen" ",5665"

In the output I can see this

Certificate request for CN 'syslog.america.com' is pending. Waiting for approval from the parent Icinga instance.",

On the satellite debug log it shows this:

information/JsonRpcConnection: Received certificate request for CN 'syslog.america.com' which couldn't be verified: self-signed certificate (code 18)
information/JsonRpcConnection: Certificate request for CN 'syslog.america.com' is pending. Waiting for approval.
warning/JsonRpcConnection: API client disconnected for identity 'syslog.america.com'
notice/ApiListener: Relaying 'pki::RequestCertificate' message
debug/JsonRpcConnection: Error while reading JSON-RPC message for identity 'syslog.america.com': Error: Operation canceled

 0# __cxa_throw in /usr/lib64/icinga2/sbin/icinga2
 1# 0x00000000005C8902 in /usr/lib64/icinga2/sbin/icinga2
 2# icinga::JsonRpcConnection::HandleIncomingMessages(boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >) in /usr/lib64/icinga2/sbin/icinga2
 3# 0x0000000000864EA0 in /usr/lib64/icinga2/sbin/icinga2
 4# 0x00000000008A1932 in /usr/lib64/icinga2/sbin/icinga2
 5# make_fcontext in /lib64/libboost_context.so.1.75.0

We are not sure if we run into a bug, an configuration problem or that the CA Proxy do not work generally in multi domain setup. Since I know there are some Icinga2 customers out there running global setups, I am wondering if they run an own PKI or found a solution for such an environment.

Any help is appreciated!

Github Issue: https://github.com/Icinga/icinga2/issues/10024

  • Version used (icinga2 --version): r2.14.2-1
  • Operating System and version: Rocky Linux release 9.3 (Blue Onyx)
  • Enabled features (icinga2 feature list): api checker command debuglog icingadb mainlog notification

This looks like a bug to me.

Thank you Dominik,

so you would say that such setup with an auto CSR should work?
I didn find any examples online that desciped such an environment.

Thanks in advance

ASAIK, the Icinga PKI doesn’t care about domains at all.
I never uses a satellite for node setup with a ticket but if you get a stacktrace, then it’s a bug or at least a unhanded error case.

Hi @pbirokas ,
there is a misconception here, Icinga2 does not really care about your domain names, DNS names and so on. Names of zones and endpoints MUST match everywhere, because the Icinga2 instances identify themselves with that exact string ( as @rivad already said).

On the agent it should be:

"--parent_host" "am-icinga2-satellite.emea.com" \
"--parent_zone" "am-icinga2-satellite.america.com" \

if I understand the setup correctly.

Thank you Lorenz,

since the agend behind the satellite, he cannot resolve into emea.com.

The Satellite have 2 interfaces, one known in the emea domain, the other in the america domain.
Every agent inside the america domain will only be able to see the satellite as am-icinga2-satellite.america.com.

Hi @pbirokas
the problem here is (sorry for the emphasis, this is a misunderstanding I do encounter quite often) THIS IS NOT A DNS NAME!
The endpoint argument in the node setup command (not the parent_host one, that was an error on my side in the previous post) refers to the name of the Icinga 2 node there (take a look at /etc/icinga2/constants.conf and search for NodeName).
This is NOT necessarily the hostname of the machine or a DNS name.