I think the/my whole misunderstanding is caused by the sentence above missing “after running icinga2 node setup without using the --parent_host argument”.
Using icinga2 node setup I have this working now. The following post was particularly useful: Node setup possible without connection from agent to master - Icinga 2 - Icinga Community
The Technical Concepts - Icinga 2 documentation should read:
Running icinga2 node setup without using the --parent_host argument will leave the node in a semi-configured state. I.e., you will need to manually copy the master's public CA key into /var/lib/icinga2/certs/ca.crt on the client before starting Icinga 2. After which the TLS communication can be established. To complete the certificate signing, the icinga2 ca list and icinga2 ca sign commands must be used on the Icinga CA server to complete the certificate signing process if no ticket was provided using the --ticket argument.
Could an insider take care of updating the documentation?
Plus, if someone can explain to me what is the equivalent icinga2 pki command generated by the icinga2 node setup command when run without --parent_host, I would be very grateful as it will help me better/fully understand the topic.
Thank you,
Jean
NB: Another, related, documentation topic needs an update: https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#node-setup: the --ticket parameter is not Required, it is Optional