CURL ERROR: Failed to connect to Permission denied (RestApiClient.php:143)

Hello Gurus,

I can’t proceed with my Director kickstart.
I don’t know what is blocking it; port 5665 is enabled.
The username and password are the ones in api-users.conf.

[root@uphicinga11 ~]# ss -tnlp | grep 5665
LISTEN 0 128 [::]:5665 [::]:* users:(("icinga2",pid=4300,fd=18))

[root@uphicinga11 ~]# firewall-cmd --zone=work --list-all
target: default
icmp-block-inversion: no
services: dhcpv6-client ssh
ports: 5665/tcp 80/tcp
masquerade: no
rich rules:

Your assistance is very much appreciated.

Hello @molave26

Did you install the Director on the same machine as icinga2? Is SELinux enabled?

Hello ritzgu,

Thanks for your reply.
Yes, I installed it on the same machine.
Also, SELinux is enabled, see below:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

This is the result and I’m stuck here

  1. Do you see a connection attempt in icinga2.log?
  2. Did you try to connect via openssl s_client -connect localhost:5665?
  3. You may need to troubleshoot SELinux

Hi Mr. Roland,
Thanks for the reply

  1. [2022-03-01 09:45:04 +0800] information/ApiListener: New client connection for identity 'vmhostph. from [::ffff:10.x.x.x]:57572 (certificate validation failed: code 18: self signed certificate)
    [2022-03-01 09:45:04 +0800] warning/ApiListener: No data received on new API connection from [::ffff:10.x.x.x]:57572 for identity 'vmhostph. Ensure that the remote endpoints are properly configured in a cluster setup.

  2. [root@uphicinga11 icinga2]# openssl s_client -connect localhost:5665
    depth=1 CN = Icinga CA
    verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:/CN=uphicinga11
i:/CN=Icinga CA
1 s:/CN=Icinga CA
i:/CN=Icinga CA

I will check SELinux to see if I can find something.

You can connect, which means there is no error with SELinux.

This error indicates you have an error in your zone configuration as described e.g. here.
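
As an added example that is not part of the original thread: a small parser for the two ApiListener log lines quoted above, which lists the peers that failed certificate validation and then triggered the "No data received" warning. The sample identities and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the log format quoted in the thread (placeholder names/addresses).
SAMPLE_LOG = """\
[2022-03-01 09:45:04 +0800] information/ApiListener: New client connection for identity 'agent.example.test' from [::ffff:192.0.2.10]:57572 (certificate validation failed: code 18: self signed certificate)
[2022-03-01 09:45:04 +0800] warning/ApiListener: No data received on new API connection from [::ffff:192.0.2.10]:57572 for identity 'agent.example.test'. Ensure that the remote endpoints are properly configured in a cluster setup.
[2022-03-01 09:46:10 +0800] information/ApiListener: New client connection for identity 'satellite.example.test' from [::ffff:192.0.2.20]:40112
"""

# Closing quote after the identity is optional: redacted logs may have lost it.
CONN = re.compile(
    r"^\[(?P<ts>[^\]]+)\] information/ApiListener: New client connection "
    r"for identity '(?P<identity>[^']*)'? from \[(?P<addr>[^\]]+)\]:(?P<port>\d+)"
    r"(?: \(certificate validation failed: code (?P<code>\d+): (?P<reason>[^)]*)\))?"
)
NODATA = re.compile(
    r"warning/ApiListener: No data received on new API connection "
    r"from \[(?P<addr>[^\]]+)\]:(?P<port>\d+)"
)

def summarize(log_text):
    """Return one record per incoming connection, keyed by peer address and port."""
    conns = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CONN.match(line)
        if m:
            conns[(m["addr"], m["port"])] = {
                "time": m["ts"],
                "identity": m["identity"],
                "peer": f"[{m['addr']}]:{m['port']}",
                "cert_error": int(m["code"]) if m["code"] else None,
                "reason": m["reason"],
                "no_data": False,
            }
            continue
        m = NODATA.search(line)
        if m and (m["addr"], m["port"]) in conns:
            conns[(m["addr"], m["port"])]["no_data"] = True
    return list(conns.values())

def flagged(log_text):
    """Connections that failed certificate validation and then sent no data."""
    return [c for c in summarize(log_text)
            if c["cert_error"] is not None and c["no_data"]]

if __name__ == "__main__":
    for c in flagged(SAMPLE_LOG):
        print(c["time"], c["identity"], c["peer"], c["cert_error"], c["reason"])
```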