ERROR importing ca certificate - x509 module

I’m trying toconfigure x509 module on my ICINGA2 installation.
I followed the steps here:
Installing Icinga Certificate Monitoring - Icinga Certificate Monitoring

After the installation of package on UBUNTU, I correctly create the DM on MySQL.
This is my Scenario:

When I try to execute the configuration step:

icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt

I have this error:

ERROR: Icinga\Exception\ConfigurationError in /usr/share/php/Icinga/Data/ResourceFactory.php:49 with message: Cannot load resource config “x509”. Resource does not exist.

Now My ICINGA Installation give me error even from WEB UI:
From UI of module configuration I cannot see the “x509” DB:

Any Idea ?

Did you setup the x509 DB in Icingaweb2 as a resource?

You are right!
The documentation is missing this part.
After I have added the DB, the import was fine.

Now I have another error trying the check command.
If I run this command (as user root):

icingacli x509 check host --ip

I receive the error :
UNKNOWN - Host not found

Even Is I use both ip and host.

The same command running as “iconga” user give me:

ERROR: Cannot read enabled modules. Config directory “/etc/icingaweb2” is not readable

If I understand the module correctly, you can only check after a scan put the chain into the DB.

Under which user does the icinga-x509.service run?

The documentation is missing this part.

Maybe you could send in a patch?

The service is running under “root” user.

Is not clear to me the role of scanning process.

Following this example:

Which kond of JOB I have to schedule ?

Well the jobs trigger the scans of your network for certificates, the validate step figures out if the chain is valid or not and the check will tell you if the chain on host,ip,port is valid.

There is an error into the x509 module help

The help (and most examples online) reports that the command to run a certificate check is these:

icingacli x509 check host --ip
icingacli x509 check host --host
icingacli x509 check host --ip --host --port 993

But, in my case this way do not work.
I have to use --hosts instead of --host

I guess it just ignores --hosts and you have an other error that keeps --host from working. My bet is on missing SNI entry in the module config.
What’s the host in the chain if you search for the IP in /icingaweb2/x509/usage?

What is thiS?
(sorry for my question … but I’m starting right now to use this module)

SNI allows you to add host names to IP+port and multiple host names to the same IP+port.

This is needed because the webserver can serve different certificates if the browser requests a different website with a different domain or none at all (direct connection to IP+port).