ERROR importing ca certificate - x509 module

I’m trying to configure the x509 module on my ICINGA2 installation.
I followed the steps here:
Installing Icinga Certificate Monitoring - Icinga Certificate Monitoring

After the installation of the package on UBUNTU, I correctly created the DB on MySQL.
This is my scenario:

When I try to execute the configuration step:

icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt

I have this error:

ERROR: Icinga\Exception\ConfigurationError in /usr/share/php/Icinga/Data/ResourceFactory.php:49 with message: Cannot load resource config “x509”. Resource does not exist.

Now my ICINGA installation gives me an error even from the web UI:
From the UI of the module configuration I cannot see the “x509” DB:

Any idea?
THX

Did you set up the x509 DB in Icingaweb2 as a resource?

You are right!
The documentation is missing this part.
After I have added the DB, the import was fine.

Now I have another error trying the check command.
If I run this command (as user root):

icingacli x509 check host --ip 18.66.196.27

I receive the error:
UNKNOWN - Host not found

Even if I use both IP and host.

The same command running as the “icinga” user gives me:

ERROR: Cannot read enabled modules. Config directory “/etc/icingaweb2” is not readable

If I understand the module correctly, you can only check after a scan put the chain into the DB.

Under which user does the icinga-x509.service run?

The documentation is missing this part.

Maybe you could send in a patch?

The service is running under the “root” user.

The role of the scanning process is not clear to me.

Following this example:

Which kind of job do I have to schedule?

Well, the jobs trigger the scans of your network for certificates, the validate step figures out if the chain is valid or not, and the check will tell you if the chain on host, IP, port is valid.

There is an error in the x509 module help

The help (and most examples online) reports that the commands to run a certificate check are these:

icingacli x509 check host --ip 10.0.10.78
icingacli x509 check host --host mail.example.org
icingacli x509 check host --ip 10.0.10.78 --host mail.example.org --port 993

But in my case this does not work.
I have to use --hosts instead of --host.

I guess it just ignores --hosts and you have another error that keeps --host from working. My bet is on a missing SNI entry in the module config.
What’s the host in the chain if you search for the IP in /icingaweb2/x509/usage?

What is this?
(sorry for my question … but I’m starting right now to use this module)

SNI allows you to add host names to IP+port and multiple host names to the same IP+port.

This is needed because the webserver can serve different certificates if the browser requests a different website with a different domain or none at all (direct connection to IP+port).

https://icinga.com/docs/icinga-certificate-monitoring/latest/doc/03-Configuration/#server-name-indication
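
Added example, not part of the original thread and not Icinga code: a local reproduction of the SNI behaviour described in the last reply, showing that the same IP+port presents a different certificate depending on the host name sent. The port, host names and self-signed certificates are constructed for the demo, and it assumes an OpenSSL 1.1.1 or newer command-line tool.

```sh
# Added demo: one IP+port, two certificates, selected by the SNI name sent.
# Host names, port and certificates below are constructed for this example.
PORT=${PORT:-18443}          # assumed to be a free local port
VHOST=mail.example.org       # hypothetical virtual host name
DEFAULT=default.invalid      # hypothetical name on the fallback certificate

# Create a throwaway self-signed certificate whose subject CN is $1.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Print the CN of the certificate presented on 127.0.0.1:$PORT.
# $1 = host name to send via SNI; empty = connect by IP only, no SNI.
seen_cn() {
  if [ -n "$1" ]; then set -- -servername "$1"; else set -- -noservername; fi
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed -n 's/^subject=.*CN *= *//p'
}

# Start a local TLS server: fallback certificate plus a second one for $VHOST.
start_server() {
  WORK=$(mktemp -d) || return 1
  make_cert "$DEFAULT" && make_cert "$VHOST" || return 1
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/$DEFAULT.pem" -key "$WORK/$DEFAULT.key" \
    -servername "$VHOST" -cert2 "$WORK/$VHOST.pem" -key2 "$WORK/$VHOST.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!; tries=0
  while [ "$tries" -lt 10 ]; do          # wait until a handshake succeeds
    [ -n "$(seen_cn "")" ] && return 0
    tries=$((tries + 1)); sleep 1
  done
  return 1
}

stop_server() {
  kill "$SERVER_PID" 2>/dev/null || true
  wait "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}

# What a scanner sees for the same IP+port with and without a host name.
demo() {
  start_server || { echo "test server did not start" >&2; return 1; }
  echo "IP only : $(seen_cn "")"
  echo "with SNI: $(seen_cn "$VHOST")"
  stop_server
}
demo
```

A scan that connects by IP alone records only the fallback certificate, so a later lookup by host name has nothing to match until that name is associated with the IP+port.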