Hello, we are running Icinga version r2.6.0-1. We will update eventually, but for now this is what we are using. The Icinga infrastructure is already set up and we have a master node and a bunch of satellite/agent nodes. I am trying to add a new satellite to our infrastructure, but it looks like the .crt file is corrupted. I was able to get through the node wizard, but when I restart the icinga service I get errors as follows:
Error on bio X509 AUX reading pem file '/etc/pki/“hostname”.crt
Error: Cannot get certificate from cert path: '/etc/pki/“hostname”.crt
I ran the command 'openssl x509 -in /etc/icinga2/pki/"hostname".crt -noout -text | grep -i 'issuer|subject'' and it returned 'unable to load certificate'. So I know what my issue is, and I know I have to go to the master to generate a new .crt file. I believe the command would be icinga2 pki new-cert. My question is: would this affect our previously set up Icinga infrastructure? This is my first time really working with Icinga and I don't want to run a command on the master that messes up our already set up Icinga. Also, what exactly would be the syntax of the command I run on the master, and how do I copy it over to the satellite? Thank you in advance for any help you can provide.
Hello,
Thank you for your response. So the syntax on the master would be: pki new-cert --cn "mynodename"
After I do this on the master, what command do I run on the client to get this new .crt file?
Ok, I understand. Just one last question if you don't mind. When running icinga2 pki new-cert --cn "nodename", for nodename do I put my master's node name or the node name of the machine we are generating the certificate for? I know when choosing the --key and --cert we will use the nodename of the machine we are generating the new cert for.
So I ran the first command and was able to successfully create the key file, but when running the second command 'icinga2 pki sign-csr --csr nodename.csr --cert nodename.crt' it gave an error: 'SSL: Could not open CA key file '/var/lib/icinga2/ca/ca.key': 33558530, "error:02001002:system library:fopen:No such file or directory'.
The /var/lib/icinga2/ca directory does exist, but it only contains a ca.crt file. Do I have to create this ca.key file? Which command would I run to do so?
I ran them on a virtual machine I have for testing purposes, just as a test run, and it gave an error that there is no ca.key in the /var/lib/icinga2/ca directory. I checked the master node's directory and there is no .key file in that directory either, so I assumed I would get this error when I run it on the master. Or will I not get this issue when I run the commands on the master? The master doesn't have any .key file in /etc/icinga2/pki or /var/lib/icinga2/ca.
I ended up running the commands on the master and got the same error. It's looking for a ca.key that for some reason isn't anywhere on my master node. My client node does have a ca.key though. These are created during icinga2 node wizard, I assume? So is the only way to generate this file using node wizard on the master? I feel like this might affect the already set up Icinga infrastructure.
No, they do not match. I believe the ca.key has been lost. We will have to generate a new CA and re-sign each certificate for the nodes. Thank you for all your help.
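The two checks that this thread ended up doing by hand, as an added example that is not part of the original posts: whether a .crt file actually parses as a PEM certificate (the openssl x509 test from the first post; note that grep needs -E for 'issuer|subject' to act as an alternation) and whether a ca.key really belongs to the ca.crt next to it (the mismatch found in the last post). It assumes openssl is installed; the CA directory defaults to /var/lib/icinga2/ca as named in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not Icinga's own tooling: sanity checks for the PEM files
# Icinga 2 reads. Assumes the openssl CLI is available.

# Returns 0 if FILE is a parseable PEM X.509 certificate, non-zero otherwise.
# This is what fails with "unable to load certificate" on a corrupted .crt.
pem_cert_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Prints the issuer and subject of a certificate, the fields the first post
# was grepping for.
cert_identity() {
    openssl x509 -in "$1" -noout -issuer -subject
}

# Returns 0 if the private key in KEYFILE belongs to the certificate in
# CERTFILE. Both are reduced to their SubjectPublicKeyInfo PEM and compared;
# any difference means this key cannot sign CSRs as that CA.
key_matches_cert() {
    key="$1"; cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || return 2
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Checks an Icinga 2 CA directory (default /var/lib/icinga2/ca, per the thread)
# for the three failure modes seen above: missing ca.key, unreadable ca.crt,
# and a ca.key that does not match ca.crt.
check_icinga_ca() {
    dir="${1:-/var/lib/icinga2/ca}"
    if [ ! -f "$dir/ca.key" ]; then
        echo "ca.key missing in $dir: 'pki sign-csr' will fail" >&2
        return 1
    fi
    if ! pem_cert_ok "$dir/ca.crt"; then
        echo "ca.crt in $dir is not a readable PEM certificate" >&2
        return 1
    fi
    if ! key_matches_cert "$dir/ca.key" "$dir/ca.crt"; then
        echo "ca.key does not match ca.crt in $dir: the CA key has been replaced or lost" >&2
        return 1
    fi
    echo "CA key and certificate in $dir are consistent"
}
```

Running check_icinga_ca on the master before touching any node would have reported the missing ca.key immediately, and key_matches_cert is the test that settles whether a ca.key found elsewhere (for example on a client) is the one that signed the existing node certificates.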