Error on bio X509 AUX reading pem file

Hello, we are running Icinga version r2.6.0-1. We will update eventually, but for now this is what we are using. The Icinga infrastructure is already set up and we have a master node and a bunch of satellite/agent nodes. I am trying to add a new satellite to our infrastructure, but it looks like the .crt file is corrupted. I was able to get through the node wizard, but when I restart the Icinga service I get errors as follows:
Error on bio X509 AUX reading pem file '/etc/pki/"hostname".crt'
Error: Cannot get certificate from cert path: '/etc/pki/"hostname".crt'

I ran the command 'openssl x509 -in /etc/icinga2/pki/"hostname".crt -noout -text | grep -iE 'issuer|subject'' and it returned 'unable to load certificate'. So I know what my issue is, and I know I have to go to the master to generate a new .crt file. I believe the command would be 'icinga2 pki new-cert'. My question is: would this affect our previously set up Icinga infrastructure? This is my first time really working with Icinga and I don't want to run a command on the master that messes up our already set up Icinga. Also, what exactly would be the syntax of the command I run on the master, and how do I copy it over to the satellite? Thank you in advance for any help you can provide.

Hello @hza2331!

No, this should not affect the whole setup.


Hello,
Thank you for your response. So the syntax on the master would be: pki new-cert --cn "mynodename"
After I do this on the master, what command do I run on the client to get this new .crt file?

If your certificate is for another machine than the one you've generated it on, you have to copy it (and the key) manually, e.g. with scp.

OK, I understand. Just one last question, if you don't mind. When running 'icinga2 pki new-cert --cn "nodename"', for nodename do I put my master's node name or the node name of the machine we are generating the certificate for? I know when choosing --key and --cert we will use the node name of the machine we are generating the new cert for.

The node name for the machine we are generating the certificate for.

So I ran the first command and was able to successfully create the key file, but when running the second command 'icinga2 pki sign-csr --csr nodename.csr --cert nodename.crt' it gave an error: 'SSL: Could not open CA key file '/var/lib/icinga2/ca/ca.key': 33558530, "error:02001002:system library:fopen:No such file or directory"'.
The /var/lib/icinga2/ca directory does exist, but it only contains a ca.crt file. Do I have to create this ca.key file? Which command would I run to do so?

On which node are you running the command?

I ran them on a virtual machine I have for testing purposes, just as a test run, and it gave an error that there is no ca.key in the /var/lib/icinga2/ca directory. I checked the master node's directory and there is no .key file in that directory either, so I assumed I would get this error when I run it on the master. Or will I not get this issue when I run the commands on the master? The master doesn't have any .key file in /etc/icinga2/pki or /var/lib/icinga2/ca.

Yes, I think so. Do you have >1 master?

No, just one master as far as I know. The setup was done before my time. Is there any way to check the overall infrastructure setup?

I ended up running the commands on the master and got the same error. It's looking for a ca.key that for some reason isn't anywhere on my master node. My client node does have a ca.key, though. These are created during 'icinga2 node wizard', I assume? So is the only way to generate this file using node wizard on the master? I feel like this might affect the already set up Icinga infrastructure.

Does the ca.key match the ca.crt on the master?
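The two checks behind that question (does a PEM file load as a certificate at all, and does a private key belong to a certificate), as an added example that is not part of this thread or of Icinga itself. It uses only the openssl CLI and builds a constructed throwaway CA in a temporary directory; the real paths it stands in for are /var/lib/icinga2/ca/ca.crt and ca.key on the master and /etc/icinga2/pki/<fqdn>.crt and .key on a node. The function names, the temp directory and the sample files are assumptions of this example.

```shell
# Added example, not from the thread: check that a PEM certificate loads and
# check whether a private key belongs to a certificate, using the openssl CLI.
# All files below are constructed throwaway material in a temp directory; on
# a real Icinga 2 master the paths of interest are /var/lib/icinga2/ca/ca.crt
# and /var/lib/icinga2/ca/ca.key, on a node /etc/icinga2/pki/<fqdn>.crt/.key.
set -u

# Does openssl accept the file as an X.509 certificate at all? When this
# fails, Icinga reports "Error on bio X509 AUX reading pem file" for the path.
cert_loads() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Returns 0 only when the private key in $1 is the key pair behind the
# certificate in $2: both are reduced to their public key in PEM form and the
# two texts must be identical. A key that does not parse is reported as a
# mismatch rather than an error, so a garbage ca.key answers cleanly too.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# --- constructed test material (assumed names, not real Icinga files) -------
DEMO_DIR=$(mktemp -d)

# A throwaway CA: private key plus self-signed certificate in one step.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-icinga-ca" -days 1 \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" >/dev/null 2>&1

# An unrelated key: stands in for a ca.key that does not belong to ca.crt.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/other.key" >/dev/null 2>&1

# A truncated copy: stands in for the corrupted satellite .crt in the thread.
head -c 200 "$DEMO_DIR/ca.crt" > "$DEMO_DIR/broken.crt"

# --- run the checks ---------------------------------------------------------
for crt in ca.crt broken.crt; do
    if cert_loads "$DEMO_DIR/$crt"; then
        echo "$crt: loads as X.509"
    else
        echo "$crt: unable to load certificate"
    fi
done

for key in ca.key other.key; do
    if key_matches_cert "$DEMO_DIR/$key" "$DEMO_DIR/ca.crt"; then
        echo "$key matches ca.crt"
    else
        echo "$key does NOT match ca.crt"
    fi
done
```

On the master, key_matches_cert /var/lib/icinga2/ca/ca.key /var/lib/icinga2/ca/ca.crt is the test for the question above; a "no" there before any sign-csr attempt avoids the "Could not open CA key file" detour. For a satellite certificate generated on the master, run cert_loads on the .crt before copying it with scp and again on the satellite after the copy, which catches the truncated or re-encoded file that produced the original error.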

No, they do not match. I believe the ca.key has been lost. We will have to generate a new CA and re-sign the certificates for each of the nodes. Thank you for all your help.