Failed to fetch signed certificate from parent Icinga node

Hello,

I am seeing strange behavior when I try to reconfigure an agent to talk to a satellite instead of the actual master.
Randomly, when I run the icinga node setup command, I get this message:

information/cli: Requesting certificate without a ticket.
information/cli: Verifying parent host connection information: host ‘satellite_fqdn’, port ‘5665’.
information/cli: Using the following CN (defaults to FQDN): ‘agent_fqdn’.
information/cli: Backup file ‘/var/lib/icinga2/certs//agent_fqdn.key.orig’ already exists. Skipping backup.
information/cli: Backup file ‘/var/lib/icinga2/certs//agent_fqdn.crt.orig’ already exists. Skipping backup.
information/base: Writing private key to ‘/var/lib/icinga2/certs//agent_fqdn.key’.
information/base: Writing X509 certificate to ‘/var/lib/icinga2/certs//agent_fqdn.crt’.
information/cli: Verifying trusted certificate file ‘/var/lib/icinga2/certs/master.crt’.
information/cli: Requesting a signed certificate from the parent Icinga node.
critical/cli: Peer certificate does not match trusted certificate.
critical/cli: Failed to fetch signed certificate from parent Icinga node ‘satellite_fqdn, 5665’.
Please try again.

At this moment there is no network problem; if I listen on the satellite’s network interface I can see the incoming TCP packets on port 5665.
If I relaunch the command, sometimes it passes, sometimes I get the same error…

Another random issue: when the node setup is OK, sometimes I don’t have the signing request on the master/satellite… and other times I do.

Do you have any idea why this behavior happens?

Thanks in advance

Has no one experienced the same behavior? :roll_eyes:

I’m replying to myself.
After some research I was able to see an error in the master debug log:

Error while reading JSON-RPC message for identity

This can explain why sometimes it works and other times it doesn’t.

So my next question is: do you know which port range is used by Icinga for RPC calls?

Thanks

I listened on my network between the agent and the satellite and I don’t see anything other than TCP 5665… Not sure it’s a network problem.
One other strange thing: when I make an API call on the master to get a ticket, sometimes it works, and other times it fails with an “Unauthorized” error… I use the same credentials every time, of course…
If someone has an idea…?