Fix certificate not signed by our CA

Going through a distributed setup and somewhere along the way I’m getting the error below after I renamed the master and satellite zone names (I didn’t like them defaulting to the node’s FQDN).

What’s the easiest way to re-sign the satellite’s cert on the master node?

[2019-04-08 20:25:23 +0100] information/ApiListener: New client connection for identity 'myhost.mylocaldomain' to [172.24.33.10]:5665 (certificate )
[2019-04-08 20:25:23 +0100] information/ApiListener: Finished reconnecting to endpoint 'myhost.mylocaldomain' via host 'myhost.mylocaldomain'
[2019-04-08 20:25:23 +0100] information/JsonRpcConnection: Received certificate request for CN 'myhost.mylocaldomain' not signed by our CA.
[2019-04-08 20:25:23 +0100] warning/JsonRpcConnection: Ticket '8b6b82b0284c02e18a8115663e1474788da41529' for CN 'myhost.mylocaldomain' is invalid.

Hi,

which commands/CLI tools were used to generate the requests? The ticket here for CSR auto-signing is invalid; it needs to be newly generated for the new CNs.

Cheers,
Michael

Hi Michael, as far as I understand it they were done automagically by node setup wizard.

When I run through the wizard I get the following output and zone file. It seems strange to me that the site-a CN gets added to the endpoint definition without a matching ‘host’ entry. Also I’m a bit lost on how to configure the master zone, as if I specify the following in the master config, the service won’t start.

/*
 * Generated by Icinga 2 node setup commands
 * on 2019-04-08 18:10:20 +0100
 */

object Endpoint "mymaster.mydomain.local" {
        host = "mymaster.mydomain.local"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "mymaster.mydomain.local" ]
}

object Endpoint "site-a" {
        host = "siteahost.mydomain.local"
        port = "5665"
}

object Zone "site-a" {
        endpoints = [ "siteahost.mydomain.local" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

The satellite zone configuration.

/*
 * Generated by Icinga 2 node setup commands
 * on 2019-04-09 09:15:38 +0100
 */

object Endpoint "master" {
        host = "mymaster.mydomain.local"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "master" ]
}

object Endpoint "site-a" {
}

object Zone "site-a" {
        endpoints = [ "site-a" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

Zone wizard commands used on satellite

Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is a satellite/client setup ('n' installs a master setup) [Y/n]:

Starting the Client/Satellite setup routine...

Please specify the common name (CN) [wapmonslv001.productionservices.local]: site-a

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): master

Do you want to establish a connection to the parent node from this node? [Y/n]: Y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): mymaster.mydomain.local
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]:
Parent certificate information:

 Subject:     CN = mymaster.mydomain.local
 Issuer:      CN = Icinga CA
 Valid From:  Apr  8 13:48:25 2019 GMT
 Valid Until: Apr  4 13:48:25 2034 GMT
 Fingerprint: BA 5A 5A CF 8D 2E 59 D9 5E 74 BF EE 32 69 3C C7 81 E6 9A 22

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'site-a'): 43eab49b5098a2b3ebe10bca2ea4bf78aaf1d786
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga...

Local zone name [site-a]:
Parent zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:
critical/cli: chown() failed with error code 2, "No such file or directory"

Do you want to disable the inclusion of the conf.d directory [Y/n]:
Disabling the inclusion of the conf.d directory...

Done.

Now restart your Icinga 2 daemon to finish the installation!

The node wizard asks you for a ticket, which you need to pre-generate on the master for this specific CN/FQDN. Since you’ve changed that, the ticket, as a unique secret, also requires a change and needs to be regenerated and inserted into the node wizard command again.

To me, it seems that you’ve just copy-pasted the old ticket for the old FQDN.

Cheers,
Michael

Hi Michael, thanks again - I didn’t copy/paste the ticket from the old ID, I ran the command (’’) again and copied the new ID.

I think I’ve resolved it - the below didn’t look right on the master

object Endpoint "site-a" {
    host = "siteahost.mydomain.local"
    port = "5665"
}

object Zone "site-a" {
        endpoints = [ "siteahost.mydomain.local" ]
        parent = "master"
}

I modified it to

object Endpoint "site-a" {
        host = "siteahost.mydomain.local"
        port = "5665"
}

object Zone "site-a" {
        endpoints = [ "site-a" ]
        parent = "master"
}

And now I’m able to start the service correctly but I don’t seem to be getting configuration pushed down.

[2019-04-09 09:50:12 +0100] information/FileLogger: 'main-log' started.
[2019-04-09 09:50:12 +0100] information/ApiListener: 'api' started.
[2019-04-09 09:50:12 +0100] information/ApiListener: Copying 1 zone configuration files for zone 'site-a' to '/var/lib/icinga2/api/zones/site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones/site-a' (0 Bytes). Received timestamp '2019-04-09 09:50:12 +010.
[2019-04-09 09:50:12 +0100] information/ApiListener: Copying 1 zone configuration files for zone 'global-templates' to '/var/lib/icinga2/api/zones/global-templates'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones/global-templates' (0 Bytes). Received timestamp '2019-04-09 09:5.
[2019-04-09 09:50:12 +0100] information/ApiListener: Started new listener on '[0.0.0.0]:5665'
[2019-04-09 09:50:12 +0100] information/NotificationComponent: 'notification' started.
[2019-04-09 09:50:12 +0100] information/CheckerComponent: 'checker' started.
[2019-04-09 09:50:12 +0100] information/DbConnection: 'ido-mysql' started.
[2019-04-09 09:50:12 +0100] information/ConfigItem: Activated all objects.
[2019-04-09 09:50:12 +0100] information/cli: Closing console log.
[2019-04-09 09:50:12 +0100] information/DbConnection: Resuming IDO connection: ido-mysql
[2019-04-09 09:50:12 +0100] information/IdoMysqlConnection: 'ido-mysql' resumed.
[2019-04-09 09:50:12 +0100] information/ApiListener: Reconnecting to endpoint 'site-a' via host 'siteahost.mydomain.local' and port '5665'
[2019-04-09 09:50:12 +0100] information/IdoMysqlConnection: MySQL IDO instance id: 1 (schema version: '1.14.3')
[2019-04-09 09:50:12 +0100] information/IdoMysqlConnection: Finished reconnecting to MySQL IDO database in 0.0390959 second(s).
[2019-04-09 09:50:12 +0100] information/ApiListener: New client connection for identity 'site-a' to [172.18.244.10]:5665
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished reconnecting to endpoint 'site-a' via host 'siteahost.mydomain.local' and port '5665'
[2019-04-09 09:50:12 +0100] information/ApiListener: Sending config updates for endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Syncing configuration files for zone 'site-a' to endpoint 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished sending config file updates for endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Syncing runtime objects to endpoint 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished syncing runtime objects to endpoint 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished sending runtime config updates for endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Sending replay log for endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished sending replay log for endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: Finished syncing endpoint 'site-a' in zone 'site-a'.
[2019-04-09 09:50:12 +0100] information/ApiListener: New client connection for identity 'site-a' from [192.168.2.1]:44056
[2019-04-09 09:50:12 +0100] warning/ApiListener: No data received on new API connection for identity 'site-a'. Ensure that the remote endpoints are properly configured in a cluster setup.
Context:
        (0) Handling new API client connection

[2019-04-09 09:50:21 +0100] information/WorkQueue: #6 (ApiListener, SyncQueue) items: 0, rate: 0.0166667/s (1/min 1/5min 1/15min);
[2019-04-09 09:50:21 +0100] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 0, rate: 0.366667/s (22/min 22/5min 22/15min);
[2019-04-09 09:50:21 +0100] information/WorkQueue: #5 (ApiListener, RelayQueue) items: 0, rate: 0.266667/s (16/min 16/5min 16/15min);
[2019-04-09 09:50:22 +0100] information/WorkQueue: #10 (JsonRpcConnection, #0) items: 0, rate:  0/s (0/min 0/5min 0/15min);
[2019-04-09 09:50:22 +0100] information/WorkQueue: #13 (JsonRpcConnection, #3) items: 0, rate:  0/s (0/min 0/5min 0/15min);
[2019-04-09 09:50:22 +0100] information/WorkQueue: #11 (JsonRpcConnection, #1) items: 0, rate:  0/s (0/min 0/5min 0/15min);
[2019-04-09 09:50:22 +0100] information/WorkQueue: #12 (JsonRpcConnection, #2) items: 0, rate:  0/s (0/min 0/5min 0/15min);
[2019-04-09 09:50:22 +0100] information/ApiListener: New client connection for identity 'site-a' from [172.18.244.10]:44058
[2019-04-09 09:50:22 +0100] warning/ApiListener: No data received on new API connection for identity 'site-a'. Ensure that the remote endpoints are properly configured in a cluster setup.
Context:
        (0) Handling new API client connection
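The mismatch that kept the master from starting (a Zone whose endpoints list names "siteahost.mydomain.local" while the Endpoint object is called "site-a") is easy to spot mechanically. The following is an added example, not code from the thread or from the Icinga project: a small POSIX shell/awk lint that reports every Zone in a zones.conf whose "endpoints" entry names something that is not defined as an Endpoint object in the same file. The function names are my own, and the sample file it writes is constructed from the before/after snippets posted above.

```shell
#!/bin/sh
# Added example (not from the thread or the Icinga project): lint a zones.conf
# for Zone "endpoints" entries that do not name an Endpoint object.

# Usage: lint_zones /etc/icinga2/zones.conf
# Prints one line per dangling reference; exit status 1 if any were found.
lint_zones() {
    awk '
        # First double-quoted token on the line, without the quotes.
        function quoted(s) { match(s, /"[^"]*"/); return substr(s, RSTART + 1, RLENGTH - 2) }
        /^[ \t]*object[ \t]+Endpoint[ \t]+"/ { ep[quoted($0)] = 1 }
        /^[ \t]*object[ \t]+Zone[ \t]+"/     { zone = quoted($0) }
        /^[ \t]*endpoints[ \t]*=/ {
            list = $0; sub(/.*\[/, "", list); sub(/\].*/, "", list)
            n = split(list, names, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", names[i])
                if (names[i] != "") want[zone, names[i]] = 1
            }
        }
        END {
            bad = 0
            for (k in want) {
                split(k, kv, SUBSEP)
                if (!(kv[2] in ep)) {
                    printf "Zone \"%s\" references undefined Endpoint \"%s\"\n", kv[1], kv[2]
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample: the master-side snippet from the thread. $2 is the name
# placed in the site-a Zone, so the broken and the fixed variant can both be built.
write_sample() {
    cat > "$1" <<EOF
object Endpoint "mymaster.mydomain.local" {
        host = "mymaster.mydomain.local"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "mymaster.mydomain.local" ]
}

object Endpoint "site-a" {
        host = "siteahost.mydomain.local"
        port = "5665"
}

object Zone "site-a" {
        endpoints = [ "$2" ]
        parent = "master"
}
EOF
}

demo() {
    f=$(mktemp)
    write_sample "$f" siteahost.mydomain.local        # the version that would not start
    lint_zones "$f" || echo '-> fix: endpoints = [ "site-a" ]'
    write_sample "$f" site-a                          # the corrected version
    lint_zones "$f" && echo "zones.conf OK"
    rm -f "$f"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh lint-zones.sh demo` to see both outcomes, or point `lint_zones` at a real zones.conf. It only checks the one rule that bit here (Zone endpoints must be Endpoint object names, not hostnames); the daemon's own config validation is still the authority on everything else.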

What does the client’s zones.conf look like? Does it accept configuration (setting in api.conf)?

From the “site-a” system:

/**
 * The API listener is used for distributed monitoring setups.
 */
object ApiListener "api" {
  accept_config = true
  accept_commands = true
}

I was really looking for a procedure to recreate the certificate chain (CA/certificates) for the master and satellite hosts, as I think they got out of whack somehow. ‘node wizard’ doesn’t seem to correctly generate zones.conf files and requires editing to add ‘host =’ entries on the endpoint as above.

I eventually did the following

  • stop the icinga2 service on master and satellite
  • remove the CA from the master (at /var/lib/icinga2/ca)
  • ran ‘api setup’ on the master
  • remove all previous certs for the master (at /var/lib/icinga2/certs)
  • on the satellite, removed previous certs (at /var/lib/icinga2/certs)
  • ran the ‘node wizard’ on the master
  • ran the ‘node wizard’ on the slave and, when prompted, generated the ticket.
  • on the master ran ‘ca sign’

After doing this I now get the service to start on both nodes but I do see an error:
[2019-04-09 11:37:28 +0100] information/ApiListener: New client connection for identity 'site-a' to [192.168.2.1]:5665 (certificate validation failed: code 7: certificate signature failu)
[2019-04-09 11:37:28 +0100] information/ApiListener: Finished reconnecting to endpoint 'site-a' via host 'siteahost.mydomain.local' and port '5665'

It’s then immediately followed by a message saying a certificate is valid.
[2019-04-09 11:37:28 +0100] information/JsonRpcConnection: Received certificate request for CN 'site-a' signed by our CA.
[2019-04-09 11:37:28 +0100] information/JsonRpcConnection: The certificate for CN 'site-a' is valid and uptodate. Skipping automated renewal.

I still don’t get zone files making it to the satellite server though.
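After a CA rebuild like the one listed above, the question "is this node's certificate signed by the CA the master uses now?" can be answered with plain OpenSSL instead of reading ApiListener log lines. The following is an added example, not code from the thread or the Icinga project. It defines small check functions (my own names: cert_summary, cert_cn, signed_by_ca) and a demo that builds a throw-away CA plus a second, stale CA with the same "Icinga CA" name in a temporary directory (constructed data), so it runs without an Icinga installation. The /var/lib/icinga2 paths in the comments are the defaults named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Icinga 2): check that a node
# certificate verifies against the CA the master currently uses, and reproduce
# the "certificate validation failed" case with a recreated CA of the same name.

# Subject, issuer and SHA1 fingerprint: the fields the node wizard prints as
# "Parent certificate information". Comparing the fingerprint of the master's
# /var/lib/icinga2/ca/ca.crt with the ca.crt copy kept beside each node's own
# certs shows whether a node still trusts the old CA after a rebuild.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha1
}

# Common name only; RFC2253 output avoids the version-dependent "CN = x" spacing.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

# Exit status 0 if the certificate in $2 verifies against the CA in $1.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Throw-away CA: $1 = dir, $2 = file basename, $3 = CA common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" 2>/dev/null
}

# CSR for CN $3, signed with the CA files $1/$2.{crt,key} (what "ca sign" does
# on the master, reduced to plain OpenSSL).
make_signed_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -days 30 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# The situation from the thread: the CA was recreated (same "Icinga CA" name,
# new key), so a certificate issued by the old CA no longer verifies even
# though its issuer name still looks right.
demo() {
    dir=$(mktemp -d)
    make_ca "$dir" ca    "Icinga CA"
    make_ca "$dir" oldca "Icinga CA"
    make_signed_cert "$dir" ca    site-a
    make_signed_cert "$dir" oldca site-a-stale

    for f in ca site-a site-a-stale; do
        echo "== $f.crt"; cert_summary "$dir/$f.crt"
    done
    for f in site-a site-a-stale; do
        if signed_by_ca "$dir/ca.crt" "$dir/$f.crt"; then
            echo "$f.crt: signed by our CA"
        else
            echo "$f.crt: NOT signed by our CA:"
            openssl verify -CAfile "$dir/ca.crt" "$dir/$f.crt" 2>&1 | sed 's/^/    /'
        fi
    done
    rm -rf "$dir"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check-certs.sh demo` for the constructed case; against a real setup, `signed_by_ca /var/lib/icinga2/ca/ca.crt /var/lib/icinga2/certs/<cn>.crt` on the master, and `cert_summary` on the master CA and on the ca.crt each node holds, tell you which side still carries material from before the rebuild.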

Sorry I realised you requested the satellite zones.conf file - here it is

/*
 * Generated by Icinga 2 node setup commands
 * on 2019-04-09 10:58:02 +0100
 */

object Endpoint "master" {
        host = "mymaster.mydomain.local"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "master" ]
}

object Endpoint "site-a" {
}

object Zone "site-a" {
        endpoints = [ "site-a" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}