Get certificate from core behind firewall

Hello,
We have some locations that are behind the firewall where it is difficult to open ports to each monitored host.
I have created a Zone in that location with an endpoint. Between the core and the endpoint icmp and 5665 are opened.
When I add a new host from that Zone it’s still trying to get the certificate from Core:

Fatal: Exception calling "generateCertificates" with "0" argument(s): "information/cli: Retrieving X.509 certificate for 'icingacore1v***:5665'.
critical/TcpSocket: Invalid socket: 10060, "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
critical/pki: Cannot connect to host 'icingacore1v**' on port '5665'
critical/cli: Failed to fetch certificate from host.
######## The script encountered several errors during run ########
Fatal: Exception calling "generateCertificates" with "0" argument(s): "information/cli: Retrieving X.509 certificate for 'icingacore1v***:5665'.
critical/TcpSocket: Invalid socket: 10060, "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
critical/pki: Cannot connect to host 'icingacore1v**' on port '5665'
critical/cli: Failed to fetch certificate from host.

Is there any way to avoid this?

Thanks,
Adrian

Hi,

can you share the exact CLI command including the parameters? Also, which version of Icinga is involved on the satellite/agent?

You’ll need the connection-less approach with copying the ca.crt after the setup completes.

Cheers,
Michael

Hi Michael,

Sorry for my late reply!
I have a host template for Windows with Self Service API. Looks like this:

On the host I have copied a ps1 script that contains:

exit Icinga2AgentModule `
    -DirectorUrl         'https://icinga.****/icingaweb2/director/' `
    -DirectorAuthToken   '***************************' `
    -DownloadUrl         '\\***com\***\***\icinga2\' `
    -InstallAgentVersion '2.10.5' `
    -IgnoreSSLErrors `
    -RunInstaller

Even if I copy the ca.crt how will I get the hostname.crt/key?

Regards,
Adrian

Hi Adrian,

I’m afraid that Michael is not active in the forum anymore :slight_smile:
I hope someone else here can help you instead, it might be worth a shot posting all of the current info about your setup again, as I assume some things, like which versions you are using and such, have changed in the past half year :slight_smile:

Have a nice week,
Feu

Hi Feu,

I am using icinga 2.11.4-1 and have some hosts behind a firewall. I am planning to use host templates with self service API.
My host template looks like this:


When I execute the ps script I get:

In the powershell script I have at the end added this:

exit Icinga2AgentModule `
    -DirectorUrl         'https://icinga.*******/icingaweb2/director/' `
    -DirectorAuthToken   '-----------7bc' `
    -DownloadUrl         '\\***\icinga2\' `
    -InstallAgentVersion '2.11.4' `
    -IgnoreSSLErrors `
    -RunInstaller

How can I bypass this? I don’t want to connect the host to the master. All communication should be done with the satellite.

Thanks,
Adrian

Check out CAProxy. BTW: This module is deprecated.
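Added example, not code from this thread or from the Icinga project: a manual, connection-less agent setup on the Windows host that uses the satellite as the CA proxy mentioned above, so the agent only ever opens 5665 towards the satellite and the satellite forwards the signing request to the master. The install path, certificate directory, hostnames, zone names and the ticket value are assumptions or placeholders.

```powershell
# Assumed Windows paths of the Icinga 2 agent (adjust to your installation).
$Icinga2 = 'C:\Program Files\ICINGA2\sbin\icinga2.exe'
$CertDir = 'C:\ProgramData\icinga2\var\lib\icinga2\certs'

# Placeholders: the satellite endpoint reachable from this host, its zone,
# and a ticket generated on the master with: icinga2 pki ticket --cn <agent fqdn>
$Satellite = 'satellite1.example.com'
$SatZone   = 'remote-site'
$Ticket    = '<TICKET-FROM-MASTER>'

# The agent's CN must match the endpoint/zone name the satellite expects.
$AgentName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

New-Item -ItemType Directory -Force -Path $CertDir | Out-Null
$Trusted = Join-Path $CertDir 'trusted-parent.crt'

# 1) Fetch the satellite's certificate (agent -> satellite:5665 only; no path to the core needed).
& $Icinga2 pki save-cert --trustedcert $Trusted --host $Satellite --port 5665
if ($LASTEXITCODE -ne 0) { throw "Could not fetch the satellite certificate from $Satellite" }

# Compare this thumbprint out of band with the one on the satellite before continuing,
# so a host in the remote network cannot impersonate the parent.
$Parent = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Trusted
Write-Host "Trusted parent: $($Parent.Subject) thumbprint $($Parent.Thumbprint)"

# 2) Node setup with the satellite as parent. With a valid ticket the satellite
#    forwards the CSR to the master (CA proxy, Icinga >= 2.8) and returns the signed
#    certificate plus ca.crt over the same connection. Without --ticket the request
#    stays pending until it is approved with 'icinga2 ca sign' on the master.
& $Icinga2 node setup `
    --cn $AgentName `
    --zone $AgentName `
    --endpoint "$Satellite,$Satellite,5665" `
    --parent_zone $SatZone `
    --parent_host $Satellite `
    --trustedcert $Trusted `
    --ticket $Ticket `
    --accept-commands --accept-config --disable-confd
if ($LASTEXITCODE -ne 0) { throw 'icinga2 node setup failed' }

# 3) Confirm the signed agent certificate and the CA certificate arrived, then restart.
foreach ($f in @("$AgentName.crt", "$AgentName.key", 'ca.crt')) {
    if (-not (Test-Path (Join-Path $CertDir $f))) { throw "Missing $f in $CertDir" }
}
Restart-Service icinga2
```

If the ticket is omitted, the files in step 3 only appear after the request has been signed on the master and the agent has reconnected to the satellite.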