Icinga Agent Issue

golaat · March 2, 2025, 2:37am

I was able to successfult install an agent on a windows host. However, when I attempt to run a check command (disk-windows) using the agent, I get the following output:

Remote Icinga instance 'yoda.unknownrealm.org' is not connected to 'tatooine.unknownrealm.org'

My host config looks like this:

In the eventlog on the the client (yoda) I see may, many Icinga2 errors as follows:

warning/ApiListener: Removing API client for endpoint 'tatooine.unknownrealm.org'. 0 API clients left.
warning/JsonRpcConnection: API client disconnected for identity 'tatooine.unknownrealm.org'
warning/ApiListener: Removing API client for endpoint 'tatooine.unknownrealm.org'. 0 API clients left.
warning/JsonRpcConnection: API client disconnected for identity 'tatooine.unknownrealm.org'

on the Icinga2 host I see the following in the log file:

[2025-03-01 21:36:26 -0500] warning/JsonRpcConnection: API client disconnected for identity 'yoda.unknownrealm.org'
[2025-03-01 21:36:26 -0500] warning/ApiListener: Certificate validation failed for endpoint 'yoda.unknownrealm.org': code 18: self signed certificate
[2025-03-01 21:36:26 -0500] information/ApiListener: New client connection for identity 'yoda.unknownrealm.org' to [192.168.0.2]:5665 (certificate validation failed: code 18: self signed certificate)
[2025-03-01 21:36:26 -0500] information/ApiListener: Finished reconnecting to endpoint 'yoda.unknownrealm.org' via host '192.168.0.2' and port '5665'
[2025-03-01 21:36:26 -0500] information/JsonRpcConnection: Received certificate request for CN 'yoda.unknownrealm.org' which couldn't be verified: self signed certificate (code 18)
[2025-03-01 21:36:26 -0500] information/JsonRpcConnection: Certificate request for CN 'yoda.unknownrealm.org' is pending. Waiting for approval.

how can i fix this?

moreamazingnick · March 2, 2025, 10:30am

you installation was not successful. Your Agent certificate is not signed by your icinga main node ca.

[2025-03-01 21:36:26 -0500] warning/ApiListener: Certificate validation failed for endpoint ‘yoda.unknownrealm.org’: code 18: self signed certificate

This happens if there is a problem with the ticket or if there is no ticket given at all.
A ticket can also be requested by the icinga director selfservice api.

If not all steps failed you might can sign the ca afterwards if it is in that list (bash command on main node):

icinga2 ca list

icinga2 ca sign

golaat · March 2, 2025, 4:45pm

Once I did the icinga2 sign <thumbprint> command it resolved my issue. When you go through the PowerShell installer script it never asks you for a ticket and it does not mention anywhere that you would need tȯ do this after installation is complete. The documentation around the Windows agent install process is a little lackluster. It’s pretty confusing for a newbie like me.

bberg · March 3, 2025, 4:09pm

Did you install the Windows Agent using the MSI File? Or did you use Icinga for Windows together with the Icinga Director Selfservice API?

golaat · March 10, 2025, 2:03am

Neither. i used th Powershell script as documented on the site.