Icinga API authentication with certificate

Hello again,

I am trying to do a simple curl using the client’s certificate as authentication but it fails.
I am following the documented method.

curl --cacert /var/lib/icinga2/certs/ca.crt --cert <path to client crt> --key <path to client key> 'https://winmonit-dev3:5665/v1'

Using basic authentication (username and pass) it works as expected,
but with the certificates I get a 401 Unauthorized message.

I would appreciate any help on this! :slightly_smiling_face:

I would look into the ApiUser and check whether the attribute client_cn really matches the CN in the subject of the certificate, as shown with openssl x509 -noout -text -in CERT.


Thanks Dirk,

That was the problem indeed, but if I want to authenticate for every client using the certificates, should I have a new ApiUser for each one of them?

If you want to reuse the agent’s certificate, an ApiUser for each System would be needed.

But I would recommend one ApiUser for one functionality and then distributing the certificate. For example, in one environment we have a downtime user with permissions restricted just for this use case. While Icinga 2 has no revocation list, and so you cannot revoke the certificate, by removing or changing the ApiUser you can remove the permissions quite easily.

I need the api user for downtimes so that was a perfect example,
Thanks again for the tips!
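
Added example, not part of the thread: a shell check of the point made in the answers above, that the ApiUser's client_cn has to equal the CN in the certificate subject. The ApiUser object, its name and the CN values are constructed samples, and an exact string comparison is assumed; the parser accepts both subject-line layouts that different OpenSSL versions print.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with an ApiUser's client_cn.
# All names below are constructed sample values, not taken from a real setup.

# Constructed ApiUser: one user per function, restricted to scheduling downtimes.
SAMPLE_APIUSER='object ApiUser "downtime" {
  client_cn = "downtime-client"
  permissions = [ "actions/schedule-downtime" ]
}'

# Extract the first CN from a line printed by `openssl x509 -noout -subject`.
# Accepts "subject= /C=DE/CN=host" and "subject=C = DE, CN = host".
# Limitation: a CN that itself contains "/" or "," is not handled.
subject_cn() {
    s="${1#subject=}"
    printf '%s\n' "$s" | tr '/,' '\n\n' |
        sed -n -E 's/^ *CN *= *(.*[^ ]) *$/\1/p' | head -n 1
}

# Read ApiUser configuration text on stdin and print its client_cn value.
apiuser_client_cn() {
    sed -n -E 's/^[[:space:]]*client_cn[[:space:]]*=[[:space:]]*"([^"]*)".*$/\1/p' |
        head -n 1
}

# $1 = subject line, $2 = ApiUser configuration text.
# Succeeds only when a CN was found and it equals client_cn exactly.
cn_matches() {
    cert_cn=$(subject_cn "$1")
    user_cn=$(printf '%s\n' "$2" | apiuser_client_cn)
    [ -n "$cert_cn" ] && [ "$cert_cn" = "$user_cn" ]
}

# Usage: script CERT.crt apiuser.conf  (both paths are supplied by the caller)
if [ "$#" -eq 2 ]; then
    subj=$(openssl x509 -noout -subject -in "$1")
    if cn_matches "$subj" "$(cat "$2")"; then
        echo "client_cn matches certificate CN: $(subject_cn "$subj")"
    else
        echo "MISMATCH: certificate CN '$(subject_cn "$subj")' is not the ApiUser client_cn"
    fi
fi
```

Run against the client certificate and the file holding the ApiUser object before testing with curl; a mismatch here corresponds to the 401 described in the first post.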