Hello, I’m currently setting up Icinga for the first time. I kind of feel like a fish out of water and have probably made things harder for myself but, currently, I am trying to use the Icinga 2 Agent for Windows to connect to my Icinga server. Version is 2.13.2-1. OS is Oracle Linux Server 8.7. Enabled features are as follows: api checker command graphite ido-mysql mainlog notification opsgenie syslog.
The environment is single server with a mix of Linux and Windows agents. We have a few nodes connected that are in our AWS environment. Currently I am trying to connect legacy devices (non-AWS servers) to Icinga. Now onto the problem… I’m attempting to run the agents wizard on a Windows server but am getting “An error occurred while setting up Icinga 2”. The standout points seem to be:
The ‘master_host’ parameter has been deprecated. Use ‘parent_host’ instead
Invalid ticket for CN
Failed to fetch signed certificate from parent Icinga node
Any assistance on how I should approach troubleshooting this would be helpful. Currently I do have a TicketSalt entry in my constants.conf. My api.conf (within features-available) looks like this:
The TicketSalt in the constants.conf is ok. That should be how the icinga2 node wizard sets things up when it is run to configure your master.
How are you trying to install the Agent on the Windows host?
Are you using the graphical wizard, or do you try to run a command from cli/powershell?
The graphical wizard will run the correct commands for you. A ticket isn’t necessary, but you then would have to sign the cert request on the master by hand.
The CN for the cert request/ticket must be the same as the name of the agent endpoint. Also the endpoint object and zone object of the agent have to have the same name.
Hi, thanks for responding! Currently I am using the GUI wizard installer on Windows. My intent is to, at some point, automate installation on the rest of the servers, hence why I’d prefer to have auto-signing rather than having to manually sign 100 certs.
If I follow the path in your command I see it shows the \lib\icinga2\certs.… .crt. The cert that I have in this location on my Windows agent is the same that I see on the Icinga server at var/lib/icinga2/certs… when I open and look at the key. I even made a .old of the certs folder and then ran the wizard again. It created a new certs folder and rewrote the same .crt (in my case named ca.crt). This is what I’m seeing as an error at the end of the wizard:
information/cli: Requesting a signed certificate from the parent Icinga node.
information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
critical/cli: !!! Invalid ticket for CN
I guess I don’t know why it appears to be pulling the cert and then saying it’s an invalid ticket.
What did you put into the ticket field of the graphical wizard?
You will first need to create one with icinga2 pki ticket --cn <agent endpoint name> (should be the name of the cert file)
I guess what I might be missing is the idea of the ticket (TicketSalt) itself. Is there only one created or does there need to be a separate ticket for each connected agent?
#!/bin/bash
# Sign every pending certificate request known to the local Icinga 2 CA and log the outcome.
# Note: this signs each pending request unconditionally, so only run it where you control
# which hosts can reach the master's API port.
log_file=/var/log/icinga2/auto_signing.log

# 'icinga2 ca list' prints one request per line: fingerprint | timestamp | signed | subject.
# The header and separator lines do not start with a lowercase hex character, so they are skipped.
/sbin/icinga2 ca list | grep -E '^[a-z0-9]' | while IFS= read -r sign_request; do
    cn=$(echo "$sign_request" | cut -d '|' -f4)
    request_date=$(echo "$sign_request" | cut -d '|' -f2)
    fingerprint=$(echo "$sign_request" | cut -d '|' -f1 | tr -d ' ')
    timestamp=$(date '+%c')
    if /sbin/icinga2 ca sign "$fingerprint"; then
        echo "$timestamp - Request Date: $request_date - Server signed: $cn" >> "$log_file"
    else
        echo "$timestamp - Error signing $cn. Request Date: $request_date" >> "$log_file"
    fi
done
But you can do it the other way round as well, best with something like Ansible.
Generate the ticket for the agent (can be done via the API as well, see Icinga2 Api - Icinga 2) and then use the return value when installing.
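To illustrate the ticket question raised above (one TicketSalt, one ticket per agent CN) and why the master answers "Invalid ticket for CN" when the wizard's CN differs from the name given to pki ticket --cn, here is an added example that is not code from this thread or from the Icinga project. It assumes, from my reading of the Icinga 2 source, that a ticket is PBKDF2-HMAC-SHA1 over the CN with TicketSalt as salt, 50000 iterations, 20 bytes, as lowercase hex; the salt and agent name are constructed sample values.

```python
import hashlib
import hmac

ITERATIONS = 50000  # assumed to match Icinga 2's ticket derivation; verify against `icinga2 pki ticket`
DKLEN = 20          # SHA-1 digest length: tickets are 40 hex characters


def ticket_for(cn: str, ticket_salt: str) -> str:
    """Derive the ticket the master expects for the endpoint named `cn`.

    One TicketSalt on the master yields a distinct ticket for every CN, so there is
    no per-agent secret to store: the master recomputes the value from the CSR's CN.
    """
    digest = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(), ITERATIONS, DKLEN)
    return digest.hex()


def ticket_is_valid(cn: str, presented: str, ticket_salt: str) -> bool:
    """Mirror the master-side check: recompute from the CN in the request and compare.

    A mismatch is what the agent sees as 'Invalid ticket for CN <cn>'.
    """
    return hmac.compare_digest(ticket_for(cn, ticket_salt), presented)


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    salt = "example-ticket-salt-do-not-use"
    agent = "win-agent01.example.internal"
    ticket = ticket_for(agent, salt)
    print(f"{agent} -> {ticket}")
    # The CN typed into the wizard must equal the name used with `pki ticket --cn`:
    # a short hostname instead of the FQDN derives a different ticket and is rejected.
    print(ticket_is_valid(agent, ticket, salt))          # True
    print(ticket_is_valid("win-agent01", ticket, salt))  # False
```

Compare the output of ticket_for for a real endpoint name against icinga2 pki ticket --cn on the master; if they differ, the derivation assumed here does not match your version.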