Icinga Auto CSR setup configuration issue

Hello, I’m currently setting up Icinga for the first time. I kind of feel like a fish out of water and have probably made things harder for myself but, currently, I am trying to use the Icinga 2 Agent for Windows to connect to my Icinga server. Version is 2.13.2-1. OS is Oracle Linux Server 8.7. Enabled features are as follows: api checker command graphite ido-mysql mainlog notification opsgenie syslog.

The environment is single server with a mix of Linux and Windows agents. We have a few nodes connected that are in our AWS environment. Currently I am trying to connect legacy devices (non-AWS servers) to Icinga. Now onto the problem… I’m attempting to run the agents wizard on a Windows server but am getting “An error occurred while setting up Icinga 2”. The standout points seem to be:

  • The ‘master_host’ parameter has been deprecated. Use ‘parent_host’ instead
  • Invalid ticket for CN
  • Failed to fetch signed certificate from parent Icinga node

Any assistance on how I should approach troubleshooting this would be helpful. Currently I do have a TicketSalt entry in my constants.conf. My api.conf (within features-available) looks like this:

object ApiListener "api" {
  //accept_config = false
  //accept_commands = false

  ticket_salt = TicketSalt
}

Though I’m not sure if that is the correct configuration or not.

Beyond that, I’m not sure how to resolve an incorrectly assigned certificate.

Thank you in advance for any responses.

Hello and welcome.

The TicketSalt in the constants.conf is ok. That should be how the icinga2 node wizard sets things up when it is run to configure your master.

How are you trying to install the Agent on the Windows host?
Are you using the graphical wizard or do you try to run a command from cli/powershell?

The graphical wizard will run the correct commands for you. A ticket isn’t necessary, but you then would have to sign the cert request on the master by hand.

The CN for the cert request/ticket must be the same as the name of the agent endpoint. Also the endpoint object and zone object of the agent have to have the same name.

When you want to run it from the cli:

  1. save cert from trusted parent
& "C:\Program Files\ICINGA2\sbin\icinga2.exe" pki save-cert --host <trusted parent> --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted_parent.crt"
  2. run node setup and restart the agent
& "C:\Program Files\ICINGA2\sbin\icinga2.exe" node setup --cn <agent hostname> --zone <agent hostname> --parent_zone <zone name of trusted parent> --parent_host <trusted parent> --endpoint <endpoint name of trusted parent> --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted_parent.crt" --accept-commands --accept-config --disable-confd
Restart-Service icinga2

As said, a ticket is optional, but you have to sign the cert on the master (icinga2 ca list and icinga2 ca sign ... help here)

Hi, thanks for responding! Currently I am using the GUI wizard installer on Windows. My intent is to, at some point, automate installation on the rest of the servers - hence why I’d prefer to have auto-signing rather than have to manually sign 100 certs.

If I follow the path in your command I see it shows the \lib\icinga2\certs.… .crt. The cert that I have in this location on my Windows agent is the same that I see on the Icinga server at var/lib/icinga2/certs… when I open and look at the key. I even made a .old of the certs folder and then ran the wizard again - it created a new certs folder and rewrote the same .crt (in my case named ca.crt). This is what I’m seeing as an error at the end of the wizard:

information/cli: Requesting a signed certificate from the parent Icinga node.
information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
critical/cli: !!! Invalid ticket for CN 

I guess I don’t know why it appears to be pulling the cert and then saying it’s an invalid ticket.

What did you put into the ticket field of the graphical wizard?
You will first need to create one with icinga2 pki ticket --cn <agent endpoint name> (should be the name of the cert file)

I guess what I might be missing is the idea of the ticket (TicketSalt) itself. Is there only one created or does there need to be a separate ticket for each connected agent?

The ticket salt is created once, but there are separate tickets for each agent because the ticket is created using the agent name and the ticket salt.

Is this something that can be automated? It sounds like either I have to create multiple tickets on the server or sign multiple certificates.

We are installing our agents without tickets and then signing the outstanding signing requests via a script executed by a cronjob on the master server.

# AutoSigning for icinga2 (crontab entry on the master, runs every 5 minutes)
# stdout is redirected first, then stderr, so both end up in the log file
*/5 * * * * /opt/sva/sign_icinga2_certs.sh >> /var/log/icinga2/auto_signing.log 2>&1

#!/bin/bash
# Sign every pending certificate request reported by `icinga2 ca list`.

# Split the `ca list` output on newlines only, not on the spaces inside a line
IFS="
"

log_file=/var/log/icinga2/auto_signing.log

# `ca list` prints "Fingerprint | Timestamp | Signed | Subject"; the header line
# starts with a capital letter, so only request lines (hex fingerprint) match here
for sign_request in $(/sbin/icinga2 ca list | grep -E "^[a-z0-9]"); do
        cn=$(echo "$sign_request" | cut -d "|" -f4)
        request_date=$(echo "$sign_request" | cut -d "|" -f2)
        fingerprint=$(echo "$sign_request" | cut -d "|" -f1 | tr -d " ")

        /sbin/icinga2 ca sign "$fingerprint"
        return_code=$?
        timestamp=$(date "+%c")
        if [ "$return_code" -eq 0 ]; then
                echo "$timestamp - Request Date: $request_date - Server signed: $cn" >> "$log_file"
        else
                echo "$timestamp - Error signing $cn. Request Date: $request_date" >> "$log_file"
        fi
done

But you can do it the other way round as well, best with something like Ansible.
Generate the ticket for the agent (can be done via the API as well: Icinga2 Api - Icinga 2) and then use the return value when installing.
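The ticket derivation and the per-agent pre-generation discussed above, as an added example that is not from this thread; it assumes Icinga 2 derives a ticket as PBKDF2-HMAC-SHA1(cn, TicketSalt) with 50000 rounds and a 20-byte digest (verify against `icinga2 pki ticket --cn <cn>` on your master before relying on it), and uses a constructed constants.conf snippet and made-up agent names.

```python
import hashlib
import hmac
import re

# Assumption (check with `icinga2 pki ticket --cn <cn>` on the master):
# ticket = hex(PBKDF2-HMAC-SHA1(cn, TicketSalt, 50000 rounds, 20-byte digest))
PBKDF2_ROUNDS = 50000
DIGEST_LEN = 20

# Constructed sample of the relevant constants.conf lines; a real salt is a secret
SAMPLE_CONSTANTS_CONF = '''\
const PluginDir = "/usr/lib64/nagios/plugins"
const NodeName = "icinga-master.example.com"
const TicketSalt = "5c2c5e6d1f4b4a8f9e0d1c2b3a495867"
'''

def read_ticket_salt(constants_conf: str) -> str:
    """Extract the TicketSalt value from the text of constants.conf."""
    m = re.search(r'^\s*const\s+TicketSalt\s*=\s*"([^"]*)"', constants_conf, re.MULTILINE)
    if not m or not m.group(1):
        raise ValueError("no non-empty TicketSalt constant found")
    return m.group(1)

def icinga_ticket(cn: str, ticket_salt: str) -> str:
    """Ticket the master accepts for an agent whose certificate CN is exactly `cn`."""
    if not cn or cn != cn.strip():
        raise ValueError("CN must be the exact, trimmed agent endpoint/zone name")
    digest = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(),
                                 PBKDF2_ROUNDS, DIGEST_LEN)
    return digest.hex()

def ticket_is_valid(cn: str, ticket: str, ticket_salt: str) -> bool:
    """Master-side check: a CN that differs from the one the ticket was made for
    (e.g. short hostname vs. FQDN) recomputes to a different value and is rejected."""
    if not re.fullmatch(r"[0-9a-fA-F]{40}", ticket):
        return False
    return hmac.compare_digest(icinga_ticket(cn, ticket_salt), ticket.lower())

def tickets_for_agents(agent_cns, ticket_salt: str) -> dict:
    """Pre-compute one ticket per agent for an unattended rollout (Ansible etc.)."""
    return {cn: icinga_ticket(cn, ticket_salt) for cn in agent_cns}

if __name__ == "__main__":
    salt = read_ticket_salt(SAMPLE_CONSTANTS_CONF)
    for cn, ticket in tickets_for_agents(["win-app01.example.com"], salt).items():
        print(f"{cn}: icinga2 node setup --cn {cn} --zone {cn} --ticket {ticket} ...")
```

The salt is what makes tickets forgeable, so the script reading it belongs on the master (or in your automation vault), not on the agents.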