To complete my last message: yes, the certificate has been signed, but still no success.
master01[users:1] ~ # icinga2 ca sign 09878ae29f6365aab0b67ff09641a297debb1d61b23b49b94e4e948ce49ecb03
information/cli: Signed certificate for 'CN = master02'.
Icinga restarted.
master01[users:1] ~ # icinga2 ca list
Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
Logs:
[2021-08-20 16:53:31 +0200] information/ApiListener: Reconnecting to endpoint 'master02' via host 'master02' and port '5665'
[2021-08-20 16:53:31 +0200] warning/ApiListener: Certificate validation failed for endpoint 'master02': code 18: self signed certificate
[2021-08-20 16:53:31 +0200] information/ApiListener: New client connection for identity 'master02' to [141.95.39.129]:5665 (certificate validation failed: code 18: self signed certificate)
[2021-08-20 16:53:31 +0200] information/ApiListener: Finished reconnecting to endpoint 'master02' via host 'master02' and port '5665'
[2021-08-20 16:53:31 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master02'
[2021-08-20 16:53:34 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master02'
[2021-08-20 16:53:41 +0200] information/ApiListener: Reconnecting to endpoint 'master02' via host 'master02' and port '5665'
[2021-08-20 16:53:41 +0200] warning/ApiListener: Certificate validation failed for endpoint 'master02': code 18: self signed certificate
[2021-08-20 16:53:41 +0200] information/ApiListener: New client connection for identity 'master02' to [141.95.39.129]:5665 (certificate validation failed: code 18: self signed certificate)
[2021-08-20 16:53:41 +0200] information/ApiListener: Finished reconnecting to endpoint 'master02' via host 'master02' and port '5665'
I had a similar error with one satellite. With that satellite, I removed /var/lib/icinga2/certs/, relaunched the PKI signing, signed the certificate on master01, restarted Icinga and all is OK with this satellite.
So the problem is only located on master02.
The icinga2 versions were different on my 2 masters; I've fixed that (all on r2.12.4-1) but the problem is still present.
master01[users:1] ~ # md5sum /var/lib/icinga2/ca/ca.key
cfda8368ad62a15825d645aa13b3f0c6 /var/lib/icinga2/ca/ca.key
master01[users:1] ~ # cd /var/lib/icinga2/ca/
master01[users:1] /var/lib/icinga2/ca # ll
total 8
-rw------- 1 nagios nagios 1720 Feb 26 2020 ca.crt
-rw------- 1 nagios nagios 3247 Feb 26 2020 ca.key
master02[users:1] ~ # md5sum /var/lib/icinga2/ca/ca.key
md5sum: /var/lib/icinga2/ca/ca.key: No such file or directory
master02[users:1] ~ # cd /var/lib/icinga2/ca/
-bash: cd: /var/lib/icinga2/ca/: No such file or directory
But:
master02[users:1] ~ # md5sum /var/lib/icinga2/certs/ca.key
ef47058d1187b283da2197f9ffe89213 /var/lib/icinga2/certs/ca.key
And for all my satellites, the same thing: "md5sum: /var/lib/icinga2/ca/ca.key: No such file or directory"
Example for one of my satellites (where signing was working):
satellite01: md5sum /var/lib/icinga2/ca/ca.key
md5sum: /var/lib/icinga2/ca/ca.key: No such file or directory
satellite01: md5sum /var/lib/icinga2/certs/ca.key
ef47058d1187b283da2197f9ffe89213 /var/lib/icinga2/certs/ca.key
Remove the key from all nodes except master01. Also remove /var/lib/icinga2/certs and /var/lib/icinga2/ca on those nodes (where the key existed, except master01) and re-run the node wizard.
No better.
I've cleaned up my zone.conf; I now have just master01 and master02.
I've deleted all CA certs on master02 and recreated them, but no success.
master02[users:1] /var/lib/icinga2/certs # ll
total 16
-rw-r--r-- 1 nagios nagios 3529 Aug 24 15:19 ca.crt
-rw-r--r-- 1 nagios nagios 1720 Aug 24 15:19 ca.key
-rw-r--r-- 1 nagios nagios 1842 Aug 24 15:19 master02.crt
-rw------- 1 nagios nagios 3243 Aug 24 15:19 master02.key
md5sum ca.crt
67d3cdbbdaba8891cecef77edecf37ef ca.crt
(On master01: md5sum ca.crt ef47058d1187b283da2197f9ffe89213 ca.crt)
icinga2 pki verify --cert master02.crt --cacert ca.crt
information/cli: Verifying certificate 'master02.crt'
Version: 3
Subject: CN = master02
Issuer: CN = master02
Valid From: Aug 24 13:19:52 2021 GMT
Valid Until: Aug 20 13:19:52 2036 GMT
Serial: b9:00:90:89:6e:a9:48:fc:7c:ee:11:9d:1f:78:2c:0f:f0:ee:98:3e
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: master02
Fingerprint: 33 11 4E 19 E0 2D DE 5D C2 F7 01 51 98 B3 1C BA A9 EB E6 3A C6 6F AD D3 84 9F D6 EE B4 A9 0D F4
information/cli: with CA certificate 'ca.crt'.
Version: 3
Subject: CN = master01
Issuer: CN = Icinga CA
Valid From: Feb 26 08:28:40 2020 GMT
Valid Until: Feb 22 08:28:40 2035 GMT
Serial: 01:53:ea:8e:fd:82:bb:c2:6c:e0:6a:d5:f8:07:a7:ad:db:88:82:0f
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: master01
Fingerprint: 60 3B A0 82 25 5A 75 13 D8 E9 E8 05 26 7D E8 1A 51 64 92 6E A9 83 0B D2 F3 37 AA 0B E4 2A 3C 39
critical/cli: CRITICAL: Certificate with CN 'master02' is NOT signed by CA: self signed certificate (code 18)
Because of my automation (with many satellites), I've done it with icinga2 pki…
But I've tried to do it with the wizard, and same problem.
What is strange is that with my satellites I've no problem, only when I want to add a second master.
Thank you for your help !
I've deleted the directories on master02.
Then I transferred /var/lib/icinga2/ca/ca.crt from master01 to /var/lib/icinga2/certs/ on master02:
master02[users:1] /var/lib/icinga2/certs # ll ca.crt
-rw-r--r-- 1 nagios nagios 3529 Aug 25 09:43 ca.crt
On master02:
icinga2 pki new-cert --cn master02 \
--key /var/lib/icinga2/certs/master02.key \
--csr /var/lib/icinga2/certificate-requests/master02.csr
Result:
information/base: Writing private key to '/var/lib/icinga2/certs/master02.key'.
information/base: Writing certificate signing request to '/var/lib/icinga2/certificate-requests/master02.csr'.
master02[users:1] /var/lib/icinga2/certificate-requests # ll
total 4
-rw-r--r-- 1 nagios nagios 1700 Aug 25 09:49 master02.csr
Last step:
master02[users:1] /var/lib/icinga2 # icinga2 pki sign-csr --csr /var/lib/icinga2/certificate-requests/master02.csr --cert /var/lib/icinga2/certs/master02.crt
critical/SSL: Could not open CA key file '/var/lib/icinga2/ca/ca.key': 33558530, "error:02001002:system library:fopen:No such file or directory"
information/pki: Writing certificate to file '/var/lib/icinga2/certs/master02.crt'.
master02[users:1] /var/lib/icinga2/certs # ll
total 12
-rw-r--r-- 1 nagios nagios 3529 Aug 25 09:43 ca.crt
-rw-r--r-- 1 nagios nagios 54 Aug 25 09:53 master02.crt
-rw------- 1 nagios nagios 3247 Aug 25 09:49 master02.key
master02.crt has thus been created, but empty:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
master02[users:1] /var/lib/icinga2 # ll ca
ls: cannot access 'ca': No such file or directory
No "ca" directory on master02.
Started again: I've exported ca.crt from master01, and ca.key too.
Made a symbolic link: ln -sf /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/ca/ca.crt
Then doing your steps again and restarted icinga.
All is OK now !!
master01 and master02 are UP and running, and are synced.
Ohh, of course, because the CA private key does not exist on master02. All steps (except removing the directories) should be performed on master01, then transfer all files belonging to master02 and master01's ca.crt to the respective directories. My mistake 🤦. But you shouldn't copy the ca.key of master01 anywhere, because it should only ever be on the primary master (master01). So you can delete it from master02 directly now.
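For anyone landing on this thread with the same symptom, here is a small pre-flight check that encodes the layout the thread ended up with: the CA private key only under ca/ on master01, no ca.key under certs/ on any node, the secondary's certs/ca.crt byte-identical to master01's, and a real PEM body in the node certificate (the 54-byte master02.crt above was just the BEGIN/END markers). This is an added example written for this page, not code from the thread or from the Icinga project; the directory paths follow the thread, while the role names, the reference-ca.crt argument and the exit codes are my own assumptions.

```shell
#!/bin/sh
# Pre-flight audit of an Icinga 2 node's certificate layout before it is
# joined as a second master. Added example for this thread, not Icinga
# project code. Paths mirror the thread (/var/lib/icinga2/ca and certs);
# the role names, the reference-CA argument and the exit codes are
# assumptions of this script.
#
# Rules checked (all taken from the thread's outcome):
#   1. only the primary master holds the CA private key, at ca/ca.key
#   2. no node carries ca.key under certs/ (where master02 had it)
#   3. certs/ca.crt must be byte-identical to the primary's CA certificate
#   4. certs/<cn>.crt must contain a real PEM body, not just BEGIN/END lines
#      (the 54-byte master02.crt written after the failed sign-csr)
#   5. certs/<cn>.key must exist
#
# Usage: audit_icinga_node <lib_dir> <cn> <primary|secondary> <reference ca.crt>
# Exit status 0 = layout clean, 1 = one or more findings (printed, one per line).

pem_has_body() {
    # true only if the file exists and has at least one base64 line between
    # the BEGIN/END markers
    [ -f "$1" ] && grep -v 'CERTIFICATE-----' "$1" | grep -q '[A-Za-z0-9+/=]'
}

audit_icinga_node() {
    lib=$1; cn=$2; role=$3; ref_ca=$4
    findings=0

    # rule 1: CA private key placement depends on the role
    if [ "$role" = primary ] && [ ! -f "$lib/ca/ca.key" ]; then
        echo "FAIL $cn: ca/ca.key missing, 'icinga2 ca sign' cannot work on this node"
        findings=$((findings + 1))
    elif [ "$role" != primary ] && [ -f "$lib/ca/ca.key" ]; then
        echo "FAIL $cn: ca/ca.key present on a $role; the CA key belongs only on the primary master"
        findings=$((findings + 1))
    fi

    # rule 2: a stray CA key in certs/ is never right
    if [ -f "$lib/certs/ca.key" ]; then
        echo "FAIL $cn: certs/ca.key present; remove it, certs/ holds only ca.crt, $cn.crt and $cn.key"
        findings=$((findings + 1))
    fi

    # rule 3: trust anchor must be the primary's CA, not a locally generated one
    if [ ! -f "$lib/certs/ca.crt" ]; then
        echo "FAIL $cn: certs/ca.crt missing"
        findings=$((findings + 1))
    elif ! cmp -s "$lib/certs/ca.crt" "$ref_ca"; then
        echo "FAIL $cn: certs/ca.crt differs from the primary master's ca.crt"
        findings=$((findings + 1))
    fi

    # rule 4: node certificate must actually contain a certificate
    if ! pem_has_body "$lib/certs/$cn.crt"; then
        echo "FAIL $cn: certs/$cn.crt missing or has no certificate body (sign it on the primary and copy it back)"
        findings=$((findings + 1))
    fi

    # rule 5: node private key
    if [ ! -f "$lib/certs/$cn.key" ]; then
        echo "FAIL $cn: certs/$cn.key missing"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# run directly, e.g.: sh audit.sh /var/lib/icinga2 master02 secondary /tmp/master01-ca.crt
if [ "$#" -eq 4 ]; then
    audit_icinga_node "$@"
fi
```

Copy master01's /var/lib/icinga2/ca/ca.crt to a scratch path on the secondary and pass it as the fourth argument. A clean result only says the files are in the right places; it does not verify the signature chain, so still finish with `icinga2 pki verify --cert /var/lib/icinga2/certs/master02.crt --cacert /var/lib/icinga2/certs/ca.crt` as in the thread.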