Icinga for Windows Agent setup: ca.crt

Hi everyone,

I’m trying to set up the Icinga for Windows Agent, but I can’t start the service. It says it can’t find the file “C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt”. Does anyone know where this file comes from or how it is generated? I’ve run the wizard and it seemed to work (no errors reported) but maybe something went wrong. Or I missed a step.

PS C:\WINDOWS\system32> Test-IcingaAgentConfig -WriteStackTrace | Out-Null
[Failed]: Icinga Agent configuration contains errors. Run this command for getting a detailed error report: "Test-IcingaAgentConfig -WriteStackTrace | Out-Null"
[2021-06-10 17:31:03 +1000] information/cli: Icinga application loader (version: v2.12.4)
[2021-06-10 17:31:03 +1000] information/cli: Loading configuration file(s).
[2021-06-10 17:31:03 +1000] information/ConfigItem: Committing config item(s).
[2021-06-10 17:31:03 +1000] information/ApiListener: My API identity: jamespc
[2021-06-10 17:31:03 +1000] critical/SSL: Error loading and verifying locations in ca key file 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"
[2021-06-10 17:31:03 +1000] critical/config: Error: Cannot make SSL context for cert path: 'C:\ProgramData\icinga2\var\lib\icinga2/certs//jamespc.crt' key path: 'C:\ProgramData\icinga2\var\lib\icinga2/certs//jamespc.key' ca path: 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
Location: in C:/ProgramData/icinga2/etc/icinga2/features-enabled/…/features-available/api.conf: 1:0-1:23
C:/ProgramData/icinga2/etc/icinga2/features-enabled/…/features-available/api.conf(1): object ApiListener "api" {
C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt

Hello,

How is your hostname configured for Icinga? Icinga 2 is looking for jamespc.crt and key, which means the name of the host has to be jamespc in lower case in the Icinga configuration.

Same goes for the files. If your host is configured as jamespc, the file names have to be lower case in the C:\ProgramData\icinga2\var\lib\icinga2\certs\ directory.

In general, Icinga for Windows should take care of this automatically if the Self-Service API or any other configuration is done. If we can track down the issue, then I will update the docs to provide a step-by-step guide, because I’m seeing a lot of these problems lately.

Hi, the hostname as displayed in Windows is JamesPC. These files exist:
C:\ProgramData\icinga2\var\lib\icinga2/certs//jamespc.crt
C:\ProgramData\icinga2\var\lib\icinga2/certs//jamespc.key

This file doesn’t exist:
C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt

e.g.:
C:\ProgramData\icinga2\var\lib\icinga2\certs>dir
Volume in drive C has no label.
Volume Serial Number is 9081-EDCF

Directory of C:\ProgramData\icinga2\var\lib\icinga2\certs

03/06/2021 12:35 PM .
03/06/2021 12:35 PM ..
04/06/2021 10:33 AM 1,768 jamespc.crt
04/06/2021 10:33 AM 3,294 jamespc.key

Hi :)

This is the ca cert from the master.
Tbh I am still not sure if the ca cert is needed on the agent; at the least it is not needed during the setup. It seems to get copied there after a successful connection, if I look at one of my Windows hosts.

Afaik you have three options when setting up an agent:

  1. copy ca cert manually to the specified location → execute wizard with ticket for the agent → agent is automatically signed against the ca and is connected
  2. no ca cert on the agent → execute wizard with ticket for the agent → manually sign the cert request on the master
  3. no ca cert on the agent → execute wizard without ticket for the agent → manually sign the cert request on the master

How did you execute the wizard and did you sign the cert request on the master already?

I think this is the command line generated by the wizard the final time I ran it:
Start-IcingaAgentInstallWizard -UseDirectorSelfService 1 -DirectorUrl 'http://hostname.domain.net/icingaweb2/director/' -SelfServiceAPIKey 'XXXX' -OverrideDirectorVars 0 -AgentVersion 'release' -PackageSource 'Index of /windows' -CAPort 5666 -AcceptConnections 1 -CAFile '' -EmptyCA 1 -InstallFrameworkPlugins 0 -InstallFrameworkService 0 -RunInstaller

So it sounds like I still need to sign the certificate on the server. The documentation doesn’t really talk about this, apart from Example 3.
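
The checks discussed in this thread (lower-case file names, a missing ca.crt, a certificate not yet signed by the master) can be run in one pass; the script below is an added example, not code from any poster or from the Icinga for Windows project. The function name is hypothetical, and it assumes the default certs path from the error message, a NodeName equal to the lower-cased Windows hostname, and that an agent certificate the master has not signed yet is still self-signed.

```powershell
# Added example (hypothetical helper, not part of Icinga for Windows).
function Get-IcingaAgentCertState {
    param(
        # Assumption: default path taken from the error message in this thread.
        [string]$CertDir  = 'C:\ProgramData\icinga2\var\lib\icinga2\certs',
        # Assumption: the Icinga NodeName is the lower-cased Windows hostname.
        [string]$NodeName = $env:COMPUTERNAME.ToLower()
    )

    $result = [ordered]@{
        NodeName        = $NodeName
        MissingFiles    = @()
        CaseMismatches  = @()
        AgentSelfSigned = $null   # $true: certificate request still unsigned
        IssuerMatchesCa = $null   # name comparison only, not a signature check
        CaThumbprint    = $null   # SHA-1; compare with the master's CA out of band
    }

    $onDisk = @(Get-ChildItem -LiteralPath $CertDir -File -ErrorAction Stop)
    foreach ($expected in "$NodeName.crt", "$NodeName.key", 'ca.crt') {
        # NTFS lookups ignore case, so Test-Path would hide a JamesPC.crt;
        # find the file case-insensitively, then compare the name exactly.
        $match = $onDisk | Where-Object { $_.Name -ieq $expected } | Select-Object -First 1
        if (-not $match) {
            $result['MissingFiles'] += $expected
        } elseif ($match.Name -cne $expected) {
            $result['CaseMismatches'] += $match.Name
        }
    }

    $certPath = Join-Path $CertDir "$NodeName.crt"
    $caPath   = Join-Path $CertDir 'ca.crt'
    if (Test-Path -LiteralPath $certPath) {
        $agent = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
        $result['AgentSelfSigned'] = ($agent.Subject -eq $agent.Issuer)
        if (Test-Path -LiteralPath $caPath) {
            $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)
            $result['IssuerMatchesCa'] = ($agent.Issuer -eq $ca.Subject)
            $result['CaThumbprint']    = $ca.Thumbprint
        }
    }
    [pscustomobject]$result
}

Get-IcingaAgentCertState | Format-List
```

With the directory listing shown earlier in the thread, this would report ca.crt under MissingFiles; AgentSelfSigned coming back true would point to a request that is still waiting to be signed on the master.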