Icinga for Windows (ifw) renew certificate script

I am setting up ifw.
I generated the certificate with icinga2 pki and copied it to the Windows server.
I don’t understand the point of the scheduled task “renewcertificate”.
How can this script get a renewed certificate from a Linux server, or did I misunderstand something?
Can somebody explain?
Thanks in advance.

Hello, thank you for your message.
The renew certificate task from Icinga for Windows will by default look for the Icinga Agent on the system and use this certificate to renew the Icinga for Windows certificate.

If you are not running the Icinga Agent and still want to use the Linux Icinga certificates (.crt files), you can copy the certificate locally to the Windows machine. Afterwards you have to modify your background daemon to load a custom certificate:

Register-IcingaBackgroundDaemon -Command 'Start-IcingaWindowsRESTApi' -Arguments @{ '-CertFile' = '<path\to\your\file.crt>' }

Once done, restart Icinga for Windows:

Restart-IcingaForWindows

The scheduled task will run automatically and renew the certificate file whenever the local certificate changes. To make things even easier, you could also set up a domain policy to push certificates to the host and use either

  • -CertThumbprint

or

  • -CertFilter

as arguments for starting the REST API daemon. These arguments will then look in the local Windows certificate store for certificates.

Hello Lord Hepipud! Thanks for your reply.

We have tried out your suggestion, but it didn’t work.

I think if I give you a summary of our config it may help us resolve this issue.

On the monitoring server we are using Icinga Web 2 Version 2.12.2

Our plan is to roll out Icinga for Windows to our Windows servers using the Icinga PowerShell Service.
We are not using any other Icinga agent service.

We have set up the certificates by using the instructions at Icinga for Windows without an Icinga 2 agent.

We are successfully using the Icinga framework for PowerShell for our monitoring.

So, the problem we still have is the renew certificate task.

Going through this task, you can see below that the first 3 lines work correctly, however, the last line ends on an error.

PS Function:\> $CertificateFile
C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\icingaforwindows.pfx

PS C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\jobs> $RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi'].ContainsKey('-CertFile')
True

PS C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\jobs> $RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi']['-CertFile']
C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\test01.testdomain.com.crt

PS C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\jobs> Install-IcingaForWindowsCertificate -CertFile $CertificatePath;
[Error]: Unable to install Icinga for Windows certificate, as with specified arguments and auto-lookup for Icinga Agent certificate, no certificate could be created

Or when running the renew certificate script step by step, we get:

PS Function:\>  if ([string]::IsNullOrEmpty($CertFile) -eq $FALSE) {
>>         if ([IO.Path]::GetExtension($CertFile) -ne '.pfx') {
>>             ConvertTo-IcingaX509Certificate -CertFile $CertFile -OutFile $CertificateFile -Force | Out-Null;
>>         } else {
>>             Copy-ItemSecure -Path $CertFile -Destination $CertificateFile -Force | Out-Null;
>>         }
>>     }
[Error]: Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". Certutil output:
CertUtil: -MergePFX command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". Certutil output:
CertUtil: -MergePFX command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.
At C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache\framework_cache.psm1:32525 char:9
+         throw $ErrMessage;
+         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to creat...le specified.
:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". Certutil output:
CertUtil: -MergePFX command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

Do you have an idea what could be going wrong here?

We would be delighted to find a solution to this problem.

Is by any chance the hostname of Windows not matching the name of the certificate?
It seems Icinga for Windows is trying to look up the hostname, but can’t find the certificate because the name is different.
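
Added example, not part of the thread and not code from Icinga for Windows: a pre-flight check for the file passed via -CertFile, covering the hostname mismatch suggested in the last reply and the ERROR_FILE_NOT_FOUND from certutil. Test-CustomIcingaCertFile is a hypothetical helper name, and the check for a .key file beside the .crt is an assumption about what certutil -MergePFX needs.

```powershell
# Added example: Test-CustomIcingaCertFile is a hypothetical helper,
# not a cmdlet of the Icinga PowerShell Framework.
function Test-CustomIcingaCertFile {
    param (
        [Parameter(Mandatory = $true)]
        [string]$CertFile
    )
    $Findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $CertFile -PathType Leaf)) {
        $Findings.Add("Certificate file not found: $CertFile")
        return $Findings
    }

    # Assumption: for non-.pfx input, certutil -MergePFX expects the private
    # key beside the certificate, same base name with a .key extension.
    if ([IO.Path]::GetExtension($CertFile) -ne '.pfx') {
        $KeyFile = [IO.Path]::ChangeExtension($CertFile, '.key')
        if (-not (Test-Path -LiteralPath $KeyFile -PathType Leaf)) {
            $Findings.Add("No matching key file next to the certificate: $KeyFile")
        }
    }

    try {
        $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
    } catch {
        # A password-protected .pfx or a damaged file ends up here.
        $Findings.Add("Certificate could not be loaded: $($_.Exception.Message)")
        return $Findings
    }

    # Compare the certificate CN with the names this host knows itself by.
    $NameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $CommonName = $Cert.GetNameInfo($NameType, $false)
    $LocalNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry('').HostName)
    if ($LocalNames -notcontains $CommonName) {
        $Findings.Add("Certificate CN '$CommonName' matches none of: $($LocalNames -join ', ')")
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $Findings.Add("Certificate expired on $($Cert.NotAfter)")
    }
    return $Findings
}

# Path as shown in the session output above.
$CertFile = 'C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\test01.testdomain.com.crt'
Test-CustomIcingaCertFile -CertFile $CertFile | ForEach-Object { Write-Warning $_ }
```

No output means none of the checks found a problem; each warning names one condition to fix before running the renew certificate task again.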