Icinga2 Certificate validation is failing with Icinga-Agent in DMZ

Hello Icinga2-Community,

I am currently running an Icinga instance on a Debian machine. I am trying to connect a Windows server in a DMZ to my master in a local network. I copied the master CA to the Windows machine to avoid the connection my agent would otherwise need to request a certificate. It all worked fine and the checks were running through. But then I tried to change the name of my Windows machine. It was defined in zones.d/master as something like PHOTONSERVER.domain.local. I renamed it to photonserver.domain.local, ran the node wizard again on my Windows machine and gave the new name to the wizard. Now I am getting problems with my certificates.

/var/log/icinga2/icinga2.log:

[2019-11-15 13:49:04 +0100] information/ApiListener: Reconnecting to endpoint 'photonserver.domain.local' via host '10.0.0.19' and port '5665'
[2019-11-15 13:49:04 +0100] information/HttpServerConnection: HTTP client disconnected (from [172.18.0.2]:47132)
[2019-11-15 13:49:05 +0100] warning/ApiListener: Certificate validation failed for endpoint 'photonserver.domain.local': code 18: self signed certificate
[2019-11-15 13:49:05 +0100] information/ApiListener: New client connection for identity 'photonserver.domain.local' to [10.0.0.19]:5665 (certificate validation failed: code 18: self signed certificate)
[2019-11-15 13:49:05 +0100] information/ApiListener: Finished reconnecting to endpoint 'photonserver.domain.local' via host '10.0.0.19' and port '5665'
[2019-11-15 13:49:05 +0100] information/JsonRpcConnection: Received certificate request for CN 'photonserver.domain.local' not signed by our CA.
[2019-11-15 13:49:05 +0100] information/JsonRpcConnection: Certificate request for CN 'photonsrv.ssc-os.local' is pending. Waiting for approval.

When I use icinga2 ca list, it lists a request, but when I sign it, nothing changes. The entry in ca list is gone, though. Do you guys have any idea?

photonserver.domain.local.conf file:

object Zone "photonserver.domain.local" {
        endpoints = [ "photonserver.domain.local" ]
        parent = "master"
}

object Endpoint "photonserver.domain.local" {
        host = "10.0.0.19"
}

object Host "photonserver.domain.local" {
  import "generic-host"
  vars.location = "Infra"
  address = "10.0.0.19"
  vars.os = "Windows"
  vars.check_type = "Agent"
#  vars.disk_win_path = ["C:"]
  vars.commandendpoint = "photonserver.domain.local"
}

Wizard executed on the Windows machine:

C:\WINDOWS\system32>"C:\Program Files\ICINGA2\sbin\icinga2.exe" node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y

Starting the Agent/Satellite setup routine...

Please specify the common name (CN) [photonserver]: photonserver.domain.local

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): master.DOMAIN.local # DOMAIN is capitalised only because we made a small mistake when creating the CA on the master node, but that is not a problem

Do you want to establish a connection to the parent node from this node? [Y/n]: n
Connection setup skipped. Please configure your parent node to
connect to this node by setting the 'host' attribute for the node Endpoint object.

Add more master/satellite endpoints? [y/N]: N

No connection to the parent node was specified.

Please copy the public CA certificate from your master/satellite
into 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt' before starting Icinga 2.

Found public CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
Please verify that it is the same as on your master/satellite.
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []: 5665

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga...

Local zone name [photonserver.domain.local]:
Parent zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:

Do you want to disable the inclusion of the conf.d directory [Y/n]: n

Done.

Now restart your Icinga 2 daemon to finish the installation!

Kind Regards

Okay, so since no one is replying…
I am a step further now. It seems that the node wizard is not using the ca.crt copied from the master properly.
When I look at the generated certs, I can see that they were not created by the master CA but by the hostname (photonserver.domain.local). So the step I am trying now is to use pki on the master node to generate my key and certificate right on the master. But I am stuck there. When I use
icinga2 pki new-cert
I get a key file but no certificate or a request for one. Do you guys know how to get a certificate on the master for an agent/satellite?

You need to do that step after the wizard has been run, and restart the Windows service.

Unfortunately it didn't help.

[2019-11-18 16:05:44 +0100] information/ApiListener: Reconnecting to endpoint 'photonserver.domain.local' via host '10.0.0.19' and port '5665'
[2019-11-18 16:05:44 +0100] warning/ApiListener: Certificate validation failed for endpoint 'photonserver.domain.local': code 18: self signed certificate
[2019-11-18 16:05:44 +0100] information/ApiListener: New client connection for identity 'photonserver.domain.local' to [10.0.0.19]:5665 (certificate validation failed: code 18: self signed certificate)

The certs are the same as before. It seems that the wizard is not using the ca.crt at all. Or maybe the ca.crt is wrong? Is it a good idea to create a new CA on the master?

The ca.crt file is only required to actually start the icinga2 service on the agent. Afterwards it should send the signing request to the parent node, where either auto-signing or on-demand signing takes place, depending on whether you've put in a ticket or not.

Reading your output, icinga2 ca list on the master, followed by icinga2 ca sign <fingerprint> and a restart of Icinga 2, should actually send the signed certificate back to the agent.

Re-creating the Icinga CA will not solve the problem, it will render your entire setup with existing masters, satellites, agents unusable.
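A quick way to see which of the two situations you are in is to inspect the agent's certificate file with openssl: a certificate that "is not signed by our CA" but has the agent's own CN as issuer is the self-signed one the wizard generated, and that is exactly what OpenSSL reports as error 18 (the code in the log above). The script below is an added example, not from this thread or the Icinga project; it assumes you copy the agent's certificate (from C:\ProgramData\icinga2\var\lib\icinga2\certs on Windows) next to the master's ca.crt on a Linux box with openssl. The make_demo_certs function builds a throwaway stand-in CA and two constructed agent certificates so the check can be tried without touching a real installation.

```shell
#!/bin/sh
# Added example: diagnose "code 18: self signed certificate" for an Icinga agent.
# Not part of the Icinga project; file names and the demo CA are assumptions.
set -u

# check_agent_cert CA_CRT AGENT_CRT
# Returns 0 if AGENT_CRT chains to the CA in CA_CRT,
#         1 if AGENT_CRT is self-signed (issuer == subject, OpenSSL error 18),
#         2 if it was issued by some other CA.
check_agent_cert() {
    ca_crt=$1
    agent_crt=$2
    subject=$(openssl x509 -in "$agent_crt" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$agent_crt" -noout -issuer | sed 's/^issuer=//')
    if openssl verify -CAfile "$ca_crt" "$agent_crt" >/dev/null 2>&1; then
        echo "OK: '$subject' was issued by '$issuer' and verifies against $ca_crt"
        return 0
    fi
    if [ "$subject" = "$issuer" ]; then
        echo "SELF-SIGNED: '$subject' is its own issuer; it was never signed by the CA in $ca_crt (OpenSSL error 18)"
        return 1
    fi
    echo "UNTRUSTED: '$subject' was issued by '$issuer', which is not the CA in $ca_crt"
    return 2
}

# make_demo_certs DIR
# Constructed demo material (not real Icinga files): a stand-in for the master CA,
# an agent certificate properly issued by it, and an agent certificate that only
# signed itself, which is the state the log lines in this thread describe.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Icinga CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=photonserver.domain.local" \
        -keyout "$dir/agent-signed.key" -out "$dir/agent.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/agent.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/agent-signed.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=photonserver.domain.local" \
        -keyout "$dir/agent-selfsigned.key" -out "$dir/agent-selfsigned.crt" >/dev/null 2>&1
}

# Stand-alone use: ./check_agent_cert.sh ca.crt photonserver.domain.local.crt
if [ "$#" -eq 2 ]; then
    check_agent_cert "$1" "$2"
fi
```

If the result is SELF-SIGNED, signing the pending request on the master with icinga2 ca sign and restarting both sides is the intended fix; if it is UNTRUSTED with an issuer of "Icinga CA" that still fails to verify, the ca.crt copied to the agent is not the master's current CA. Note that the subject comparison is exact, so a CN that differs only in letter case from the Endpoint name will not be flagged here but will still not match the endpoint in Icinga.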

Okay, so I tried to put the CA in place after the agent setup and signed the certificate on the master with
icinga2 ca sign "fingerprint of request"
But the log still says that the cert from the agent is not signed by our CA,
even after restarting Icinga a couple of times.
If I want to create a ticket and use it on the agent, how would I do that?
The GUI has a field for a ticket, but the CLI wizard is not asking for one.
Is it maybe possible that Icinga has a problem validating the correct tickets or requests because of case sensitivity? It is just a little confusing that everything worked fine until I changed the name to lower-case letters.

Today I tried to reinstall the agent, but forgot to delete the Icinga folder in C:\ProgramData. After installing, the checks were running properly (just installed, no configuration via the wizard was done). I don't know exactly why, although the CA was placed in the certs folder when I installed the agent. But the certificates are now valid.
A bug maybe?