Icinga2 node setup fail - Peer did not provide a valid certificate

Hi, I’ve been trying to run the node wizard to connect nodes for monitoring, because the client is running a webserver that isn’t compatible with Icinga (Icinga is hardcoded for a particular setup) and I don’t want to disturb anything already running. So I set up Icinga on a Raspberry Pi within the LAN to monitor it. Every time I try to connect them at the last step using the node wizard on the client I get:

    critical/pki: Cannot connect to host 'mydomain.com' on port '5665'
    critical/cli: Peer did not present a valid certificate.

I’ve been following the guides but so far it hasn’t helped. Icingaweb2 is running well on the server (Raspberry Pi) and I checked that icinga2 is running as well, with the port opened and port forwarded by the router.

So far icinga2 has been a 2 week headache. I’ve been trying to push for monitoring of load so we don’t overfill a webserver, but it has not gone well with management because of the time it’s been taking to set it up. It would be much easier to have Icinga Web on the client, but it’s not like I can make it use lsphp7.4 and LiteSpeed that have been configured as the default httpd/php, even via command line; it still wants its PHP packages and Apache.

Did you do the necessary steps for a distributed setup on the raspi, which I understand to be the master in this scenario?
https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#master-setup

You will need a correctly set up master instance before trying to connect other icinga2 instances (satellite/agent) to it.
This means enabling the API, creating a CA and some other steps. The node wizard on the master will do that for you.

Hi, yes, I’ve double-checked and gone through the steps again and I still get the same error.

I couldn’t find anything on creating a CA, and I did run the wizard and restarted the process a few times already.

The node wizard will create the CA if you choose to install a master setup when asked in the first question.
After a correct installation you will have a ca.crt and ca.key under /var/lib/icinga2/ca on the master.

When connecting a satellite to the master you also have to make sure that you use the correct endpoint name of the master. You can find this in /etc/icinga2/zones.conf.

I have edited the zones file but I still get the same error. I’m using a subdomain for the master while the satellite has a domain.

How do I add them in? None of the guides mention it.

And the network connection/DNS lookups between those domains work correctly?

Please post the zones.conf from your master and the client as well as the node wizard output from the client.

Hi, yes, the master is sitting behind a NAT on a Raspberry Pi and I have port forwarded. Both can ping each other properly. However, the master doesn’t know its domain despite setting it in the common name, since it applies to the public IP.

It also helps to be able to monitor from my personal network because the server to monitor tends to ban the office IP for brute-force reasons, which is basically 20 failed logins of any service (account, email, website).

Node wizard output

    critical/pki: Cannot connect to host 'systemerrormessage2.servegame.com' on port '5665'
    critical/cli: Peer did not present a valid certificate.

Master zones

    object Endpoint "systemerrormessage2.servegame.com" {
    }

    object Zone "master" {
        endpoints = [ "systemerrormessage2.servegame.com" ]
    }

    object Zone "global-templates" {
        global = true
    }

    object Zone "director-global" {
        global = true
    }

node zones

    object Endpoint NodeName {
      host = NodeName
    }

    object Zone ZoneName {
      endpoints = [ NodeName ]
    }

    object Endpoint "master.example.org" {
      host = "master.example.org"
    }

    object Endpoint "satellite.example.org" {
      host = "satellite.example.org"
    }

    object Endpoint "systemerrormessage2.servegame.com" {
      host = "systemerrormessage2.servegame.com"
    }

    object Zone "master" {
      endpoints = [ "systemerrormessage2.servegame.com" ]
    }

Please include the whole output of the node wizard.

Right now it just looks like your client just can’t resolve the hostname of the master or the master is not listening on port 5665.

The zones.conf on the client was edited by hand by yourself, correct?
As the file will be configured automatically once the node wizard has been run successfully, me asking to post it was nonsense.
Apart from that, the configuration you have there is not correct, as the client’s zone “Zonename” will also need the Zone “master” as parent. Also, the example stuff is not needed.
But as said, this will be done automatically once the node wizard was successful.
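
The checks the replies above ask for (CA files on the master, the master's endpoint name in zones.conf, a parent on the client zone, and the certificate presented on port 5665), collected as an added example that is not part of the original thread or of Icinga itself. All function names are hypothetical, and the sample configuration is constructed from the files posted above.

```shell
#!/bin/sh
# Added example: offline pre-flight checks before re-running "icinga2 node wizard".
# Paths and port 5665 are from the thread; all function names are hypothetical.

# Master: the CA created by the master setup must exist (/var/lib/icinga2/ca).
ca_present() {  # $1 = CA directory
    [ -s "$1/ca.crt" ] && [ -s "$1/ca.key" ]
}

# Is name $2 a (quoted) Endpoint object in zones.conf $1?
endpoint_defined() {
    sed -n 's/^[[:space:]]*object[[:space:]]\{1,\}Endpoint[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" |
        grep -Fxq -- "$2"
}

# Does Zone $2 in zones.conf $1 set a parent? (the client zone needs "master")
zone_has_parent() {
    awk -v z="$2" '
        $1 == "object" && $2 == "Zone" { n = $3; gsub(/"/, "", n); inzone = (n == z) }
        inzone && $1 == "parent" { found = 1 }
        /}/ { inzone = 0 }
        END { exit !found }' "$1"
}

# Not run here (needs network): print subject, issuer and validity of the
# certificate the master presents on the API port.
show_peer_cert() {  # $1 = host, $2 = port
    openssl s_client -connect "$1:${2:-5665}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Constructed sample input, trimmed from the zones.conf files posted above.
sample_master_zones() {
    printf '%s\n' 'object Endpoint "systemerrormessage2.servegame.com" {' '}' \
        'object Zone "master" {' \
        '    endpoints = [ "systemerrormessage2.servegame.com" ]' '}'
}
sample_client_zones() {
    printf '%s\n' 'object Endpoint NodeName {' '    host = NodeName' '}' \
        'object Zone ZoneName {' '    endpoints = [ NodeName ]' '}' \
        'object Zone "master" {' \
        '    endpoints = [ "systemerrormessage2.servegame.com" ]' '}'
}
```

On a real system, point `ca_present` at /var/lib/icinga2/ca and the zone checks at /etc/icinga2/zones.conf, then compare the subject printed by `show_peer_cert` with the endpoint name given to the wizard.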