Icinga2 node setup fail - Peer did not provide a valid certificate

Hi, I've been trying to run the node wizard to connect nodes for monitoring, because the client is running a webserver that isn't compatible with Icinga (Icinga is hardcoded for a particular setup) and I don't want to disturb anything already running. So I set up Icinga on a Raspberry Pi within the LAN to monitor it. Every time I try to connect them at the last step using the node wizard on the client I get:

critical/pki: Cannot connect to host ‘mydomain.com’ on port ‘5665’
critical/cli: Peer did not present a valid certificate.
I've been following the guides but so far it hasn't helped. Icingaweb2 is running well on the server (Raspberry Pi) and I checked that icinga2 is running as well, with the port opened and port forwarded by the router.

So far icinga2 has been a two-week headache. I've been trying to push for monitoring of load so we don't overfill a webserver, but it has not gone well with management because of the time it has been taking to set up. It would be much easier to have Icinga Web on the client, but it's not like I can make it use lsphp7.4 and LiteSpeed, which have been configured as the default httpd/php, even via the command line; it still wants its own PHP packages and Apache.

Did you do the necessary steps for a distributed setup on the raspi, which I understand to be the master in this scenario?
https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#master-setup

You will need a correctly set up master instance before trying to connect other icinga2 instances (satellite/agent) to it.
This means enabling the API, creating a CA and some other steps. The node wizard on the master will do that for you.

Hi, yes, I've double-checked and gone through the steps again and I still get the same error.

I couldn't find anything on creating a CA, and I did run the wizard and restarted the process a few times already.

The node wizard will create the CA when you choose to install a master setup at the first question.
After a correct installation you will have a ca.crt and ca.key under /var/lib/icinga2/ca on the master.

When connecting a satellite to the master you also have to make sure that you use the correct endpoint name of the master. You can find this in /etc/icinga2/zones.conf

I have edited the zones file but I still get the same error. I'm using a subdomain for the master while the satellite has a domain.

How do I add them in? None of the guides mention it.

And the network connection/DNS lookups between those domains work correctly?

Please post the zones.conf from your master and the client as well as the node wizard output from the client.

Hi, yes. The master is sitting behind a NAT on a Raspberry Pi and I have port forwarded. Both can ping each other properly. However, the master doesn't know its domain despite my setting it in the common name, since it applies to the public IP.

It also helps to be able to monitor from my personal network, because the server to monitor tends to ban the office IP for brute-force reasons, which is basically 20 failed logins of any service (account, email, website).

Node wizard output

critical/pki: Cannot connect to host ‘systemerrormessage2.servegame.com’ on port ‘5665’
critical/cli: Peer did not present a valid certificate.

Master zones

object Endpoint "systemerrormessage2.servegame.com" {
}

object Zone "master" {
  endpoints = [ "systemerrormessage2.servegame.com" ]
}

object Zone "global-templates" {
  global = true
}

object Zone "director-global" {
  global = true
}

Node zones

object Endpoint NodeName {
  host = NodeName
}

object Zone ZoneName {
  endpoints = [ NodeName ]
}

object Endpoint "master.example.org" {
  host = "master.example.org"
}

object Endpoint "satellite.example.org" {
  host = "satellite.example.org"
}

object Endpoint "systemerrormessage2.servegame.com" {
  host = "systemerrormessage2.servegame.com"
}

object Zone "master" {
  endpoints = [ "systemerrormessage2.servegame.com" ]
}

Please include the whole output of the node wizard.

Right now it just looks like your client can't resolve the hostname of the master, or the master is not listening on port 5665.

The zones.conf on the client was edited by hand by yourself, correct?
As the file will be configured automatically once the node wizard has been run successfully, my asking you to post it was nonsense.
Apart from that, the configuration you have there is not correct, as the client's zone "ZoneName" will also need the zone "master" as parent. Also, the example stuff is not needed.
But as said, this will be done automatically once the node wizard is successful.

root@raspberrypi2:/etc/icinga2# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup (‘n’ installs a master setup) [Y/n]: n

Starting the Master setup routine…

Please specify the common name (CN) [raspberrypi2]: systemerrormessage2.servegame.com
Reconfiguring Icinga…
Checking for existing certificates for common name ‘systemerrormessage2.servegame.com’…
Certificate ‘/var/lib/icinga2/certs//systemerrormessage2.servegame.com.crt’ for CN ‘systemerrormessage2.servegame.com’ already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
‘api’ feature already enabled.

Master zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:

Do you want to disable the inclusion of the conf.d directory [Y/n]:
Disabling the inclusion of the conf.d directory…
Checking if the api-users.conf file exists…

Done.

Now restart your Icinga 2 daemon to finish the installation!

Client:
[root@server icinga2]# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup (‘n’ installs a master setup) [Y/n]: Y

Starting the Agent/Satellite setup routine…

Please specify the common name (CN) [server.bumbu.agency]:

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): systemerrormessage2.servegame.com

Do you want to establish a connection to the parent node from this node? [Y/n]:
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): systemerrormessage2.servegame.com
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]:
critical/pki: Cannot connect to host ‘systemerrormessage2.servegame.com’ on port ‘5665’
critical/cli: Peer did not present a valid certificate.

I did check, port forwarding works fine, both TCP and UDP. I also use a custom port for https access.

Did you restart icinga2 on the master after running the node wizard?

Does netstat -tulpn list the port 5665 on the master?

# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      78524/icinga2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      22347/mysqld
...

yes to both
tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 9759/icinga2

My money is still on a network connectivity issue, because to me it looks like 'systemerrormessage2.servegame.com' can't be resolved by the client.
Please try giving the IP address of the master at the following step of the client's node wizard:
Master/Satellite endpoint host (IP address or FQDN):

If that were the case it would have been resolved long ago. I have tried different combinations of names and IPs, and even tried installing the website on the server I want to monitor. The issue is that the server I want to monitor is a webserver already set up with websites, so I can't touch it; it is using LiteSpeed, not Apache, and doesn't follow the same conventions as Icinga Web expects. Even though LiteSpeed is an Apache drop-in replacement, it already comes with a panel that changes its entire folder structure and manages its configuration files.

So I figured, since the Icinga setup won't let me configure where the website files go and make sure it doesn't touch the "apache" configuration, I installed it on a Raspberry Pi instead, since LiteSpeed doesn't do ARM.

It looks to me like you aren't reading the error. It says invalid certificate, which means one of two things.

  1. the certificate wasn't generated correctly (i.e. mismatching names and IP) or not generated at all, meaning it gave a pre-included but wrong certificate
  2. the CA is not accepted, which means either Icinga is not configured to accept self-signed certs or it relies on the host to verify it, which for years has not trusted self-signed certs.

As I did say, the master node is behind a NAT.

As stated before, there you can find the CA cert/key.
The master only accepts certificates on the agents signed by its own CA.

The webserver has nothing to do with the master/satellite/agent setup, it is merely for displaying information from the IDO database.

Don't get cranky, please.
The message clearly states that no connection could be made to the master on port 5665, thus the agent did not get the CA certificate to even try creating a signing request.

As stated in the docs at Distributed Monitoring - Icinga 2, you can choose not to actively connect to the master:

Do you want to establish a connection to the parent node from this node? [Y/n]:

Note:

If this node cannot connect to the parent node, choose n. The setup wizard will provide instructions for this scenario – signing questions are disabled then.

Have you tried that and the next steps the wizard asks?
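A connectivity probe, added here and not from the thread or from Icinga's own tooling, that reports the stage the reply above distinguishes: name resolution, the TCP connection to port 5665, and only then the TLS handshake and what certificate the peer presented. Run on the agent against the master's name; the optional CA file is the master's ca.crt from /var/lib/icinga2/ca, assumed to have been copied over by hand (without it the handshake is unverified and only the fingerprint is recorded, to compare with the master's .crt).

```python
import hashlib
import socket
import ssl

def probe_master(host, port=5665, ca_file=None, timeout=5.0):
    """Report at which stage a connection to an Icinga 2 parent fails.

    Returns {'stage': 'dns'|'tcp'|'tls'|'ok', 'detail': str, ...}. With ca_file
    the peer certificate is verified against that CA and its CN returned; without
    it the SHA-256 fingerprint of whatever the peer presented is recorded.
    """
    try:
        *_, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return {"stage": "dns", "detail": f"cannot resolve {host!r}: {exc}"}
    try:
        raw = socket.create_connection(sockaddr[:2], timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "detail": f"{sockaddr[0]}:{port} not reachable: {exc}"}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # Icinga matches the CN against the Endpoint name itself
    if ca_file:
        ctx.load_verify_locations(ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: just record what was presented
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cn = None
            if ca_file:  # parsed subject is only available for a verified certificate
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"]).get("commonName")
    except ssl.SSLError as exc:
        raw.close()
        return {"stage": "tls", "detail": f"handshake with {host} failed: {exc}"}
    fingerprint = ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    return {"stage": "ok", "detail": "peer presented a certificate",
            "sha256": fingerprint, "cn": cn, "verified": bool(ca_file)}

if __name__ == "__main__":
    import sys  # usage: probe.py <master-host> [port] [ca.crt]
    print(probe_master(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5665,
                       sys.argv[3] if len(sys.argv) > 3 else None))
```

The fingerprint can be compared with `openssl x509 -in /var/lib/icinga2/certs/<cn>.crt -noout -fingerprint -sha256` on the master; a "dns" or "tcp" result means the wizard never reached the handshake at all.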