Icinga2 node setup "Failed to fetch signed certificate from parent Icinga node"

Hi all

I’m running a distributed environment with 2 masters and 2 satellites. Recently (not sure when the problem occurred) I’m having trouble connecting agents to their satellite.

icinga2 node setup, or icinga node wizard for that matter, responds with

critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from parent Icinga node '192.168.5.10, 5665'. Please try again.

Here is the full command and output for reference; I have replaced IPs and host names.

# icinga2 node setup --ticket "8893136c1d237d8701c02dd2919a617f8de0a9a4" --cn "agent01" --endpoint "icinga2-satellite,192.168.5.10,5665" --zone "agent01" --parent_zone "icinga2-satellite" --parent_host "icinga2-satellite" --trustedcert "/var/lib/icinga2/certs/icinga2-satellite.crt" --accept-commands --accept-config
information/cli: Requesting certificate with ticket '8893136c1d237d8701c02dd2919a617f8de0a9a4'.
information/cli: Verifying parent host connection information: host '192.168.5.10', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'agent01'.
information/cli: Backup file '/var/lib/icinga2/certs//agent01.key.orig' already exists. Skipping backup.
information/cli: Backup file '/var/lib/icinga2/certs//agent01.crt.orig' already exists. Skipping backup.
information/base: Writing private key to '/var/lib/icinga2/certs//agent01.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/certs//agent01.crt'.
information/cli: Verifying trusted certificate file '/var/lib/icinga2/certs/icinga2-satellite.crt'.
information/cli: Requesting a signed certificate from the parent Icinga node.
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from parent Icinga node '192.168.5.10, 5665'. Please try again.

The satellite log shows

[2025-02-03 18:17:18 +0100] information/ApiListener: New client connection for identity 'agent01' from [::ffff:192.168.5.30]:46444 (certificate validation failed: code 18: self-signed certificate)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Received certificate request for CN 'agent01' which couldn't be verified: self-signed certificate (code 18)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Certificate request for CN 'agent01' is pending. Waiting for approval.
[2025-02-03 18:17:18 +0100] warning/JsonRpcConnection: API client disconnected for identity 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Received certificate update message for CN 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Saved certificate update for CN 'agent01'

The master log shows

[2025-02-03 18:17:28 +0100] information/JsonRpcConnection: Received certificate request for CN 'agent01' which couldn't be verified: self-signed certificate (code 18)
[2025-02-03 18:17:28 +0100] information/JsonRpcConnection: Certificate request for CN 'agent01' is pending. Waiting for approval.

The agent remains unconnected.

System information

icinga2 --version

icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.4-1)

Masters and Satellites are on Ubuntu 22.04 and Agents on Ubuntu 20.04

Thankful for any pointers.

Best regards
Johannes Dagemark

To anyone experiencing the same problem, I just found "agent install certificate signing failure on setup using agent 2.14.4" (Issue #10330, Icinga/icinga2 on GitHub) and downgraded from 2.14.4 to 2.14.3 and the problem is no more.

2 Likes
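
An added example, not part of the original thread: a small Python triage script that rebuilds the per-CN event order from Icinga 2 log lines like the satellite excerpt above and flags CNs whose client disconnected while the certificate request was still pending. The sample log is a constructed copy of the lines in the post; the function names are hypothetical and the message patterns are only the ones visible in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the satellite log lines quoted in the post.
SAMPLE_LOG = """\
[2025-02-03 18:17:18 +0100] information/ApiListener: New client connection for identity 'agent01' from [::ffff:192.168.5.30]:46444 (certificate validation failed: code 18: self-signed certificate)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Received certificate request for CN 'agent01' which couldn't be verified: self-signed certificate (code 18)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Certificate request for CN 'agent01' is pending. Waiting for approval.
[2025-02-03 18:17:18 +0100] warning/JsonRpcConnection: API client disconnected for identity 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Received certificate update message for CN 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Saved certificate update for CN 'agent01'
"""

# "[timestamp] severity/Component: message", as seen in the post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sev>\w+)/(?P<comp>\w+): (?P<msg>.*)$")

# Only the messages visible in the post are recognised; everything else is ignored.
EVENTS = [
    ("unverified_request", re.compile(r"Received certificate request for CN '([^']+)' which couldn't be verified")),
    ("pending", re.compile(r"Certificate request for CN '([^']+)' is pending")),
    ("update_saved", re.compile(r"Saved certificate update for CN '([^']+)'")),
    ("disconnected", re.compile(r"API client disconnected for identity '([^']+)'")),
]

def summarize(log_text):
    """Return {cn: [(timestamp, event_name), ...]} in log order."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for name, pattern in EVENTS:
            hit = pattern.search(m["msg"])
            if hit:
                timeline[hit.group(1)].append((m["ts"], name))
                break
    return dict(timeline)

def disconnected_while_pending(timeline):
    """CNs whose client disconnected after 'pending' and before any saved update."""
    flagged = []
    for cn, events in timeline.items():
        waiting = False
        for _, name in events:
            if name == "pending":
                waiting = True
            elif name == "update_saved":
                waiting = False
            elif name == "disconnected" and waiting:
                flagged.append(cn)
                break
    return flagged

if __name__ == "__main__":
    print(disconnected_while_pending(summarize(SAMPLE_LOG)))
```
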