Hi all
I’m running a distributed environment with 2 masters and 2 satellites. Recently (not sure when the problem occurred) I’m having trouble to connect agents to their satellite.
icinga2 node setup or icinga node wizard for that matters responds with
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from parent Icinga node '192.168.5.10, 5665'. Please try again.
Here is the full command and output for reference, I have replaced IP’s and host names.
# icinga2 node setup --ticket "8893136c1d237d8701c02dd2919a617f8de0a9a4" --cn "agent01" --endpoint "icinga2-satellite,192.168.5.10,5665" --zone "agent01" --parent_zone "icinga2-satellite" --parent_host "icinga2-satellite" --trustedcert "/var/lib/icinga2/certs/icinga2-satellite.crt" --accept-commands --accept-config
information/cli: Requesting certificate with ticket '8893136c1d237d8701c02dd2919a617f8de0a9a4'.
information/cli: Verifying parent host connection information: host '192.168.5.10', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'agent01'.
information/cli: Backup file '/var/lib/icinga2/certs//agent01.key.orig' already exists. Skipping backup.
information/cli: Backup file '/var/lib/icinga2/certs//agent01.crt.orig' already exists. Skipping backup.
information/base: Writing private key to '/var/lib/icinga2/certs//agent01.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/certs//agent01.crt'.
information/cli: Verifying trusted certificate file '/var/lib/icinga2/certs/icinga2-satellite.crt'.
information/cli: Requesting a signed certificate from the parent Icinga node.
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from parent Icinga node '192.168.5.10, 5665'. Please try again.
The satellite log shows
[2025-02-03 18:17:18 +0100] information/ApiListener: New client connection for identity 'agent01' from [::ffff:192.168.5.30]:46444 (certificate validation failed: code 18: self-signed certificate)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Received certificate request for CN 'agent01' which couldn't be verified: self-signed certificate (code 18)
[2025-02-03 18:17:18 +0100] information/JsonRpcConnection: Certificate request for CN 'agent01' is pending. Waiting for approval.
[2025-02-03 18:17:18 +0100] warning/JsonRpcConnection: API client disconnected for identity 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Received certificate update message for CN 'agent01'
[2025-02-03 18:17:22 +0100] information/JsonRpcConnection: Saved certificate update for CN 'agent01'
The master log shows
[2025-02-03 18:17:28 +0100] information/JsonRpcConnection: Received certificate request for CN 'agent01' which couldn't be verified: self-signed certificate (code 18)
[2025-02-03 18:17:28 +0100] information/JsonRpcConnection: Certificate request for CN 'agent01' is pending. Waiting for approval.
The agent remains unconnected.
System information
icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.4-1)
Masters and Satellites are on Ubuntu 22.04 and Agents on Ubuntu 20.04
Thankful for any pointers.
Best regards
Johannes Dagemark