Icinga2 pki ticket --cn issue and question

Hello Everyone,

I’ve an icinga topology like this:

Master --> satellite --> client

My Master uses port 5666 to communicate with each satellite and everything works as expected.
For firewall reasons, I would like to make a new satellite, but I would like to use port 8080 to communicate with my Master.

First, I've made this iptables rule on the Master:
iptables -t nat -I PREROUTING 1 -i ens5 -p tcp --dport 8080 -j REDIRECT --to-port 5666

Second, I've made this iptables rule on the new Satellite (where MASTER_IP is the IP of the master, of course):
iptables -t nat -D OUTPUT -p tcp --destination MASTER_IP --dport 5666 -j DNAT --to-destination MASTER_IP:8080

There are only those 2 iptables rules inside my infrastructure; everything is set with ACCEPT policy.

If I run a telnet command from the satellite to the master on port 8080, it seems to be ok.

So I start to make my satellite configuration with "icinga2 node wizard", this is the output:

Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y

Starting the Agent/Satellite setup routine…

Please specify the common name (CN) [toto.local]: toto

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-master

Do you want to establish a connection to the parent node from this node? [Y/n]: Y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): master.local
Master/Satellite endpoint port [5665]: 5666

Add more master/satellite endpoints? [y/N]: N
Parent certificate information:

Subject: CN = icinga-master
Issuer: CN = Icinga CA
Valid From: May 31 09:37:39 2019 GMT
Valid Until: May 27 09:37:39 2034 GMT
Fingerprint: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'toto'): 741e4c833e8e09f1596452bdaa9f8880f4b09cdb
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master 'master.local, 8080'. Please try again.

I’ve checked the log on my Master and I found this:

[2020-02-05 13:22:22 +0100] information/ApiListener: New client connection for identity 'toto' from [xxx.xxx.xxx.xxx]:17428 (certificate validation failed: code 18: self signed certificate)
[2020-02-05 13:22:22 +0100] warning/ApiListener: No data received on new API connection from [xxx.xxx.xxx.xxx]:17428 for identity 'toto'. Ensure that the remote endpoints are properly configured in a cluster setup.

I searched the support community and some people mentioned that the version of icinga was too old.
My version of icinga is: (version: 2.11.2-1)

I also checked into the CA list on my Master but nothing is present.

I suspect that my iptables rules are not complete, but I don't know what I missed.
Can someone help me?

I know that Michael Friedrich doesn't like using iptables to change the communication between Master and Satellites :wink:
So my second question is: is there a way to make a Master use 2 different ports to communicate with 2 different satellites?
I haven't found anything about communicating on 2 different ports with 2 different satellites without using iptables.

Thanks for your help.
Regards,
Jon

Hi,

OK, just for understanding: why don't you want to use the standard port 5665, which is recommended in the docs? And why do you want to use two different ports to communicate between master and satellite? Security reasons? Because it makes it a lot more difficult to change everything and of course to help.

Hello Stevie,
Thanks for your interest.

Why don't you want to use the standard port 5665, which is recommended in the docs?
On port 5666, I had a nagios server (communication on port 5666 via nrpe).
We replaced the old nagios with the new icinga and we use port 5666 for the communication between satellite and master.
This way, we don't have to make a firewall opening request to our clients.
Everything works with port 5666.

Why do you want to use two different ports to communicate between master and satellite?
Because one of our clients doesn't want to open the firewall on this port (5666) :confused:

Security reason?
Yes, I suppose.

I don't want to change everything, I just want to add one communication between the master and only one new satellite through another port (I found nothing about it, so I don't know if it is possible).

Example:
master --> satellite_client_A --> client (communication on port 5666 - currently ok)
|------> satellite_client_B --> client (communication on port 8080 - currently not ok)

I don't know if it is more understandable like this.

Regards,
Jon

Hi, thanks for the explanation. Hmm, sounds really complicated and difficult. I hope somebody can help you without knowing your environment exactly.
The only idea I would have is to use port forwarding. But I think a problem could be port 8080, because this is the alternative port for HTTP. So if another program is listening on this port, maybe you will have a problem. Take a look here: https://stackoverflow.com/questions/1694144/can-two-applications-listen-to-the-same-port.

Hi,

The output above doesn’t align. First, you’re telling it to connect to port 5666, and then the error sources from port 8080. Is that really the output from your CLI command?

Also, since I have a hard time imagining how the iptables align here, please add the zones.conf from both sides, the master and the satellites.

Also, a drawn image with the hosts, their ports and connection directions will help understand this even better.

Yep, you are correct with that assumption. Moving away from the default ports makes troubleshooting harder and users may not respond to your questions.

Generally speaking, I’d advise to ask your firewall team to open port 5665, at least into one direction. Either the master accepts incoming connections on port 5665, or it may connect to satellites on port 5665.

Since you already control iptables, it seems that doing so won’t necessarily need another team to do so.

A better check to test whether Icinga is really listening on that port is to use openssl on the CLI, from both the master and the satellite.

openssl s_client -connect <satelliteip>:<satelliteicingaport>
openssl s_client -connect <masterip>:<mastericingaport>

More on that in the troubleshooting docs.

Cheers,
Michael

Hello Michael,

Sorry, the output is:
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master 'master.local, 5666'. Please try again.

The previous output was some test that I made…

On the satellite node, I don't have any information in zones.conf, because I would like to configure this zones.conf via the icinga2 node wizard command.

On Master node, I have this inside zones.conf:

// MASTER
object Endpoint "icinga-master" {
  host = "xxx.xxx.xxx.xxx"
  port = "5666"
}
object Zone "MASTER" {
  endpoints = [ "icinga-master" ]
}

// SATELLITE toto
object Endpoint "toto" {
  host = "yyy.yyy.yyy.yyy"
  port = "5666"
}
object Zone "TOTO" {
  endpoints = [ "toto" ]
  parent = "MASTER"
}

This is my topology:

No, I have access to all machines, but between my master and the new satellite there is a firewall and I don't have access to this firewall.

When I execute this command from the satellite to the master:

openssl s_client -connect <masterip>:<mastericingaport>

The connection is successful.

But when I execute this command from the master to the satellite:

openssl s_client -connect <satelliteip>:<satelliteicingaport>

The connection is unsuccessful, with this output:
socket: Bad file descriptor
connect:errno=9

Regards,
Jon
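
An added example (not from the thread and not Icinga's own code): it parses a zones.conf in the shape Jon posted above and, for each child zone, emits the two openssl s_client checks Michael suggests, flagging ports other than the default 5665 and rejecting zones that reference an Endpoint object that is not defined. The sample file is constructed and its addresses are placeholders.

```python
import re

# Constructed sample in the shape of the master-side zones.conf quoted above
SAMPLE_ZONES_CONF = """
object Endpoint "icinga-master" {
  host = "192.0.2.10"
  port = "5666"
}
object Zone "MASTER" { endpoints = [ "icinga-master" ] }
object Endpoint "toto" {
  host = "198.51.100.20"
  port = "5666"
}
object Zone "TOTO" {
  endpoints = [ "toto" ]
  parent = "MASTER"
}
"""

OBJ_RE = re.compile(r'object\s+(Endpoint|Zone)\s+"([^"]+)"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\[[^\]]*\])')

def parse_zones_conf(text):
    """Endpoint name -> (host, port); Zone name -> (endpoints, parent). Missing port = 5665."""
    endpoints, zones = {}, {}
    for kind, name, body in OBJ_RE.findall(text):
        attrs = dict(ATTR_RE.findall(body))
        if kind == "Endpoint":
            endpoints[name] = (attrs.get("host", "").strip('"'),
                               attrs.get("port", '"5665"').strip('"'))
        else:
            members = re.findall(r'"([^"]+)"', attrs.get("endpoints", ""))
            zones[name] = (members, attrs.get("parent", "").strip('"') or None)
    return endpoints, zones

def connectivity_checks(endpoints, zones):
    """Per parent/child pair: the openssl command to run from each side, plus non-default ports."""
    checks = []
    for zname, (members, parent) in zones.items():
        missing = [e for e in members if e not in endpoints]
        if missing: raise ValueError(f"zone {zname} references undefined endpoints {missing}")
        if parent is None: continue
        for p in zones[parent][0]:
            for c in members:
                (ph, pp), (ch, cp) = endpoints[p], endpoints[c]
                cmd = "openssl s_client -connect {}:{}"
                checks.append({"from_child": cmd.format(ph, pp), "from_parent": cmd.format(ch, cp),
                               "non_default_ports": sorted({x for x in (pp, cp) if x != "5665"})})
    return checks
```

Running the two printed commands from the satellite and from the master respectively reproduces the check Michael describes; a "Bad file descriptor"/connection failure on one side while the other succeeds points at the firewall between them rather than at the certificate.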

Hello Everyone,

It seems that the issue was due to the firewall.
I will check with other clients if everything works fine.
I will come back to send you the status.

Thanks for your help :slight_smile:

Regards,
Jon