I have an Icinga topology like this:
Master --> satellite --> client
My Master uses port 5666 to communicate with each satellite and everything works as expected.
For firewall reasons, I would like to create a new satellite, but I would like it to use port 8080 to communicate with my Master.
First, I’ve made this iptables rule on the Master:
iptables -t nat -I PREROUTING 1 -i ens5 -p tcp --dport 8080 -j REDIRECT --to-port 5666
Second, I’ve made this iptables rule on the new Satellite (where MASTER_IP is the IP of the master, of course):
iptables -t nat -I OUTPUT -p tcp --destination MASTER_IP --dport 5666 -j DNAT --to-destination MASTER_IP:8080
There are only those 2 iptables rules in my infrastructure; everything is set with an ACCEPT policy.
If I run a telnet command from the satellite to the master on port 8080, it seems to be OK.
So I started my satellite configuration with "icinga2 node wizard"; this is the output:
Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y
Starting the Agent/Satellite setup routine...
Please specify the common name (CN) [toto.local]: toto
Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-master
Do you want to establish a connection to the parent node from this node? [Y/n]: Y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): master.local
Master/Satellite endpoint port : 5666
Add more master/satellite endpoints? [y/N]: N
Parent certificate information:
Subject: CN = icinga-master
Issuer: CN = Icinga CA
Valid From: May 31 09:37:39 2019 GMT
Valid Until: May 27 09:37:39 2034 GMT
Fingerprint: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'toto'): 741e4c833e8e09f1596452bdaa9f8880f4b09cdb
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master 'master.local, 8080'. Please try again.
I checked the log on my Master and found this:
[2020-02-05 13:22:22 +0100] information/ApiListener: New client connection for identity 'toto' from [xxx.xxx.xxx.xxx]:17428 (certificate validation failed: code 18: self signed certificate)
[2020-02-05 13:22:22 +0100] warning/ApiListener: No data received on new API connection from [xxx.xxx.xxx.xxx]:17428 for identity 'toto'. Ensure that the remote endpoints are properly configured in a cluster setup.
I searched the support community and some people said the Icinga version was too old.
My version of Icinga is: (version: 2.11.2-1)
I also checked the CA list on my Master, but nothing is present.
I suspect that my iptables rules are not complete, but I don’t know what I missed.
Can someone help me?
I know that Michael Friedrich doesn’t like using iptables to change the communication between Master and Satellites.
So my second question is: is there a way to make a Master use 2 different ports to communicate with 2 different satellites?
I haven’t found anything about communicating on 2 different ports with 2 different satellites without using iptables.
Thanks for your help.
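As an added example, not part of the original post or of Icinga itself, here is a small script that applies the two NAT rules from the question on the correct chains and checks each rule before inserting it, so re-running it never duplicates a rule and never deletes one by accident. The MASTER_IP address, the interface name and the script name nat-rules.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the question's two NAT rules
# idempotently. MASTER_IP and IFACE are placeholders; run as root where iptables exists.
MASTER_IP="${MASTER_IP:-192.0.2.10}"   # placeholder address of the Icinga master
IFACE="${IFACE:-ens5}"                 # interface named in the question
API_PORT=5666                          # Icinga API port on the master
ALT_PORT=8080                          # port the new satellite is allowed through the firewall

# Master side: connections arriving on ALT_PORT are redirected to the local API port.
master_rule() {
    echo "PREROUTING -i $IFACE -p tcp --dport $ALT_PORT -j REDIRECT --to-port $API_PORT"
}

# Satellite side: locally generated traffic to MASTER_IP:API_PORT is rewritten to
# MASTER_IP:ALT_PORT before it leaves. This belongs in the nat OUTPUT chain and must be
# added with -I or -A; -D (as typed in the question) deletes a rule instead of adding it.
satellite_rule() {
    echo "OUTPUT -p tcp -d $MASTER_IP --dport $API_PORT -j DNAT --to-destination $MASTER_IP:$ALT_PORT"
}

# Insert the rule only when `iptables -C` reports it absent, so re-runs never duplicate it.
# The rule spec is intentionally unquoted so it expands into separate arguments.
ensure_rule() {
    if iptables -t nat -C $1 2>/dev/null; then
        echo "present: $1"
    else
        iptables -t nat -I $1 && echo "inserted: $1"
    fi
}

# Usage: sh nat-rules.sh master     (on the master)
#        sh nat-rules.sh satellite  (on the new satellite)
if [ -n "${1:-}" ]; then
    case "$1" in
        master)    ensure_rule "$(master_rule)" ;;
        satellite) ensure_rule "$(satellite_rule)" ;;
        *) echo "usage: $0 master|satellite" >&2; exit 2 ;;
    esac
    iptables -t nat -S   # list the nat rules so the insert can be verified
fi
```

After running it, `iptables -t nat -S` should show exactly one REDIRECT rule on the master and one DNAT rule on the satellite, which is the first thing to confirm before looking at the certificate errors.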