Icinga2 satellite chain setup

Hi ALL,
I succeeded in creating master->satellite->agent. I tried to create a master->satellite1->satellite2->agent. When I refer to satellite1 as parent for satellite2, I got an error when the wizard tried to validate the CA certs. Please let me know what I misunderstood.

Thanks.

Please, let us know what the error message said.

I have set up Master → Satellite → Satellite → Agent systems and it
works, so there is nothing wrong with your basic idea (even though this
arrangement does not appear in the standard documentation).

Antony.

Did you copy the master’s CA cert to the satellite 2 before the setup?

That is not necessary. When correctly configured, the Agent sends the
certificate signing request to Satellite2, which passes it on to Satellite1,
which passes it on to the Master, where it can be signed, and the resulting
certificate gets sent back to the Agent.

It is precisely the same as Master - Satellite - Agent (where you do not put
the Master certificate onto the Satellite), just with one extra level of
redirection / forwarding.

Antony.

And how is your agent setup supposed to trust the satellite2? I thought, one builds the chain of trust by copying the master’s CA cert.

Sorry, I meant to put the CA cert on the agent, not the satellite but I guess it is already there as your satellites trust the master.

Apologies - I was not thinking straight when I said that :(

You are completely correct - each machine does need to have the Master CA
installed under /var/lib/icinga2/certs/ca.crt (on Debian systems, anyway,
maybe elsewhere on other distros).

Sorry for the confusion.

Antony.
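A check for the requirement stated in the post above, as an added example that is not part of the original thread or of Icinga's own tooling: it confirms that a node's certificate is signed by the CA stored beside it and prints the CA fingerprint, so the value can be compared across master, satellites and agent. The function names are hypothetical, the default directory is the Debian path named above, and the `<node>.crt` file name in that directory is an assumption about the local layout.

```shell
#!/bin/sh
# Added example: verify that a node certificate chains to the local ca.crt.
# Assumptions: certs live in one directory (default: the Debian path from the
# thread) and the node certificate is named <node>.crt.

# ca_fingerprint DIR
# Prints the SHA-256 fingerprint of DIR/ca.crt. Every node in the
# master -> satellite1 -> satellite2 -> agent chain should print the same value.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# check_node_trust NODE [DIR]
# Return codes: 0 certificate verifies against ca.crt
#               1 ca.crt missing or unreadable
#               2 node certificate missing or unreadable
#               3 node certificate is not signed by the CA in ca.crt
check_node_trust() {
    node=$1
    dir=${2:-/var/lib/icinga2/certs}

    [ -r "$dir/ca.crt" ] || { echo "missing $dir/ca.crt" >&2; return 1; }
    [ -r "$dir/$node.crt" ] || { echo "missing $dir/$node.crt" >&2; return 2; }

    # Match on the "<file>: OK" line rather than the exit status, because
    # old OpenSSL releases could exit 0 on a failed verification.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$node.crt" 2>/dev/null |
        grep -q ': OK$'; then
        echo "$node.crt is not signed by the CA in $dir/ca.crt" >&2
        return 3
    fi

    echo "ok $node ca_sha256=$(ca_fingerprint "$dir")"
}
```

Run `check_node_trust "$(hostname -f)"` on each machine in the chain; a return code of 3, or a fingerprint that differs from the master's, means that node holds a CA certificate other than the one that signed its own certificate.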

Don’t worry, your post helped me to rethink and make my statement more precise as I was confusing satellite2 and agent.

Hi team, just to let you know: I rebuilt my setup and I did not get the error any more, so for sure I did something wrong. Thanks for all the replies.
