Icinga2 service doesn't start after API Setup: Error on bio X509 AUX reading pem file

Hi,

I’m relatively new to Icinga. My server is an Ubuntu 18.04 on an Azure VM.

I was trying to enable the API feature via icinga2 api setup like it is described in the book I’m using to get to know Icinga a little better (Book title: Icinga 2 - Ein praktischer Einstieg ins Monitoring).

Restarting the icinga2 daemon after the setup fails in a similar way as is described here under Current Behavior.

Jun 11 10:04:09 mon-master01 systemd[1]: Starting Icinga host/service/network monitoring system...
-- Subject: Unit icinga2.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit icinga2.service has begun starting up.
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] information/cli: Icinga application loader (version: r2.10.5-1)
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] information/cli: Loading configuration file(s).
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] information/ConfigItem: Committing config item(s).
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] critical/SSL: Error on bio X509 AUX reading pem file '/var/lib/icinga2/certs//filename.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] critical/config: Error: Cannot get certificate from cert path: '/var/lib/icinga2/certs//filename.crt'.
Jun 11 10:04:09 mon-master01 icinga2[104515]: Location: in /etc/icinga2/features-enabled/api.conf: 4:1-4:24
Jun 11 10:04:09 mon-master01 icinga2[104515]: /etc/icinga2/features-enabled/api.conf(2):  * The API listener is used for distributed monitoring setups.
Jun 11 10:04:09 mon-master01 icinga2[104515]: /etc/icinga2/features-enabled/api.conf(3):  */
Jun 11 10:04:09 mon-master01 icinga2[104515]: /etc/icinga2/features-enabled/api.conf(4): object ApiListener "api" {
Jun 11 10:04:09 mon-master01 icinga2[104515]:                                            ^^^^^^^^^^^^^^^^^^^^^^^^
Jun 11 10:04:09 mon-master01 icinga2[104515]: /etc/icinga2/features-enabled/api.conf(5):
Jun 11 10:04:09 mon-master01 icinga2[104515]: /etc/icinga2/features-enabled/api.conf(6):   ticket_salt = TicketSalt
Jun 11 10:04:09 mon-master01 icinga2[104515]: [2019-06-11 10:04:09 +0000] critical/config: 1 error
Jun 11 10:04:09 mon-master01 systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE
Jun 11 10:04:09 mon-master01 systemd[1]: icinga2.service: Failed with result 'exit-code'.
Jun 11 10:04:09 mon-master01 systemd[1]: Failed to start Icinga host/service/network monitoring system.
-- Subject: Unit icinga2.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit icinga2.service has failed.
--
-- The result is RESULT.

The .crt and .key files exist at the expected location and are also not empty (not sure how I can verify the content of those files).
I also tried to extend the permissions on the files without success.

Version used: r2.10.5-1
OS: Linux Ubuntu 18.04.2 LTS (Kernel Version: 4.18.0-1018-azure)
Enabled features: api checker ido-pgsql mainlog notification

You can read a certificate using openssl x509 -text -in /var/lib/icinga2/certs//filename.crt

If this returns something that looks valid, something else is up.

Thanks for your help. Output is as follows:

140062614897088:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

I’m not really sure what to do with this information except googling it. I'll try to solve it by myself, but if anybody knows what to do with this information I’m thankful for any help I can get.

Your certificate is most clearly broken. Which page in the book did you find the commands in? I have a copy here.

Or better, for anyone with a similar problem: Could you describe what you did and which outputs you received, if they are still there?

I was running icinga2 api setup (page 23) and remember the first time it didn’t work, so I just ran it again and it finished like this:

information/cli: Generating new CA.
critical/cli: CA files '/var/lib/icinga2/ca//ca.crt' and '/var/lib/icinga2/ca//ca.key' already exist.
warning/cli: Found CA, skipping and using the existing one.
information/cli: Private key file '/var/lib/icinga2/certs//filename.key' already exists, not generating new certificate.
information/cli: API user config file '/etc/icinga2/conf.d/api-users.conf' already exists, not creating config file.
information/cli: Enabling the 'api' feature.
warning/cli: Feature 'api' already enabled.
information/cli: Updating 'NodeName' constant in '/etc/icinga2/constants.conf'.
information/cli: Backup file '/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating 'ZoneName' constant in '/etc/icinga2/constants.conf'.
information/cli: Backup file '/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Sadly I can’t recall the output of the first (failed) setup. Can I roll back the setup somehow and simply try again?

If this is your current only setup you can safely delete everything in /var/lib/icinga2/ca/ and /var/lib/icinga2/certs and run api setup again


So I deleted the directories and tried to execute icinga2 api setup again and I got an error that some string is too long. I found the following two threads for that new information:

When using api setup: critical/SSL: Error with x509 NAME: string too long
Hostname change not recognized

This, together with a clean installation of icinga2 after changing the hostname to a shorter one, solved my problem.
Thank you for helping me through this.

much appreciated


Wonderful, has worked! Many thx!!!
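
The checks from this thread, collected as an added example (not part of any post and not Icinga's own tooling): it classifies a certificate file the way the openssl x509 test above does, confirms the private key belongs to it, and checks the name against the 64-character X.509 commonName limit that produces the "string too long" error. It assumes the certificate name is the host's FQDN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage: sh preflight.sh <cert.crt> <cert.key> [name]
# CN_MAX is the X.509 upper bound for commonName (RFC 5280, ub-common-name).
CN_MAX=64

# Return 0 if the name is non-empty and fits into a certificate CN.
cn_fits() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le "$CN_MAX" ]
}

# Print one of: missing | empty | no-pem-header | unparsable | ok
# "no-pem-header" is the case openssl reports as "no start line".
cert_state() {
    [ -e "$1" ] || { echo missing; return; }
    [ -s "$1" ] || { echo empty; return; }
    grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$1" ||
        { echo no-pem-header; return; }
    openssl x509 -noout -in "$1" >/dev/null 2>&1 ||
        { echo unparsable; return; }
    echo ok
}

# Return 0 if the private key ($2) carries the same public key as the cert ($1).
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks; the name defaults to the FQDN (assumption, see lead-in).
preflight() {
    name=${3:-$(hostname -f 2>/dev/null || hostname)}
    rc=0
    cn_fits "$name" ||
        { echo "name '$name' is ${#name} chars, CN limit is $CN_MAX"; rc=1; }
    state=$(cert_state "$1")
    echo "certificate $1: $state"
    if [ "$state" = ok ]; then
        key_matches_cert "$1" "$2" ||
            { echo "key $2 does not belong to $1"; rc=1; }
    else
        rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```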