Icinga2 with an existing TLS CA

I am trying to setup Icinga2 for a customer who wants to use only TLS certs signed by his own Root CA.

For the debian machines (configured via Debops/Ansible) we created a separate CA and there is an intermediate SystemCA.

So the chain looks like: RootCA → SystemCA → DebopsCA

Additionally I created a CA “icinga” parallel to the DebopsCA: the customer wants the certs for the other services without Client-usage feature … and I think Icinga needs that (so I enable it for that “profile”.

Within Debops I created the needed pki-Authoritites and pki-realms. I get certs created and deployed.

I configure icinga to use the icinga-CA for its PKI.

But I get trust issues between icinga nodes and master.

When I check the certs etc with “icinga2 pki verify”, I get a strange (to me) picture:

icinga2 pki verify --cert my.crt = OK

icinga2 pki verify --cacert ca.crt = OK

icinga2 pki verify --cert my.crt --cacert ca.crt = not OK →

critical/cli: CRITICAL: Certificate with CN ‘myhost.mydom.tld’ is NOT signed by CA: unable to get issuer certificate (code 2)

The issuer string of the host cert matches the subject string of the ca.cert

What do I miss?

I see the warnings about the deprecated attributes for the paths, but assume that it is not crucial for my issue.

I’ll be happy about any help and will provide more infos if needed.

Yes, I research docs for days now … I am also in contact with the very helpful maintainer of Debops … but I am stuck now.

  • Version used (icinga2 --version) : r2.12.3-1
  • Operating System and version : Debian 11
  • Enabled features (icinga2 feature list) :
Disabled features: command compatlog debuglog elasticsearch gelf graphite icingadb influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker ido-mysql mainlog notification
  • Config validation (icinga2 daemon -C)
[2021-09-22 11:56:18 +0200] information/cli: Icinga application loader (version: r2.12.3-1)
[2021-09-22 11:56:18 +0200] information/cli: Loading configuration file(s).
[2021-09-22 11:56:18 +0200] information/ConfigItem: Committing config item(s).
[2021-09-22 11:56:18 +0200] warning/ApiListener: Attribute 'key_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2021-09-22 11:56:18 +0200] warning/ApiListener: Attribute 'ca_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2021-09-22 11:56:18 +0200] warning/ApiListener: Attribute 'cert_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2021-09-22 11:56:18 +0200] warning/ApiListener: Please read the upgrading documentation for v2.8: https://icinga.com/docs/icinga2/latest/doc/16-upgrading-icinga-2/
[2021-09-22 11:56:18 +0200] information/ApiListener: My API identity: myhost.mydom.tld
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 5 Zones.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 4 Hosts.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 2 Endpoints.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 235 CheckCommands.
[2021-09-22 11:56:18 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2021-09-22 11:56:18 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2021-09-22 11:56:18 +0200] information/cli: Finished validating the configuration file(s).

reading through this now: Own CA for Icinga Cluster/API communication?

I notice that my host-cert does have “DNS: mydom.tld” in the SAN, not the FQDN.

fixed that. no progress, though. For now I remove that icinga-CA to get back to a working state. Maybe my other PKI is also borked.

Hello @sgw!

Sounds like you’ve hit a well-known problem:

Best,
AK