Initialize Agent via Satellite with Master certificate

Hi,

I have a master instance with some restrictive firewall settings. That master has some satellites, and some of those satellites have a VPN connection to some agents in separate LANs.

Today, for the first time, I have a new agent on a new system that has no public IP, but for my setup this is the certificate chain I’m using:

icinga2 pki save-cert \
  --key /etc/icinga2/pki/{{ inventory_hostname }}.key \
  --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt \
  --trustedcert /etc/icinga2/pki/trusted-master.crt \
  --host {{ monitoring_master_hostname }} \
  --port {{ monitoring_master_port }}

Where monitoring_master is the real master DNS name. But, because of the dynamic IP of the agent and the firewall restriction, I cannot get the certificate. A similar problem occurs later in the next step:

icinga2 pki request \
  --host {{ monitoring_master_hostname }} \
  --port {{ monitoring_master_port }} \
  --ticket {{ icinga_ticket }} \
  --key /etc/icinga2/pki/{{ inventory_hostname }}.key \
  --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt \
  --trustedcert /etc/icinga2/pki/trusted-master.crt \
  --ca /etc/icinga2/pki/ca.key

So, the agent on a PC somewhere on the internet needs to talk to the master during setup. Later, it retrieves the commands, checks etc. always from the satellite. I’m not really sure about the documentation here.

Is it possible to use the satellite address instead of the master address to create that client certificate, or do I always need to call the master?

icinga2 has a feature named CA proxy.

The /etc/icinga2/features-available/api.conf must allow the incoming request, but I think it is enabled by default on all agents, so every agent can act as a CA proxy.

Hmm, ok, 2017 - didn’t know that. Thanks.
Because I’m using Ansible to set up Icinga I cannot use the node wizard, but “CA Proxy” gives me the hint to look for more details on the web. When I have success, I’ll post the commands here for future searches. Thanks.

Ok, it works. Just replacing the master with the satellite hostname, and the certificate comes from the satellite and is accepted by the satellite. I wondered for a while about the chain, but I think, for the agent, only the next hop is relevant. Either it trusts the satellite certificate, or it trusts the master certificate and the satellite certificate is signed by the master certificate. In both cases the configuration is forwarded via mTLS to the agent.

Sadly it’s difficult to show a complete example here, but I replaced only monitoring_master_hostname with monitoring_parent_hostname, which is the satellite in front of the agent, and then it works. The agent certificate is signed by the parent/satellite (I can see it in the output of icinga2 ca list --all).
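An Ansible task list for the bootstrap described in this thread, added here as an example (it is not the poster's playbook): the agent fetches the satellite's certificate and requests its own through the satellite acting as CA proxy. The variables monitoring_parent_hostname, monitoring_parent_port and icinga_ticket and the file files/ca.crt are assumptions; the openssl verify task is an extra check not mentioned in the thread, because save-cert stores whatever certificate answers on that host and port.

```yaml
# Added example, not the poster's playbook. Assumed variables:
# monitoring_parent_hostname / monitoring_parent_port (the satellite in front
# of the agent) and icinga_ticket; files/ca.crt is the master CA certificate,
# shipped with the playbook rather than fetched over the network.
- name: Create the agent key and a temporary self-signed certificate
  ansible.builtin.command:
    cmd: >-
      icinga2 pki new-cert --cn {{ inventory_hostname }}
      --key /etc/icinga2/pki/{{ inventory_hostname }}.key
      --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
    creates: /etc/icinga2/pki/{{ inventory_hostname }}.key

- name: Fetch the satellite certificate (the agent's next hop, not the master)
  ansible.builtin.command:
    cmd: >-
      icinga2 pki save-cert
      --key /etc/icinga2/pki/{{ inventory_hostname }}.key
      --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
      --trustedcert /etc/icinga2/pki/trusted-parent.crt
      --host {{ monitoring_parent_hostname }}
      --port {{ monitoring_parent_port }}
    creates: /etc/icinga2/pki/trusted-parent.crt

- name: Install the master CA certificate shipped with the playbook
  ansible.builtin.copy:
    src: files/ca.crt
    dest: /etc/icinga2/pki/ca.crt

# save-cert stores whatever certificate answered on that host and port, so
# confirm it really chains to the master CA before asking it to sign anything.
- name: Verify the satellite certificate is signed by the master CA
  ansible.builtin.command:
    cmd: openssl verify -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/trusted-parent.crt
  changed_when: false

- name: Request the signed agent certificate through the satellite (CA proxy)
  ansible.builtin.command:
    cmd: >-
      icinga2 pki request
      --host {{ monitoring_parent_hostname }}
      --port {{ monitoring_parent_port }}
      --ticket {{ icinga_ticket }}
      --key /etc/icinga2/pki/{{ inventory_hostname }}.key
      --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
      --trustedcert /etc/icinga2/pki/trusted-parent.crt
      --ca /etc/icinga2/pki/ca.crt
  no_log: true
```

The request task is marked no_log because the ticket is the secret that authorises the signing; the satellite forwards the request to the master, so the agent never needs to reach the master directly.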