Hi,
I have a master instance with some restrictive firewall settings. That master has some satellites, and some of those satellites have a VPN connection to some agents in separate LANs.
Today, for the first time, I have a new agent on a new system that has no public IP. For my setup, the certificate chain I'm using is:
```
icinga2 pki save-cert \
  --key /etc/icinga2/pki/{{ inventory_hostname }}.key \
  --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt \
  --trustedcert /etc/icinga2/pki/trusted-master.crt \
  --host {{ monitoring_master_hostname }} \
  --port {{ monitoring_master_port }}
```
Where monitoring_master is the real master DNS name. But because of the dynamic IP of the agent and the firewall restriction, I cannot get the certificate. A similar problem comes up later in the next step:
```
icinga2 pki request \
  --host {{ monitoring_master_hostname }} \
  --port {{ monitoring_master_port }} \
  --ticket {{ icinga_ticket }} \
  --key /etc/icinga2/pki/{{ inventory_hostname }}.key \
  --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt \
  --trustedcert /etc/icinga2/pki/trusted-master.crt \
  --ca /etc/icinga2/pki/ca.key
```
So, the agent on a PC somewhere on the internet needs to talk to the master during setup. Later, it always retrieves the commands, checks, etc. from the satellite. I'm not really sure about the documentation here.
Is it possible to not use the master address but the satellite, to create that client certificate or do I always need to call the master?