Hi there,
I’ve run into a problem but I’m not sure if this is a bug, or something wrong with our config.
For our Windows servers, we’re trying to automate the entire process - we’re using the Director self-service API to create the host object, and then another API request to retrieve the ticket.
We have a three-tiered architecture - two masters, satellites distributed at a few locations - clients connect to the satellite, and the satellites connect to both masters.
Everything seems to work, until the CA Proxy needs to kick in - the debug logs on the masters are showing that the ticket is invalid, however when I match the ticket to what our API is receiving, it matches.
Client logs:
[2019-08-06 17:01:34 +1000] information/ApiListener: Reconnecting to endpoint 'Satellite' via host '10.100.80.15' and port '5665'
[2019-08-06 17:01:34 +1000] information/ApiListener: New client connection for identity 'Satellite' to [10.100.80.15]:5665
[2019-08-06 17:01:34 +1000] information/ApiListener: Finished reconnecting to endpoint 'Satellite' via host '10.100.80.15' and port '5665'
[2019-08-06 17:01:34 +1000] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'Satellite'.
Satellite logs:
[2019-08-06 16:40:43 +1000] information/ApiListener: New client connection for identity 'WindowsServer' from [10.100.80.4]:60479 (certificate validation failed: code 18: self signed certificate)
[2019-08-06 16:40:43 +1000] information/JsonRpcConnection: Received certificate request for CN 'WindowsServer' not signed by our CA.
[2019-08-06 16:40:43 +1000] information/JsonRpcConnection: Certificate request for CN 'WindowsServer' is pending. Waiting for approval.
Secondary master logs:
[2019-08-06 16:40:43 +1000] notice/JsonRpcConnection: Received 'pki::RequestCertificate' message from 'Satellite'
[2019-08-06 16:40:43 +1000] information/JsonRpcConnection: Received certificate request for CN 'WindowsServer' not signed by our CA.
[2019-08-06 16:40:43 +1000] information/JsonRpcConnection: Certificate request for CN 'WindowsServer' is pending. Waiting for approval.
[2019-08-06 16:40:43 +1000] notice/ApiListener: Relaying 'pki::RequestCertificate' message
[2019-08-06 16:40:43 +1000] notice/ApiListener: Sending message 'pki::RequestCertificate' to 'master1'
Primary master (CA) logs:
[2019-08-06 16:43:03 +1000] notice/JsonRpcConnection: Received 'event::Heartbeat' message from 'master2'
[2019-08-06 16:43:03 +1000] notice/JsonRpcConnection: Received 'pki::RequestCertificate' message from 'master2'
[2019-08-06 16:43:03 +1000] information/JsonRpcConnection: Received certificate request for CN 'WindowsServer' not signed by our CA.
[2019-08-06 16:43:03 +1000] warning/JsonRpcConnection: Ticket '2b3296c97f20f3286d5bb0161aa3718911acc32b' for CN 'WindowsServer' is invalid.
Additionally, running the following command also returns the same ticket:
[root@master1]# icinga2 pki ticket --cn "WindowsServer"
2b3296c97f20f3286d5bb0161aa3718911acc32b
I have also checked in the /var/lib/icinga2/certificate-requests folder, and I can see the correct ticket is in the JSON file.
Does the ticket need to exist before the CSR is submitted? I’m out of ideas as to what could be causing this, because when we manually sign the certificate everything works (the certificate gets sent back down to the client via the satellite).
Cheers.
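The ticket check described in the post, as an added example (my code, not the poster's or Icinga's): it re-derives the ticket for a CN from a TicketSalt and reports which master's salt reproduces the ticket the CA logged as invalid, which is the first thing to confirm when two masters are involved. It assumes the derivation is PBKDF2-HMAC-SHA1 over the CN with TicketSalt as the salt, 50000 iterations and a 20-byte digest; the page does not state this, so confirm it by comparing against `icinga2 pki ticket --cn` output for the same salt. The two salts are placeholders, and the sample log text is the wrapped warning quoted above.

```python
"""Re-derive an Icinga 2 CSR ticket and check it against the one a master logged as invalid."""
import hashlib
import hmac
import re

# Assumption (not stated on the page): a ticket is PBKDF2-HMAC-SHA1 over the CN, with the
# master's TicketSalt as salt, 50000 iterations and a 20-byte digest, printed as 40 hex chars.
TICKET_ITERATIONS = 50000
TICKET_RE = re.compile(r"^[0-9a-f]{40}$")
WARNING_RE = re.compile(r"Ticket '([0-9a-f]{40})' for CN '([^']+)' is invalid")


def compute_ticket(cn: str, ticket_salt: str) -> str:
    """Derive the ticket for a CN the way `icinga2 pki ticket --cn` is assumed to."""
    digest = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(),
                                 TICKET_ITERATIONS, dklen=20)
    return digest.hex()


def ticket_matches(cn: str, ticket_salt: str, ticket: str) -> bool:
    """Constant-time check of a received ticket; tolerates case and stray whitespace."""
    candidate = ticket.strip().lower()
    if not TICKET_RE.match(candidate):
        return False
    return hmac.compare_digest(compute_ticket(cn, ticket_salt), candidate)


def parse_invalid_ticket_warning(log_text: str):
    """Pull (ticket, cn) out of the CA master's warning, rejoining a terminal-wrapped line."""
    joined = "".join(log_text.splitlines())  # a fixed-column wrap inserts no characters
    m = WARNING_RE.search(joined)
    return (m.group(1), m.group(2)) if m else None


def find_salt(cn: str, ticket: str, salts_by_name: dict) -> list:
    """Names of the configs (e.g. one per master) whose TicketSalt reproduces the ticket."""
    return [name for name, salt in salts_by_name.items() if ticket_matches(cn, salt, ticket)]


# Constructed sample: the wrapped warning from the post, plus placeholder salts for two masters.
SAMPLE_WARNING = ("[2019-08-06 16:43:03 +1000] warning/JsonRpcConnection: Ticket "
                  "'2b3296c97f20f3286d5bb0161aa3718911acc32b\n' for CN 'WindowsServer' is invalid.")
SAMPLE_SALTS = {"master1": "placeholder-salt-master1", "master2": "placeholder-salt-master2"}

if __name__ == "__main__":
    ticket, cn = parse_invalid_ticket_warning(SAMPLE_WARNING)
    print(f"logged ticket {ticket} for {cn} reproduced by: {find_salt(cn, ticket, SAMPLE_SALTS)}")
    # A ticket minted with master2's salt is only accepted by a master configured with that salt.
    minted = compute_ticket(cn, SAMPLE_SALTS["master2"])
    print(f"ticket from master2's salt reproduced by: {find_salt(cn, minted, SAMPLE_SALTS)}")
```

Run it against the real TicketSalt from each master's constants.conf (read from the file, never pasted into a ticket) to see whether the salt the API used is the one the CA master validates with.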