- Director version (System - About): 1.8.0
- Icinga Web 2 version and modules (System - About): 2.9.3
- Icinga 2 version (icinga2 --version): 2.13.1-1
- Operating System and version: centos
- Icinga PowerShell Framework v1.6.1
Hello there.
I'm just stuck with self-service on Windows.
What I have: a fresh installation of icinga2, icingaweb2, and director on a fresh centos; a fresh installation of Windows Server 2012. PowerShell 4.0.
In Director, I create a host template and configure self-service.
On the Windows machine, I run the copy-paste from Getting started:
[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
$ProgressPreference = 'SilentlyContinue';
[string]$ScriptFile = 'C:\Users\Public\IcingaForWindows.ps1';
Invoke-WebRequest `
-UseBasicParsing `
-Uri 'https://packages.icinga.com/IcingaForWindows/IcingaForWindows.ps1' `
-OutFile $ScriptFile;
& $ScriptFile
During installation I give: the URL of Director (), the Self-Service API key from the host template I created, and the IP address of the master (I want the Windows agent to connect to the master). I ask the system to register a host for me in Director, and the host appears there (endpoint and zone as well). Up to this step everything is great.
Now I start the installation and get trouble with a certificate or ticket.
Here is the command that Icinga for Windows shows me, which will install everything:
Install-Icinga -InstallCommand '{"IfW-ParentAddress":{"Values":{"master.localdomain":["192.168.56.100"]}},"IfW-DirectorSelfServiceKey":{"Values":["99dee4e7dcf7460b8195499e1e6773d18ea7b4b8"]},"IfW-DirectorUrl":{"Values":["http://192.168.56.100/icingaweb2/director/"]}}'
And here is the error in the installation process (I will add the entire installation process at the end):
[Notice]: information/cli: Retrieving TLS certificate for '192.168.56.100:5665'.
Version: 3
Subject: CN = master.localdomain
Issuer: CN = Icinga CA
Valid From: Sep 22 19:42:20 2021 GMT
Valid Until: Sep 18 19:42:20 2036 GMT
Serial: 2f:4b:e8:3e:d4:91:2f:25:5d:5f:0d:34:f8:47:fc:26:d0:59:78:21
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: master.localdomain
Fingerprint: 4E EF 4C 58 98 AA 82 90 1F 3C FC 0C 32 1A 51 D3 B9 9C F2 C7 F4 58 6D AB 0E AF 16 B0 0F 69 44 3A
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
[Error]: Failed to create certificate.
Arguments: pki request --host 192.168.56.100 --port 5665 --ticket 93a054fab617bf14560b976e5f3ec1b4a6326881 --key C:\Prog
ramData\icinga2\var\lib\icinga2\certs\win.localdomain.key --cert C:\ProgramData\icinga2\var\lib\icinga2\certs\win.locald
omain.crt --trustedcert C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt --ca C:\ProgramData\icinga2\var\
lib\icinga2\certs\ca.crt
Error:information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
ritical/cli: !!! Invalid ticket for CN 'win.localdomain'.
[Error]: Failed to sign Icinga certificate
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent nod
e for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the
host certificate and a valid certificate request. After this you can enable the API feature by using "Enable-IcingaAgen
tFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"
So, it says that it fails to create a certificate… after that, an issue with writing the certificate to file, and, finally, that the ticket is invalid.
After this procedure, the directory C:/ProgramData/icinga2/var/lib/certs/ contains the CA certificate, which is identical to the CA certificate on the master host. The directory also contains trusted-parent.crt, win.localdomain.crt and win.localdomain.key. win.localdomain is the FQDN of the machine.
That is it.
If I enable the Agent API feature, I find on my master that there is a certificate that I can sign (icinga2 ca sign), and if I do that, the agent gets connected.
The issue is exactly in self-service. It is supposed to sign the certificate for me, but it fails, and I cannot really understand why.
Many thanks in advance!
Here is the full listing of the installation:
[Notice]: Starting Icinga for Windows installation
[Notice]: Remote repository "Icinga Stable" was successfully added
[Notice]: Downloading "agent" from "https://packages.icinga.com/IcingaForWindows/stable/agent/Icinga2-v2.13.1-x86_64.msi
"
[Notice]: Installing component "agent" with version "2.13.1" into "C:\Program Files\ICINGA2"
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT AUTHORITY\NetworkService" for service "icinga2" successfully updated
True
[Notice]: Installation of component "agent" with version "2.13.1" was successful.
[Notice]: Successfully backed up Icinga 2 Agent default config
[Notice]: Your hostname was successfully changed to "win.localdomain"
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT Authority\NetworkService" for service "icinga2" successfully updated
[Notice]: Feature "checker" was successfully disabled
[Notice]: Feature "notification" was successfully disabled
[Notice]: Feature "api" was successfully enabled
[Notice]: Api configuration has been written successfully
[Notice]: Generating host certificates for host "win.localdomain"
[Notice]: information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\win.localdomain.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\win.localdomain.crt'.
[Notice]: Fetching trusted master certificate from "192.168.56.100"
[Notice]: information/cli: Retrieving TLS certificate for '192.168.56.100:5665'.
Version: 3
Subject: CN = master.localdomain
Issuer: CN = Icinga CA
Valid From: Sep 22 19:42:20 2021 GMT
Valid Until: Sep 18 19:42:20 2036 GMT
Serial: 2f:4b:e8:3e:d4:91:2f:25:5d:5f:0d:34:f8:47:fc:26:d0:59:78:21
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: master.localdomain
Fingerprint: 4E EF 4C 58 98 AA 82 90 1F 3C FC 0C 32 1A 51 D3 B9 9C F2 C7 F4 58 6D AB 0E AF 16 B0 0F 69 44 3A
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
[Error]: Failed to create certificate.
Arguments: pki request --host 192.168.56.100 --port 5665 --ticket 93a054fab617bf14560b976e5f3ec1b4a6326881 --key C:\Prog
ramData\icinga2\var\lib\icinga2\certs\win.localdomain.key --cert C:\ProgramData\icinga2\var\lib\icinga2\certs\win.locald
omain.crt --trustedcert C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt --ca C:\ProgramData\icinga2\var\
lib\icinga2\certs\ca.crt
Error:information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
ritical/cli: !!! Invalid ticket for CN 'win.localdomain'.
[Error]: Failed to sign Icinga certificate
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent nod
e for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the
host certificate and a valid certificate request. After this you can enable the API feature by using "Enable-IcingaAgen
tFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"
[Notice]: Icinga Agent zones.conf has been written successfully
[Passed]: Icinga Agent service is installed
[Passed]: The specified user "NT AUTHORITY\NetworkService" is allowed to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Warning]: The specified directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate"
was not found
[Passed]: Icinga Agent configuration is valid
[Passed]: Icinga Agent debug log is disabled
[Notice]: Restarting service "icinga2"
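
Added example, not part of the original post: a way to check on the master whether a rejected ticket, like the one in the "Invalid ticket for CN" line above, was derived for a different spelling of the host name. It assumes Icinga 2's ticket scheme (PBKDF2-HMAC-SHA1 of the CN with the master's TicketSalt, 50000 iterations); the salt, the sample ticket and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: Icinga 2 derives tickets with PBKDF2-HMAC-SHA1, 50000 iterations,
# 20 bytes of output, hex encoded (40 characters, like the ticket in the log).
ITERATIONS = 50000


def pki_ticket(cn, ticket_salt):
    """Derive the ticket the master would expect for this exact CN."""
    raw = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(), ITERATIONS, 20)
    return raw.hex()


def ticket_valid_for(cn, ticket, ticket_salt):
    """Constant-time comparison of a presented ticket with the expected one."""
    expected = pki_ticket(cn, ticket_salt).encode()
    return hmac.compare_digest(expected, ticket.strip().lower().encode())


def cn_candidates(fqdn):
    """Spellings of one host name to try: FQDN and short name, each in lower and upper case."""
    short = fqdn.split(".")[0]
    seen = []
    for cn in (fqdn, fqdn.lower(), fqdn.upper(), short, short.lower(), short.upper()):
        if cn not in seen:
            seen.append(cn)
    return seen


def find_matching_cn(ticket, ticket_salt, candidates):
    """Return the candidate CN the ticket was derived for, or None."""
    for cn in candidates:
        if ticket_valid_for(cn, ticket, ticket_salt):
            return cn
    return None


# Constructed sample data: neither the salt nor the ticket comes from the post.
SAMPLE_SALT = "constructed-ticket-salt"
SAMPLE_TICKET = pki_ticket("WIN", SAMPLE_SALT)  # issued for the short upper-case name

if __name__ == "__main__":
    cn = "win.localdomain"  # CN the agent put into its certificate request
    print(cn, "accepted:", ticket_valid_for(cn, SAMPLE_TICKET, SAMPLE_SALT))
    print("issued for:", find_matching_cn(SAMPLE_TICKET, SAMPLE_SALT, cn_candidates(cn)))
```

A result of None from find_matching_cn means no tried spelling fits, which points at the salt rather than the name.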