Invalid Ticket while using Self-Service API

  • Director version (System - About): 1.8.0
  • Icinga Web 2 version and modules (System - About): 2.9.3
  • Icinga 2 version (icinga2 --version): 2.13.1-1
  • Operating System and version: centos
  • Icinga PowerShell Framework v1.6.1

Hello there.
I'm just stuck with self-service on Windows.
What I have: a fresh installation of icinga2, icingaweb2, and Director on a fresh CentOS; a fresh installation of Windows Server 2012 with PowerShell 4.0.

In Director, I create a host template and configure self-service.
On the Windows machine, I run the copy-paste from Getting Started:

[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
$ProgressPreference                         = 'SilentlyContinue';
[string]$ScriptFile                         = 'C:\Users\Public\IcingaForWindows.ps1';

Invoke-WebRequest `
    -UseBasicParsing `
    -Uri 'https://packages.icinga.com/IcingaForWindows/IcingaForWindows.ps1' `
    -OutFile $ScriptFile;

& $ScriptFile

During installation I give: the URL of Director (), the Self-Service API key from the host template I created, and the IP address of the master (I want the Windows agent to connect to the master). I ask the system to register a host for me in Director, and the host appears there (endpoint and zone as well). Until this step everything is great.
Now I start the installation, and get trouble with a certificate or ticket.

Here is the command that Icinga for Windows shows me, which will install everything:

Install-Icinga -InstallCommand '{"IfW-ParentAddress":{"Values":{"master.localdomain":["192.168.56.100"]}},"IfW-DirectorSelfServiceKey":{"Values":["99dee4e7dcf7460b8195499e1e6773d18ea7b4b8"]},"IfW-DirectorUrl":{"Values":["http://192.168.56.100/icingaweb2/director/"]}}'

And here is the error in the installation process (I will add the entire installation process at the end):

[Notice]: information/cli: Retrieving TLS certificate for '192.168.56.100:5665'.

 Version:             3
 Subject:             CN = master.localdomain
 Issuer:              CN = Icinga CA
 Valid From:          Sep 22 19:42:20 2021 GMT
 Valid Until:         Sep 18 19:42:20 2036 GMT
 Serial:              2f:4b:e8:3e:d4:91:2f:25:5d:5f:0d:34:f8:47:fc:26:d0:59:78:21

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   master.localdomain
 Fingerprint:         4E EF 4C 58 98 AA 82 90 1F 3C FC 0C 32 1A 51 D3 B9 9C F2 C7 F4 58 6D AB 0E AF 16 B0 0F 69 44 3A

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
[Error]: Failed to create certificate.
Arguments: pki request --host 192.168.56.100 --port 5665 --ticket 93a054fab617bf14560b976e5f3ec1b4a6326881 --key C:\Prog
ramData\icinga2\var\lib\icinga2\certs\win.localdomain.key --cert C:\ProgramData\icinga2\var\lib\icinga2\certs\win.locald
omain.crt --trustedcert C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt --ca C:\ProgramData\icinga2\var\
lib\icinga2\certs\ca.crt
Error:information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
 ritical/cli: !!! Invalid ticket for CN 'win.localdomain'.
[Error]: Failed to sign Icinga certificate
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent nod
e for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the
 host certificate and a valid certificate request. After this you can enable the API feature by using "Enable-IcingaAgen
tFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"

So, it says that it fails to create a certificate… after that there is an issue with writing the certificate to file,
and, finally, that the ticket is invalid.

After this procedure, the directory C:/ProgramData/icinga2/var/lib/certs/ contains the CA certificate, which is identical to the CA certificate on the master host. The directory also contains trusted-parent.crt, win.localdomain.crt and win.localdomain.key. win.localdomain is the FQDN of the machine.
That is it.
If I enable the Agent API feature, I find on my master that there is a certificate that I can sign (icinga2 ca sign), and if I do that the agent will be connected.
The issue is exactly in self-service. It is supposed to sign the certificate for me, but fails, and I cannot really understand why.
Many thanks in advance!

Here is the full listing of the installation:
[Notice]: Starting Icinga for Windows installation
[Notice]: Remote repository "Icinga Stable" was successfully added
[Notice]: Downloading "agent" from "https://packages.icinga.com/IcingaForWindows/stable/agent/Icinga2-v2.13.1-x86_64.msi
"
[Notice]: Installing component "agent" with version "2.13.1" into "C:\Program Files\ICINGA2"
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT AUTHORITY\NetworkService" for service "icinga2" successfully updated
True
[Notice]: Installation of component "agent" with version "2.13.1" was successful.
[Notice]: Successfully backed up Icinga 2 Agent default config
[Notice]: Your hostname was successfully changed to "win.localdomain"
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT Authority\NetworkService" for service "icinga2" successfully updated
[Notice]: Feature "checker" was successfully disabled
[Notice]: Feature "notification" was successfully disabled
[Notice]: Feature "api" was successfully enabled
[Notice]: Api configuration has been written successfully
[Notice]: Generating host certificates for host "win.localdomain"
[Notice]: information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\win.localdomain.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\win.localdomain.crt'.
[Notice]: Fetching trusted master certificate from "192.168.56.100"
[Notice]: information/cli: Retrieving TLS certificate for '192.168.56.100:5665'.

 Version:             3
 Subject:             CN = master.localdomain
 Issuer:              CN = Icinga CA
 Valid From:          Sep 22 19:42:20 2021 GMT
 Valid Until:         Sep 18 19:42:20 2036 GMT
 Serial:              2f:4b:e8:3e:d4:91:2f:25:5d:5f:0d:34:f8:47:fc:26:d0:59:78:21

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   master.localdomain
 Fingerprint:         4E EF 4C 58 98 AA 82 90 1F 3C FC 0C 32 1A 51 D3 B9 9C F2 C7 F4 58 6D AB 0E AF 16 B0 0F 69 44 3A

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
[Error]: Failed to create certificate.
Arguments: pki request --host 192.168.56.100 --port 5665 --ticket 93a054fab617bf14560b976e5f3ec1b4a6326881 --key C:\Prog
ramData\icinga2\var\lib\icinga2\certs\win.localdomain.key --cert C:\ProgramData\icinga2\var\lib\icinga2\certs\win.locald
omain.crt --trustedcert C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt --ca C:\ProgramData\icinga2\var\
lib\icinga2\certs\ca.crt
Error:information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
 ritical/cli: !!! Invalid ticket for CN 'win.localdomain'.
[Error]: Failed to sign Icinga certificate
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent nod
e for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the
 host certificate and a valid certificate request. After this you can enable the API feature by using "Enable-IcingaAgen
tFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"
[Notice]: Icinga Agent zones.conf has been written successfully
[Passed]: Icinga Agent service is installed
[Passed]: The specified user "NT AUTHORITY\NetworkService" is allowed to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\Net
workService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and wri
table by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and wr
itable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Warning]: The specified directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate"
was not found
[Passed]: Icinga Agent configuration is valid
[Passed]: Icinga Agent debug log is disabled
[Notice]: Restarting service "icinga2"
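
The "Invalid ticket for CN 'win.localdomain'" line in the log above means the ticket sent with the certificate request did not match the one the master derives for that CN. The following is an added diagnostic example, not part of the original post and not Icinga's or the Director's own code. It assumes Icinga 2's ticket scheme is PBKDF2-HMAC-SHA1 over the CN with the master's TicketSalt at 50000 iterations; the salt value and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption (not stated on the page): ticket = PBKDF2-HMAC-SHA1(CN, TicketSalt),
# 50000 iterations, 20 bytes, printed as 40 lowercase hex characters.
ICINGA_ITERATIONS = 50000


def expected_ticket(cn, ticket_salt, iterations=ICINGA_ITERATIONS):
    """Derive the ticket a master holding ticket_salt would accept for cn."""
    raw = hashlib.pbkdf2_hmac(
        "sha1", cn.encode("utf-8"), ticket_salt.encode("utf-8"), iterations, dklen=20
    )
    return raw.hex()


def diagnose(cn, presented_ticket, ticket_salt, candidate_cns=()):
    """Classify why a presented ticket is accepted or rejected for cn."""
    presented = presented_ticket.strip().lower()
    if len(presented) != 40 or any(c not in "0123456789abcdef" for c in presented):
        return "malformed: not 40 hex characters"
    # Constant-time comparison, as for any secret-derived token.
    if hmac.compare_digest(expected_ticket(cn, ticket_salt), presented):
        return "valid"
    # The CN is hashed byte for byte, so a short name or a different case fails.
    for other in candidate_cns:
        if hmac.compare_digest(expected_ticket(other, ticket_salt), presented):
            return "cn-mismatch: ticket was issued for '%s'" % other
    return "invalid: issuer used a different salt, or the ticket is for another CN"


if __name__ == "__main__":
    SALT = "constructed-example-salt"   # constructed; the real TicketSalt is a secret
    CN = "win.localdomain"              # CN from the log above
    LOGGED = "93a054fab617bf14560b976e5f3ec1b4a6326881"  # --ticket value from the log
    variants = ["win", "WIN", "WIN.localdomain", "win.localdomain."]
    print(diagnose(CN, LOGGED, SALT, variants))
    print(diagnose(CN, expected_ticket("WIN", SALT), SALT, variants))
```

On the master, `icinga2 pki ticket --cn win.localdomain` prints the ticket the master itself derives, which can be compared with the `--ticket` value in the `Arguments:` line of the log.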

Update to Icinga Director 1.8.1.
