Issues with connecting to director api (401 unauthorized)

Greetings,

I’m having issues with connection to the director-api via curl and hope you can help me :slight_smile:

I’m trying to access the director api like this:
curl -i -u icingaadmin:xxx -H ‘Accept: application/json’ ‘https://icinga2.xyz.com/icingaweb2/director/host?name=TEST

Which results in:
HTTP/2 401
x-powered-by: PHP/7.4.30
www-authenticate: Basic realm="Icinga Web 2"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: sameorigin
content-length: 0
content-type: text/html; charset=UTF-8
date: Tue, 19 Jul 2022 14:29:51 GMT
server: Apache

Permissions of my Testuser: (System → Access Control → Audit → icingaadmin → inspect)

I also tried:

  • curl without -H ‘Accept: application/json’ → results in HTTP 302
  • credentials from /etc/icinga2/api-users.conf → also results in 401
  • setting up credentials via director → users (I can’t find any properties matching “director/api” as specified in the documentation, so I didn’t look any further)
  • Director version (System - About): 1.9.1
  • Icinga Web 2 version and modules (System - About): 2.11.1
  • Icinga 2 version (icinga2 --version): r2.13.4-1
  • Operating System and version: Debian 11.4
  • Webserver, PHP versions: Apache/2.4.54 (Debian), 7.4.30 (shown in icingaweb/about)

Any ideas as to what is going wrong?

Thank you in advance.
Best regards
Max

try:
curl -i -u 'icingaadmin:xxx' -H 'Accept: application/json' 'https://icinga2.xyz.com/icingaweb2/director/host?name=TEST'

and keep in mind that you use the right quote sign

Thanks, Good tip but it was a formatting error on my end (only in this thread)
The actual line I used:

curl -i -u 'icingaadmin:xxxx' -H 'Accept: application/json' 'https://icinga2.xyz.com/icingaweb2/director/host?name=TEST'

Any other ideas?

you need icingaweb2 credentials.
an icingaweb2 user that has the permission to do director calls. not a director user, not an api user

Thank you for the reply.
My User icingaadmin is able to login and administer the director via browser
I’ve also tested a different account that was added via https://icinga2.xyz.com/icingaweb2/user/ (full permissions to everything) I’m also able to view and administer the director using this username in my browser. You can also see that in the screenshot of my first post…

I must be doing something wrong for sure, but I don’t know what. Please help… :frowning:

I executed exactly that but with my URL and my credentials and it works.

maybe you have some bash unfriendly chars in your password, change it to something easy and try again

I’ve checked that, done that. I’m currently using a password with only alphanum (lowercase) characters
Maybe it’s my apache vhost then, what webserver are you using? And could you be so kind and compare your vhost with my vhost or post yours?

My vhost

<VirtualHost REDACTED>
  ServerName icinga2.REDACTED
  ServerAdmin REDACTED
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2 +TLSv1.3
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
  SSLCompression Off
  SSLHonorCipherOrder on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
  SSLVerifyDepth 10
  SSLCertificateFile /etc/apache2/ssl/icinga2.REDACTED.crt
  SSLCertificateKeyFile /etc/apache2/ssl/icinga2.REDACTED.key
  SSLCACertificateFile /etc/apache2/ssl/icinga2.REDACTED_CA.pem
  SSLCertificateChainFile /etc/apache2/ssl/icinga2.REDACTED_chain.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
  </IfModule>
  DocumentRoot "/var/www/webs/REDACTED/icinga2.REDACTED.de"
  FcgidIdleTimeout 30
  SuexecUserGroup "REDACTED" "REDACTED"
  <Directory "/var/www/webs/REDACTED/icinga2.REDACTED.de/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/REDACTED/icinga2.REDACTED.de/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /awstats "/var/www/webs/REDACTED/awstats/icinga2.REDACTED.de"
  Alias /awstats-icon "/usr/share/awstats/icon/"
  LogLevel warn
  ErrorLog "/var/www/logs/REDACTED-icinga2.REDACTED-error.log"
  CustomLog "/var/www/logs/REDACTED-icinga2.REDACTED-access.log" combined
  Alias /icingaweb2 "/usr/share/icingaweb2/public"
  <Directory "/usr/share/icingaweb2/public">
      <FilesMatch "\.(php)$">
        SetHandler fcgid-script
        FcgidWrapper /var/www/php-fcgi-scripts/REDACTED/icinga2.REDACTED.de/php-fcgi-starter .php
        Options +ExecCGI
      </FilesMatch>
      Options SymLinksIfOwnerMatch
      AllowOverride None
      SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
      EnableSendfile Off
      <IfModule mod_rewrite.c>
          RewriteEngine on
          RewriteBase /icingaweb2/
          RewriteCond %{REQUEST_FILENAME} -s [OR]
          RewriteCond %{REQUEST_FILENAME} -l [OR]
          RewriteCond %{REQUEST_FILENAME} -d
          RewriteRule ^.*$ - [NC,L]
          RewriteRule ^.*$ index.php [NC,L]
      </IfModule>
      <IfModule !mod_rewrite.c>
          DirectoryIndex error_norewrite.html
          ErrorDocument 404 /error_norewrite.html
      </IfModule>
  </Directory>
</VirtualHost>

Can’t help you with that:
I use the original icingaweb.conf with an SSL-enabled vhost

cat /etc/apache2/conf-enabled/icingaweb2.conf
Alias /icingaweb2 "/usr/share/icingaweb2/public"

<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None

    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

    EnableSendfile Off

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>

    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /error_norewrite.html
    </IfModule>
</Directory>

As an additional note, because I set up a new server for a new Icinga master using Debian 12 with PHP 8.2 as FPM and was searching for the 401 response problem too:

(1)
If using FPM, the Icinga vhost may need the “forwarding” of authentication information from Apache to the FPM service

          # for authenticated access to director API
          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

(2)
In Debian 12, not all HTTP methods are allowed by default. Enable them with a Limit section inside the Icinga directory for icingaweb

          <Directory "/usr/share/icingaweb2/public">
            ...
              # for authenticated access to director API
              <Limit GET HEAD POST PUT DELETE>
                Order allow,deny
                allow from <your-ip-with-director-modification-access>
              </Limit>

              # for web ui access
              <Limit GET HEAD POST>
                Order allow,deny
                Allow from all
              </Limit>

              <LimitExcept GET HEAD POST PUT DELETE>
                Order deny,allow
                Deny from all
              </LimitExcept>
            ...
          </Directory>
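
Added example, not part of any post in this thread: a small Python check that reports whether a vhost runs PHP over FastCGI and whether it carries a directive that forwards the `Authorization` header, as point (1) of the last post describes. The sample configs are abridged or constructed from the ones posted above; `CGIPassAuth` and the FPM socket path are assumptions that do not appear in the thread, and the thread does not confirm which cause applied to the original 401.

```python
import re

# Handlers that run PHP outside Apache (mod_fcgid, or PHP-FPM via mod_proxy_fcgi).
FASTCGI = re.compile(r'^\s*SetHandler\s+"?(fcgid-script|proxy:\S*fcgi)', re.I | re.M)
# Directives that hand the Authorization header on to the PHP process.
FORWARD = [
    # the line quoted in the last post of the thread
    re.compile(r'^\s*SetEnvIf\s+Authorization\s+\S+\s+HTTP_AUTHORIZATION=', re.I | re.M),
    # Apache core directive (2.4.13+); not mentioned in the thread
    re.compile(r'^\s*CGIPassAuth\s+On\b', re.I | re.M),
]

def audit_vhost(conf):
    """Return (handler, forwards_auth); handler is None when PHP is not FastCGI."""
    # Drop comment lines so a commented-out directive does not count.
    active = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    m = FASTCGI.search(active)
    handler = None if not m else ("mod_fcgid" if m.group(1).lower() == "fcgid-script" else "proxy_fcgi")
    return handler, any(p.search(active) for p in FORWARD)

# Abridged from the first vhost in the thread (PHP through mod_fcgid).
FCGID_VHOST = r'''
<Directory "/usr/share/icingaweb2/public">
  <FilesMatch "\.(php)$">
    SetHandler fcgid-script
    Options +ExecCGI
  </FilesMatch>
  SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
</Directory>
'''

# Constructed FPM variant carrying the SetEnvIf line; the socket path is an assumption.
FPM_VHOST = r'''
<Directory "/usr/share/icingaweb2/public">
  <FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
  </FilesMatch>
  # for authenticated access to director API
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</Directory>
'''

if __name__ == "__main__":
    for name, conf in (("fcgid", FCGID_VHOST), ("fpm", FPM_VHOST)):
        print(name, audit_vhost(conf))
```

A result of `(handler, False)` with a FastCGI handler means Basic credentials sent by curl may never reach Icinga Web 2, which then answers 401 regardless of the user's permissions.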