Master and satellite communication issue (certificate issue)

HI Guys,
i have deployed satellite on new cluster but there is one certificate issue i’m facing using selfsigned certificate error and step i gone through are mentioned below if anyone know about this issue please help me to resolve this issue

issue from icinga2 log screenshot

step followed

deployed satelilte container on new cluster

  1. zone.conf added with endpoint and host
  2. using selfsigned certificate like this
    sudo icinga2 pki new-cert --cn 10.20.xx.xx --key /var/lib/icinga2/certs/10.20.xx.xx.key --cert /var/lib/icinga2/certs/10.20.xx.xx.crt
    and the certificate is available in both master and satellite.
  3. signed approved from master node command is icinga2 ca sign
  4. checked ping and telnet from satellite server its working
    please help me if any steps are missed from my side . any additional information required please let me know

Thank you.

I suggest trying the icinga2 node wizard command on the satellite to connect to the existing master.
The wizard will ask for the necessary information that you need to provide and does the rest (config creation, service restart) by itself.
Agent/Satellite Setup on Linux

@log1c thanks for your reply on this issue ,
actually I tried that , and our satellite is container , is this because i’m using self signed certificate would that be the issue? i didn’t configured this satellite before,

Yes, that is the issue.
The communication between the master and the satellite only works if the satellite has a certificate signed by the masters CA.

When I played around a bit with Icinga in containers I used this:

# create cert path with the correct permissions
mkdir -p /var/lib/icinga2/certs
chown -R icinga:icinga /var/lib/icinga2/certs

# create satellite cert
# CN = Hostname des Servers
icinga2 pki new-cert --cn $(hostname --fqdn) --key /var/lib/icinga2/certs/$(hostname --fqdn).key --cert /var/lib/icinga2/certs/$(hostname --fqdn).crt

#### request cert from master
icinga2 pki save-cert --trustedcert /var/lib/icinga2/certs/trusted-parent.crt --host ${IC_MASTER_CN}

# Node Setup for Satelliten
icinga2 node setup --cn $(hostname --fqdn) \
--endpoint ${IC_MASTER_CN} \
--zone ${IC_SAT_ZONE_NAME} \
--parent_zone master \
--parent_host ${IC_MASTER_CN} \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--accept-commands --accept-config --disable-confd

systemctl restart icinga2

# Afterwards:
# sign satellite cert on master
#   1. icinga2 ca list
#   2. icinga2 ca sign <finerprint for satellit>
# Insert Satellite zone into masters /etc/icinga2/zones.conf
#cat << EOF >> /etc/icinga2/zones.conf
#object Endpoint "${IC_SAT_HOST_NAME}" {
#object Zone "${IC_SAT_ZONE_NAME}" {
#        endpoints = [ "${IC_SAT_HOST_NAME}" ]
#        parent = "master"

thank you i will follow the instruction and update here .