Master and satellite communication issue (certificate issue)

Hi guys,
I have deployed a satellite on a new cluster, but I'm facing a certificate issue: a self-signed certificate error. The steps I went through are listed below. If anyone knows about this issue, please help me resolve it.

issue from icinga2 log screenshot

Steps followed

Deployed the satellite container on the new cluster

  1. zone.conf added with endpoint and host
  2. Using a self-signed certificate like this:
    sudo icinga2 pki new-cert --cn 10.20.xx.xx --key /var/lib/icinga2/certs/10.20.xx.xx.key --cert /var/lib/icinga2/certs/10.20.xx.xx.crt
    and the certificate is available on both master and satellite.
  3. Signed/approved from the master node; the command is icinga2 ca sign
  4. Checked ping and telnet from the satellite server; it's working.

Please help me if any steps are missing on my side. If any additional information is required, please let me know.

Thank you.

I suggest trying the icinga2 node wizard command on the satellite to connect to the existing master.
The wizard will ask for the necessary information that you need to provide and does the rest (config creation, service restart) by itself.
Agent/Satellite Setup on Linux

@log1c thanks for your reply on this issue.
Actually, I tried that, and our satellite is a container. Is this because I'm using a self-signed certificate? Would that be the issue? I didn't configure this satellite before.

Yes, that is the issue.
The communication between the master and the satellite only works if the satellite has a certificate signed by the master's CA.

When I played around a bit with Icinga in containers I used this:

# create cert path with the correct permissions
mkdir -p /var/lib/icinga2/certs
chown -R icinga:icinga /var/lib/icinga2/certs

# create satellite cert
# CN = hostname of the server
icinga2 pki new-cert --cn $(hostname --fqdn) --key /var/lib/icinga2/certs/$(hostname --fqdn).key --cert /var/lib/icinga2/certs/$(hostname --fqdn).crt

#### request cert from master
IC_MASTER_IP="1.2.3.4"
IC_MASTER_CN="host.name"
icinga2 pki save-cert --trustedcert /var/lib/icinga2/certs/trusted-parent.crt --host ${IC_MASTER_CN}

# Node setup for satellites
IC_SAT_ZONE_NAME="your-satellite-zone-name-here"
icinga2 node setup --cn $(hostname --fqdn) \
--endpoint ${IC_MASTER_CN} \
--zone ${IC_SAT_ZONE_NAME} \
--parent_zone master \
--parent_host ${IC_MASTER_CN} \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--accept-commands --accept-config --disable-confd

systemctl restart icinga2

###
# Afterwards:
# sign satellite cert on master
#   1. icinga2 ca list
#   2. icinga2 ca sign <fingerprint for satellite>
#
# Insert Satellite zone into masters /etc/icinga2/zones.conf
#
#IC_SAT_ZONE_NAME=""
#IC_SAT_HOST_NAME=""
#cat << EOF >> /etc/icinga2/zones.conf
#object Endpoint "${IC_SAT_HOST_NAME}" {
#}
#
#object Zone "${IC_SAT_ZONE_NAME}" {
#        endpoints = [ "${IC_SAT_HOST_NAME}" ]
#        parent = "master"
#}
#EOF
###
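
One way to tell whether a node certificate is still self-signed (as icinga2 pki new-cert leaves it) or has been issued by the master's CA, as an added example that is not part of the original posts. The function names cert_trust_status and make_demo_certs are hypothetical, the demo CA and CN sat.example are constructed, and the ca.crt location on a real node is assumed to be /var/lib/icinga2/certs/ca.crt.

```shell
#!/bin/sh
# Added example: classify a node certificate against the master's CA certificate.

# cert_trust_status CERT CA_CERT
# Prints ca-signed, self-signed, other-issuer or unreadable; returns 0 only for ca-signed.
cert_trust_status() {
    cert=$1 ca=$2
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || { echo unreadable; return 1; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null)
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo ca-signed                      # chain validates up to the given CA
    elif [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed; return 1          # issuer equals subject: never signed by the CA
    else
        echo other-issuer; return 1         # issued by a CA other than the one given
    fi
}

# make_demo_certs DIR: constructed throwaway CA plus two certificates for CN sat.example
make_demo_certs() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Stand-in for the master's CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Self-signed certificate, the state before the master has signed anything
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -subj "/CN=sat.example" -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
    # Same CN, but issued by the demo CA
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=sat.example" -keyout "$d/sat.key" -out "$d/sat.csr" 2>/dev/null
    openssl x509 -req -in "$d/sat.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/sat.crt" 2>/dev/null
}

# Usage on a node (paths assumed): script.sh /var/lib/icinga2/certs/<cn>.crt /var/lib/icinga2/certs/ca.crt
if [ "$#" -eq 2 ]; then cert_trust_status "$1" "$2"; fi
```

An expired certificate also fails openssl verify, so a result other than ca-signed is worth confirming with openssl x509 -noout -dates.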

@log1c
Thank you, I will follow the instructions and update here.