Master, Master HA setup and ca.crt

Hi Icinga Community,

I hope you are all fit and healthy and not being driven crazy by the self-isolating.

Here is a question hope someone can answer.

In the icinga docs here: signing-certificates-on-the-master.

The first paragraph reads:

  • This CA is generated during the master setup and should be the same on all master instances.

This implies that I should copy /var/lib/icinga2/ca/ca.crt from the PRIMARY MASTER to the SECONDARY MASTER.

Is this correct? I read this comment (https://community.icinga.com/t/icinga2-director-configuration-in-ha-master-setup/2471) on this forum that the ca.crt should only reside on one master (see comments from @dnsmichi).

So my question is… Should I copy the ca.crt to the secondary master?

Kind regards
Peter

Yes, please copy the same. Don’t copy it anywhere else.

Thanks @radioactive9

I copied mstr01:/var/lib/ca/ca.crt to mstr02:/var/lib/ca/ca.crt

I have a similar problem, where the secondary master’s icinga2 log shows:

critical/SSL: Could not open CA key file '/var/lib/icinga2/ca/ca.key': 33558530, "error:02001002:system library:fopen:No such file or directory"
critical/SSL: Error on bio X509 AUX reading pem file '/var/lib/icinga2/ca/ca.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"

I don’t see any impact. Does anyone know the purpose of having this file on the secondary master, and whether it would cause any problem if it is not there?

Thanks

The contents of /var/lib/icinga2/ca are used for signing certificate requests of other nodes. Having it on only one master works fine; however, you won’t have redundancy for signing new certificates, but this should be tolerable under most circumstances.

This shouldn’t give any errors though, so if you’re using a current version, it might be worth opening an issue over at GitHub.

Thanks for the information. It’s on 2.5.4, so I’m trying to figure out the significance of ‘ca.crt’ on the secondary node, since it is showing in the log.