Thank you both for the replies.
OK, that way is a lot of individual work, but I will try it if there is no integrated way with the icinga2 node setup.
Yes, that was my hope. So we tried it today with that:
icinga2 node setup \
--cn $CN \
--endpoint $ENDPOINT \
--endpoint $ENDPOINT2 \
--zone $CN \
--parent_zone master \
--parent_host $MASTER \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--accept-commands --accept-config
but we got the following error:
information/cli: Verifying parent host connection information: host 'master1.domain.com', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'agent-server.domain.com'.
information/cli: Backup file '/var/lib/icinga2/certs//agent-server.domain.com.key.orig' already exists. Skipping backup.
information/cli: Backup file '/var/lib/icinga2/certs//agent-server.domain.com.crt.orig' already exists. Skipping backup.
information/base: Writing private key to '/var/lib/icinga2/certs//agent-server.domain.com.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/certs//agent-server.domain.com.crt'.
information/cli: Verifying trusted certificate file '/var/lib/icinga2/certs/trusted-parent.crt'.
information/cli: Requesting a signed certificate from the parent Icinga node.
critical/cli: Cannot connect to host 'master1.domain.com' on port '5665'
critical/cli: Failed to fetch signed certificate from parent Icinga node 'master1.domain.com, 5665'. Please try again.
So to me it looks like the server would need to connect to the master once to request the signed certificate?