Does anybody know if there is a way to make a node setup for an agent without a connection from the agent to the master? We would like to only allow the connection from the master to the agent node, which works pretty well for the monitoring, but I can not find a way to make the node setup without a connection from the agent node to the master cluster at least once?
and then copy the certificate and the key into /var/lib/icinga2/certs on the agent node
The ca.crt from /var/lib/icinga2/ca may be needed as well.
Make sure that the CN in the certificate matches the FQDN of the machine and the certs are readable for icinga2.
After that, write a proper constants.conf and zones.conf and you are all set.
Try it manually with node wizard on the agent and see if that works. I'm pretty sure your parameters are wrong, as you need to tell the setup that you want to use the CAProxy feature somehow… I'm only using the agent on Windows servers with the PowerShell framework/module, so the parameters are different.
If you omit the --parent_host parameter, the CLI command will not attempt to connect to the parent endpoint for sending the signing request. Instead, you are asked to put the public ca.crt manually into /var/lib/icinga2/certs. The same method exists within the node wizard CLI command.
Excerpt from the CLI command code:
    /* If no parent connection was made, the user must supply the ca.crt before restarting Icinga 2. */
    if (!connectToParent) {
        Log(LogWarning, "cli")
            << "No connection to the parent node was specified.\n\n"
            << "Please copy the public CA certificate from your master/satellite\n"
            << "into '" << ca << "' before starting Icinga 2.\n";
    } else {
        Log(LogInformation, "cli", "Make sure to restart Icinga 2.");
    }
The --endpoint parameter takes care of adding the Endpoint name and host attribute, this isn’t done via --parent_host parameter in this specific case.
Seems like I don't need the CAProxy because I don't work with a satellite.
Thanks, that worked for the node setup. I also could sign the fingerprint, but now I get some errors on the master:
information/ApiListener: Reconnecting to endpoint 'agent-server.domain.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
warning/ApiListener: Certificate validation failed for endpoint 'agent-server.domain.com': code 18: self signed certificate
information/ApiListener: New client connection for identity 'agent-server.domain.com' to [xxx.xxx.xxx.xxx]:5665 (certificate validation failed: code 18: self signed certificate)
information/ApiListener: Finished reconnecting to endpoint 'agent-server.domain.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
information/JsonRpcConnection: Received certificate request for CN 'agent-server.domain.com' not signed by our CA.
information/JsonRpcConnection: Sending certificate response for CN 'agent-server.domain.com' to endpoint 'agent-server.domain.com'.
warning/JsonRpcConnection: API client disconnected for identity 'agent-server.domain.com'
With an icinga2 ca list --all I can see the signed fingerprint; seems like I have to wait for the server admin to look in his log…
Not so easy if you have no rights to the agent server, but after a second restart of the icinga2 service on the agent it now works. Maybe the agent needs a restart after signing the fingerprint?
But great that it now works, thank you all for your help!
@dnsmichi Do you know what icinga2 version is needed on an agent to use this way?
AFAIK 2.9 added the connection-less mode to node setup, and normally a restart is not necessary with reloading the TLS certificates in memory. But if it helps, why not.
I wouldn't recommend using agents older than 2.11 anyways, granted that the master is up to date with 2.11.2.
Hi, I have the same problem that the restart is required; good to know that it exists on Linux too:
It's a problem, because if someone installs the agent via autodeploy and has no access to Icinga, he needs to wait until the CSR is signed and then he needs to restart the service. So we always have the problem that two teams need to wait on each other.
I’m dealing with the same problem right now. For security reasons only the master can connect to the agent but the connection from agent to master is blocked by the firewall. So the agent can’t fetch a certificate from the master.
The agent node is running on Windows Server 2016. We don’t have satellites, just a master and several agent nodes.
I’ve tried the following based on that topic:
1. Manually created the certificate on the master and signed it
2. Copied those files on the agent node in C://ProgramData/icinga2/var/lib/icinga2/certs
3. From the master copied /var/lib/icinga2/ca.crt into the same folder on the agent node
4. Restart icinga service on agent node
Done.
But the service is not listening on port 5665.
I know using the wizard you can activate TCP Listener and choose on which port to listen for connections from the master and also tick boxes to accept commands+config from master.
For example, a telnet on port 5665 is not working (connection refused), but checking a tcpdump on the FW shows that the master talks to the agent regularly:
10:18:06.754847 IP master.node.31481 > agent.node.5665: S 1204321524:1204321524(0) win 64240 <mss 1460,sackOK,timestamp 2249854973 0,nop,wscale 7>
10:15:49.455990 IP agent.node.5665 > master.node.59786: R 0:0(0) ack 4132253520 win 0
I’m quite new to icinga and still learning a lot. It would be very appreciated if someone can push me in the right direction.
Hi Yonas, thanks for the quick reply. The api feature wasn't enabled, so I did that and restarted icinga2. The following features are enabled now: api, mainlog, notifications
It’s still not working. Do I miss any other api settings?
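As an added example (not taken from any post in this thread) of what a "proper" constants.conf, zones.conf and api feature look like for the master-to-agent-only direction discussed above: the master's Endpoint object for the agent carries the host attribute, while the agent's Endpoint object for the master deliberately omits it, so only the master ever opens the TCP connection, and the ApiListener object is what actually makes the agent listen on 5665. Hostnames and paths are placeholders (Linux paths; on Windows the same files live under the icinga2 ProgramData directory).

```icinga2
/* --- on the MASTER: /etc/icinga2/zones.conf (relevant objects only) --- */
object Endpoint "master.example.com" {
}

object Endpoint "agent.example.com" {
  // 'host' is set here: the master actively connects to the agent on 5665
  host = "agent.example.com"
  port = "5665"
}

object Zone "master" {
  endpoints = [ "master.example.com" ]
}

object Zone "agent.example.com" {
  endpoints = [ "agent.example.com" ]
  parent = "master"
}

/* --- on the AGENT: /etc/icinga2/constants.conf --- */
const NodeName = "agent.example.com"   // must equal the CN of the agent certificate
const ZoneName = NodeName

/* --- on the AGENT: /etc/icinga2/zones.conf --- */
object Endpoint "master.example.com" {
  // no 'host' attribute on purpose: the agent never dials out to the master,
  // it only accepts the master's inbound connection after validating its cert
}

object Endpoint NodeName {
}

object Zone "master" {
  endpoints = [ "master.example.com" ]
}

object Zone ZoneName {
  endpoints = [ NodeName ]
  parent = "master"
}

/* --- on the AGENT: /etc/icinga2/features-available/api.conf ---
   enable with 'icinga2 feature enable api'; without this object nothing listens */
object ApiListener "api" {
  // binds port 5665 on all interfaces by default; cert/key/ca are read from
  // /var/lib/icinga2/certs/<NodeName>.crt, <NodeName>.key and ca.crt
  accept_commands = true   // let the master schedule checks on this agent
  accept_config = true     // optional: receive zone config pushed by the master
}
```

A quick sanity check on the agent after writing these files is icinga2 daemon -C, which validates the config and reports a mismatch between NodeName and the certificate files before you restart the service.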
So what exactly is the error you're getting now? Unfortunately, it's hard to say what you're missing without seeing the actual error. Could you please share the relevant log entries from both Icinga endpoints here?
EDIT:
Since this topic is quite old, I would suggest you to create a new one and have this topic linked there…