Node wizard has no support for existing TLS certificate

My company is a telecommunications company and we have to sign a TLS certificate in order for the phones to work on the server. We are trying to set up distributed monitoring (master -> client). If I run the icinga2 node wizard on a bare-minimum install of CentOS 7 it works without a problem; however, if I run the icinga2 node wizard on one of our phone servers I get the error (see the ticket below).

We have around 400 phone servers right now and we want to install monitoring on all of them, but with them already having a TLS certificate I am unsure of what to do.

Is there a guide out there that will show me how to manually do the process without the wizard?

Here is the issue posted on github https://github.com/Icinga/icinga2/issues/7619

Describe the bug

If a TLS self-signed certificate already exists then the wizard will fail with
critical/cli: Failed to create new self-signed certificate for CN 'xxx.xxx.xxx.xxx'. Please try again.

To Reproduce

  1. Create a new bare-minimum CentOS install
  2. Create a TLS self-signed certificate
  3. Run icinga2 node wizard

Expected behavior

There should be an option to use an existing certificate. My company is trying to set up monitoring on our phone servers, and the phones use a TLS certificate that's on the server, so we can't just create a new one; we need the option to use the one that already exists.

Hi,

while you can use your own CA, I would not recommend it, have a read here:

I don’t understand the following statement:

Why is it a blocker to have multiple certificates on one server? Each certificate is used for its own purpose, e.g. for enabling TLS (SSL) on web-servers, mail gateways or for Icinga 2 cluster communication.

For example you have one certificate for a web server in /etc/nginx/ssl/cert.crt. There isn’t a problem to have another one solely for Icinga 2. Icinga 2 will create the certificate in the /var/lib/icinga2/certs, so your web server certificate is never touched by Icinga 2.

There are commands to create and sign the certificate and CSR manually, have a look here:
https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/#manual-certificate-creation

Best regards
Michael
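The manual flow that the docs link above describes, scripted as an added example (this is not code from the thread or from the Icinga project): the agent generates a key and CSR under Icinga's own certificate directory, the master signs the CSR with the cluster CA, and the signed certificate is copied back and checked before icinga2 is restarted. The CN `qube2`, the `/tmp/from-master` staging directory and the `/etc/nginx/ssl/cert.crt` application certificate are placeholders; the `icinga2 pki new-cert` and `icinga2 pki sign-csr` subcommands and the default `/var/lib/icinga2/certs` and `/var/lib/icinga2/ca` locations are the ones documented in the Icinga 2 manual (assumption: a release that ships those subcommands). `DRY_RUN=1` prints each command instead of running it, so the sequence can be reviewed before it touches a production phone server.

```shell
#!/bin/sh
# Added example, not from this thread or the Icinga project: manual agent
# certificate creation without `icinga2 node wizard`. Names and paths below
# are placeholders; the icinga2 pki subcommands are the documented ones.

CERT_DIR="${CERT_DIR:-/var/lib/icinga2/certs}"   # Icinga's own cert directory
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Guard for the point made in the reply above: the application's existing
# certificate must not live under CERT_DIR, otherwise the steps below could
# overwrite it. Returns 0 when the paths are separate, 1 when they overlap.
cert_paths_separate() {
    app_cert="$1"
    case "$app_cert" in
        "$CERT_DIR"/*)
            echo "refusing: $app_cert is inside $CERT_DIR" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Step 1, on the agent: private key plus a CSR (no self-signed certificate is
# produced on this path), written only under CERT_DIR.
agent_new_csr() {
    cn="$1"
    run icinga2 pki new-cert --cn "$cn" \
        --key "$CERT_DIR/$cn.key" \
        --csr "$CERT_DIR/$cn.csr"
}

# Step 2, on the master, after the CSR has been copied there: sign it with
# the cluster CA kept in /var/lib/icinga2/ca on the master.
master_sign_csr() {
    cn="$1"
    run icinga2 pki sign-csr --csr "$cn.csr" --cert "$cn.crt"
}

# Step 3, on the agent: place the signed certificate and the CA certificate
# in CERT_DIR. src_dir is wherever the files copied back from the master sit.
agent_install_cert() {
    cn="$1"
    src_dir="$2"
    run cp "$src_dir/$cn.crt" "$CERT_DIR/$cn.crt"
    run cp "$src_dir/ca.crt" "$CERT_DIR/ca.crt"
}

# Step 4, on the agent: confirm the installed certificate carries the expected
# CN and chains to the CA before restarting icinga2, so a bad copy is caught
# here rather than later as an unexplained cluster connection failure.
agent_verify_cert() {
    cn="$1"
    run openssl x509 -noout -subject -in "$CERT_DIR/$cn.crt"
    run openssl verify -CAfile "$CERT_DIR/ca.crt" "$CERT_DIR/$cn.crt"
}

# Usage on the agent, once the signed files are staged in /tmp/from-master:
#   cert_paths_separate /etc/nginx/ssl/cert.crt || exit 1
#   agent_new_csr qube2
#   (copy $CERT_DIR/qube2.csr to the master and run: master_sign_csr qube2)
#   agent_install_cert qube2 /tmp/from-master
#   agent_verify_cert qube2
```

The application certificate from the reply (the nginx example) is only ever read by the guard; every write in the script goes under `CERT_DIR`, which is the separation the reply describes.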

Over the last few hours I have realized that the issue is within the ISO being installed. Our phone servers have a custom ISO based on CentOS 7. I can sign an Apache certificate with openssl; however, icinga node wizard fails. I haven't been able to figure out why, and it doesn't appear to give me any further information as to why it's failing than the above error.

Doing it manually, this is what happens upon setup (sensitive info has been scrubbed):

[root@localhost ~]# icinga2 node setup --ticket xxxx \
--cn qube2 \
--endpoint xxxxx \
--zone qube2 \
--parent_zone master \
--parent_host xxxx \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--accept-commands --accept-config \
--disable-confd
information/cli: Requesting certificate with ticket 'xxxxxx'.
information/cli: Verifying parent host connection information: host 'xxxxxx', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'qube2'.
information/cli: Backup file '/var/lib/icinga2/certs//qube2.key.orig' already exists. Skipping backup.
information/base: Writing private key to '/var/lib/icinga2/certs//qube2.key'.
critical/cli: Failed to generate new self-signed certificate.

Update: the issue was due to the system I was on having an older kernel version; upgrading the kernel worked.

So your issue is solved? Could you check the "Solution" checkbox then? It shows other users that you don't need any more help, and they won't read through the whole thread just to find that it was solved already.

Welcome, by the way. I’m happy that your issue was solved. Have fun with Icinga!