Not able to sign ticket in ca list

Hello everybody

I'm currently struggling with adding another host to my master that is located in a DMZ.

The problem:
Whenever I create a ticket with "icinga2 pki ticket --cn 'hostname'" I get a ticket like "81944461c03731c633f4f94df9882ec90e1095e9", but when I try to sign it, it doesn't show up in "icinga2 ca list".

Can anyone help me?

In addition, I have already signed tickets in the past.

Hi @ExeLeNtCrypt,

If you are generating a CSR signing ticket, and specify it during the installation, you do not need to sign the ticket manually, as it is signed automatically when submitted to the Icinga CA node.

Certificate requests will only appear in icinga2 ca list if they are outstanding/unsigned.

1 Like

So I don't understand it right; maybe you can tell me what I'm doing wrong.
What I did:

  1. $ icinga2 pki ticket --cn 'msv91-srkome.medical-intern.com' 26ebf4526cc2a56bf66db125a36faabaca25379b

  2. PS C:\Program Files\ICINGA2\sbin> .\icinga2.exe node wizard
    Welcome to the Icinga2 Setup Wizard!
    We will guide you through all required configuration details.

    Please specify if this is a satellite/
    client setup ('n' installs a master setup) [Y/n]: y

    Starting the Client/Satellite setup routine...

    Please specify the common name (CN) [HOSTNAME.fq.dn]: hostname.fq.dn

    Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
    Master/Satellite Common Name (CN from your master/satellite node): master.fq.dn
    Do you want to establish a connection to the parent node from this node? [Y/n]: n
    Connection setup skipped. Please configure your parent node to
    connect to this node by setting the 'host' attribute for the node Endpoint object.
    Add more master/satellite endpoints? [y/N]: n
    No connection to the parent node was specified.

    Please copy the public CA certificate from your master/satellite
    into 'C:\ProgramData\icinga2\var/lib/icinga2/certs//ca.crt' before starting Icinga 2.
    Found public CA certificate in 'C:\ProgramData\icinga2\var/lib/icinga2/certs//ca.crt'.
    Please verify that it is the same as on your master/satellite.

    Please specify the API bind host/port (optional):
    Bind Host []:
    Bind Port []:

    Accept config from parent node? [y/N]: y
    Accept commands from parent node? [y/N]: y

    Reconfiguring Icinga...
    Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
    Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
    Done.

    Now restart your Icinga 2 daemon to finish the installation!

  3. Afterwards I put the ca.crt on the client in /certificat-requests

  4. Then I restarted both.

Since you didn’t tell the wizard to connect to the parent node, the ticket you generated isn’t actually used for anything. You want the ca in /certs instead of requests. If it can get that far, then you should see an option to sign it on the master.

If you specify to connect to the parent node, it’ll ask you to put that ticket in. Otherwise, it uses the ca.crt you copy over to identify the master and sends a certificate signing request to it when they initially connect.

2 Likes
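To make the two paths Blake describes concrete, here is an added example (not from this thread and not Icinga's own code) that models what the master does with an incoming CSR. It assumes, from my reading of the Icinga 2 source, that a ticket is PBKDF2-HMAC-SHA1 over the CN with the master's TicketSalt and 50000 iterations; the salt, CNs and the decision function are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: iteration count used by `icinga2 pki ticket` (from the Icinga 2 source, not this thread)
ITERATIONS = 50000


def make_ticket(cn: str, salt: str) -> str:
    """Derive the CSR ticket for a CN, i.e. what `icinga2 pki ticket --cn` prints on the master.

    Assumption: PBKDF2-HMAC-SHA1 with a 20-byte output, hex encoded (40 chars, as in the thread).
    """
    return hashlib.pbkdf2_hmac("sha1", cn.encode(), salt.encode(), ITERATIONS, dklen=20).hex()


def ticket_is_valid(cn: str, ticket: str, salt: str) -> bool:
    """Constant-time comparison against the ticket the master would derive for this CN."""
    return hmac.compare_digest(make_ticket(cn, salt), ticket.lower())


def handle_csr(cn: str, ticket: Optional[str], salt: str) -> str:
    """Constructed model of the master's decision when a node submits a CSR over the API.

    - valid ticket for that CN -> signed automatically, never shows up in `icinga2 ca list`
    - no ticket or wrong ticket -> stored as pending; shows up in `icinga2 ca list` for `icinga2 ca sign`
    - with no connection to the parent at all (the wizard answer in the thread), no CSR is ever submitted
    """
    if ticket and ticket_is_valid(cn, ticket, salt):
        return "auto-signed"
    return "pending (visible in icinga2 ca list)"


if __name__ == "__main__":
    # Constructed values; the real TicketSalt lives in constants.conf on the master.
    salt = "constructed-TicketSalt-not-a-real-one"
    cn = "client.fq.dn"
    t = make_ticket(cn, salt)
    print(cn, t, handle_csr(cn, t, salt))
    print(cn, "(no ticket)", handle_csr(cn, None, salt))
    # A ticket minted for one CN does not auto-sign a CSR for a different CN.
    print("other.fq.dn", t, handle_csr("other.fq.dn", t, salt))
```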

Hi!

Blake is totally right.

You might try to change the following from

Do you want to establish a connection to the parent node from this node? [Y/n]: n

to

Do you want to establish a connection to the parent node from this node? [Y/n]: Y

Which is not coincidentally set by default to [Y].

Regards

David

1 Like