I am trying to use an Ansible playbook to automate the configuration of a client to my setup. The master is up and running how it should, and I am using Icinga version r2.10.3-1. I've attached my playbook:
- name: Icinga client setup automation
  hosts: all
  become: yes
  vars:
    icinga2_cn: "{{ inventory_hostname }}"
    icinga2_master: "master-hostname"
    icinga2_pki_path: "/var/lib/icinga2/certs/"
    icinga2_hostname: master-hostname-fqdn
    icinga2_port: 5665
  tasks:
    - name: Generate a ticket for client on Master
      connection: local
      shell: icinga2 pki ticket --cn {{ icinga2_cn }} --salt 12345
      register: icinga2_ticket
    - name: Create New Certificates
      shell: icinga2 pki new-cert --cn {{ icinga2_cn }} --key {{ icinga2_pki_path }}{{ icinga2_cn }} --cert {{ icinga2_pki_path }}{{ icinga2_cn }}.crt
    - name: Save master certificate
      shell: icinga2 save-cert --key {{ icinga2_pki_path }}.key --cert {{ icinga2_pki_path }}{{ icinga2_cn }}.crt --trustedcert {{ icinga2_pki_path }}ca.crt --host {{ icinga2_hostname }}
    - name: Run the node setup on the client
      shell: |
        icinga2 node setup \
          --endpoint {{ icinga2_hostname }} \
          --zone {{ icinga2_cn }} \
          --parent_host {{ icinga2_hostname }} \
          --trustedcert {{ icinga2_pki_path }}ca.crt \
    - name: Restart and enable Icinga service
      service:
        name: icinga2
        state: restarted
        enabled: true
My playbook fails on the last task, which is the icinga2 node setup, and I get the error I mentioned in the title of this post. The error includes "Peer cert does not match trusted cert" and also "Failed to fetch signed cert from parent Icinga node. Please try again."
One thing I noticed was that when I run the "openssl x509 -text -in" command on the cert for my client, the "Issuer" CN displays my client's hostname, when I believe it should display the Icinga CN instead, so I think this is part of the problem. Any advice to help resolve this problem would be appreciated.
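Added example (not part of the post above and not the poster's playbook): the agent-side bootstrap that the Icinga 2 CLI documents, as a standalone POSIX shell script. It passes a ticket generated on the master to "node setup", and before trusting the certificate that "pki save-cert" fetched over the network it compares the certificate's SHA-256 fingerprint with one read on the master out of band, which is the check that guards against exactly the "trusted cert" not being the master's real certificate. The hostnames, paths, environment-variable names, the ICINGA2_BOOTSTRAP_RUN guard and the helper functions (norm_fp, fingerprint_ok, ticket_ok, node_setup_cmd) are assumptions of this example; the icinga2 flags are the documented options of "pki new-cert", "pki save-cert" and "node setup".

```shell
#!/bin/sh
# Added example, not the playbook from the post: bootstrap one Icinga 2 agent
# against its master using a pre-generated ticket, and verify the parent
# certificate before trusting it. Hostnames, paths and variable names are
# placeholders/assumptions; the icinga2 flags are the documented CLI options.
set -eu

PKI_DIR="${PKI_DIR:-/var/lib/icinga2/certs}"
AGENT_CN="${AGENT_CN:-agent-hostname-fqdn}"          # CN of this agent (its FQDN)
MASTER_FQDN="${MASTER_FQDN:-master-hostname-fqdn}"   # parent endpoint name/host
MASTER_PORT="${MASTER_PORT:-5665}"
TRUSTED_CERT="$PKI_DIR/trusted-parent.crt"           # where save-cert stores the master cert

# Reduce an openssl fingerprint line ("SHA256 Fingerprint=AB:CD:...") or a bare
# "ab:cd:..." string to lowercase hex without colons so two copies compare equal
# regardless of how they were pasted.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Trust-on-first-use check: the certificate save-cert fetched over the network
# must match the fingerprint read on the master itself (out of band), e.g.
#   openssl x509 -noout -fingerprint -sha256 -in /var/lib/icinga2/certs/<master-cn>.crt
# Returns 0 on match, 1 on mismatch or empty expected value.
fingerprint_ok() {
    expected=$(norm_fp "$1")
    actual=$(norm_fp "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# `icinga2 pki ticket` prints 40 hex characters. Anything else (empty output,
# an error message captured by mistake) must not be passed to node setup.
ticket_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Build the node setup command line so the exact arguments can be inspected
# before they run. Values are single-quoted; they come from the operator, not
# from untrusted input.
node_setup_cmd() {
    printf "icinga2 node setup --ticket '%s' --cn '%s' --endpoint '%s' --zone '%s' --parent_zone master --parent_host '%s' --trustedcert '%s' --accept-commands --accept-config --disable-confd" \
        "$1" "$AGENT_CN" "$MASTER_FQDN" "$AGENT_CN" "$MASTER_FQDN" "$TRUSTED_CERT"
}

main() {
    ticket="${1:?usage: $0 <ticket> <expected master SHA-256 fingerprint>}"
    expected_fp="${2:?usage: $0 <ticket> <expected master SHA-256 fingerprint>}"
    ticket_ok "$ticket" || { echo "refusing to run: ticket is not 40 hex chars" >&2; exit 1; }

    # 1. Agent key and a self-signed placeholder certificate. Its Issuer is the
    #    agent's own CN until step 3 replaces it with a CA-signed one.
    icinga2 pki new-cert --cn "$AGENT_CN" \
        --key "$PKI_DIR/$AGENT_CN.key" --cert "$PKI_DIR/$AGENT_CN.crt"

    # 2. Fetch the master's certificate (TOFU) and verify it before trusting it.
    icinga2 pki save-cert --trustedcert "$TRUSTED_CERT" \
        --host "$MASTER_FQDN" --port "$MASTER_PORT"
    actual_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$TRUSTED_CERT")
    fingerprint_ok "$expected_fp" "$actual_fp" || {
        echo "refusing to run: $TRUSTED_CERT does not match the expected master fingerprint" >&2
        exit 1
    }

    # 3. Ask the master to sign the agent's request; the ticket authorises it.
    eval "$(node_setup_cmd "$ticket")"

    # 4. The signed certificate should now name the Icinga CA as Issuer.
    openssl x509 -noout -issuer -in "$PKI_DIR/$AGENT_CN.crt"
    systemctl restart icinga2
}

# Only run the bootstrap when explicitly requested, so the file can also be
# sourced to reuse the helpers.
if [ "${ICINGA2_BOOTSTRAP_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Usage: on the master run "icinga2 pki ticket --cn <agent-cn>" and "openssl x509 -noout -fingerprint -sha256 -in /var/lib/icinga2/certs/<master-cn>.crt", then on the agent run "ICINGA2_BOOTSTRAP_RUN=1 sh bootstrap.sh <ticket> <fingerprint>" (the file name is an assumption). Two points the script encodes: "pki new-cert" writes a self-signed certificate, so its Issuer is the agent's own CN until "node setup" has exchanged it for one signed by the master's CA, and "save-cert" just stores whatever certificate the peer presented, so the fingerprint comparison is the only thing that ties the trusted-parent file to the real master.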