Problem with icinga2 ca list

Icinga 2
,
1

Hello monitoring masters,

I have added around 15 hosts to icinga longer time ago and everything work nicely.

Now I need to add some more hosts and it doesn’t work for me right now. When I type icinga2 ca list nowadays, it shows only “new” hosts. Those new doesn’t work and I am not able to connect them via Icinga Director.

 [root@myczvl0 david]# icinga2 ca list
Fingerprint                                                      | Timestamp                | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
e07cca27094543a526e36145882495XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Mar  1 09:09:29 2019 GMT |        | CN = 0bxxxxxxx.ux.mbid.cz
ee6e3cbbcf456c136e81bdcc4725c0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Mar 22 15:10:41 2019 GMT |        | CN = 6axxxxxxx.ux.mbid.cz

It used to show all my hosts that are still working in GUI.

[root@myczvl0 david]# icinga2 ca list
  
Fingerprint                                                      | Timestamp                | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 01:51:34 2018 GMT | *      | CN = xxxxxxxxxxdigd2.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 02:27:22 2018 GMT | *      | CN = xxxxxxxxxxdigd5.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 02:09:26 2018 GMT | *      | CN = xxxxxxxxxxdig4o.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 01:40:01 2018 GMT | *      | CN = xxxxxxxxxxdigd1.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 02:15:59 2018 GMT | *      | CN = xxxxxxxxxxdigd4.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 02:21:42 2018 GMT | *      | CN = xxxxxxxxxxxig5o.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 12:32:50 2018 GMT | *      | CN = xxxxxxxxxxelas1.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 16 15:46:24 2018 GMT |        | CN = xxxxxxxxxxbibl1.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 01:57:50 2018 GMT | *      | CN = xxxxxxxxxxdigd3.ux.mbid.cz
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | Nov 14 01:16:50 2018 GMT | *      | CN = xxxxxxxxxxdig00.ux.mbid.cz

I am not sure if two running processes are OK.

[root@myczvl0 david]# ps ax |grep icinga
19232 pts/4    R+     0:00 grep icinga
28472 ?        S      0:01 /usr/lib64/icinga2/sbin/icinga2 --no-stack-rlimit daemon -c /etc/icinga2/icinga2.conf -d -e /var/log/icinga2/error.log
28476 ?        Ssl    1:14 /usr/lib64/icinga2/sbin/icinga2 --no-stack-rlimit daemon -c /etc/icinga2/icinga2.conf -d -e /var/log/icinga2/error.log

I also tried to show process tree but it looks good to me.

[root@myczvl0 david]# pstree -l
init─┬─BESClient───5*[{BESClient}]
     ├─DCRobot.test.sh───java─┬─sar───sadc
     │                        └─23*[{java}]
     ├─atd
     ├─auditd───{auditd}
     ├─automount───4*[{automount}]
     ├─carbon-cache.py───2*[{carbon-cache.p}]
     ├─certmonger
     ├─chronyd
     ├─crond
     ├─dbus-daemon
     ├─dsmcad───2*[{dsmcad}]
     ├─httpd─┬─26*[httpd]
     │       └─2*[rotatelogs]
     ├─icinga2───6*[check_ping───ping]
     ├─icinga2───34*[{icinga2}]
     ├─irqbalance
     ├─midaemon
     ├─6*[mingetty]
     ├─mysqld_safe───mysqld───18*[{mysqld}]
     ├─nginx───2*[nginx]
     ├─oddjobd
     ├─ovcd─┬─agtrep───5*[{agtrep}]
     │      ├─ompolparm───9*[{ompolparm}]
     │      ├─opcacta───3*[{opcacta}]
     │      ├─opcle───{opcle}
     │      ├─opcmona───14*[{opcmona}]
     │      ├─opcmsga───12*[{opcmsga}]
     │      ├─opcmsgi───{opcmsgi}
     │      ├─ovbbccb───8*[{ovbbccb}]
     │      ├─ovconfd───10*[{ovconfd}]
     │      ├─rtmd───2*[{rtmd}]
     │      └─29*[{ovcd}]
     ├─ovirt-guest-age───3*[{ovirt-guest-ag}]
     ├─perfd───3*[{perfd}]
     ├─php-fpm───15*[php-fpm]
     ├─python─┬─python─┬─ptymonitor───bash
     │        │        └─12*[{python}]
     │        └─{python}
     ├─qemu-ga
     ├─rpc.statd
     ├─rpcbind
     ├─scopeux
     ├─2*[screen───2*[bash]]
     ├─2*[sendmail]
     ├─sshd───sshd───sshd───bash───sudo───root───pstree
     ├─sssd─┬─sssd_be
     │      ├─sssd_nss
     │      ├─sssd_pac
     │      ├─sssd_pam
     │      ├─sssd_ssh
     │      └─sssd_sudo
     ├─supervisord───gunicorn───2*[gunicorn───4*[{gunicorn}]]
     ├─ttd
     ├─tuned
     └─udevd───2*[udevd]

As you can see bellow - hosts that are not shown in list still work otherwise new one doesn’t.

image
image.png573×588 34.9 KB

More information about my installation

icinga2 - The Icinga 2 network monitoring daemon (version: r2.10.2-1)

Copyright (c) ...

System information:
  Platform: Red Hat Enterprise Linux Server
  Platform version: 6.10 (Santiago)
  Kernel: Linux
  Kernel version: 2.6.32-754.10.1.el6.x86_64
  Architecture: x86_64

Build information:
  Compiler: GNU 4.8.2

I can add more information that you ask for.

I clearly don’t know where is the problem and what can I do next. It seems to me like there are two ca lists - one is hidden and working and second is visible that doesn’t work but I don’t know how to investigate this.

Thank you for any advice where to look or how to solve this.

Best,

Stepan

2

Hi,

the CA list has a cleanup mechanism in place, requests which are older than 1 week, are deleted by default. That being said, you will only see the current signing requests - it cannot act as an inventory for already signed requests.

The entry from March 22nd isn’t signed, so the connection won’t be established working for any cluster communication. You may of course configure the agent inside the Director, but that will turn into unknown on check execution/connect.

Sign the request, restart Icinga and then add this node via the Director - does that work?

Cheers,
Michael

2 Likes
3

Hi Michael.

I was focused to details and forgot to do basic step.
Thank you also for clearing how ca list work and for your work on Icinga.

Cheers,
Stepan

1 Like
4

Hi,

it is not the first time asked, so I’ve added it to the docs for the next version: https://github.com/Icinga/icinga2/pull/7046 :slight_smile:

Cheers,
Michael

1 Like