Hello,
I need some explanation about CSR auto-signing.
I'm in a 3-level cluster (master / satellite / agent).
For the record, I was until then in a 2-level setup (master / agent) and I didn't have this problem.
I use an Ansible playbook to install and register my agent: after installing the Icinga2 binaries (Windows / Linux, whatever), my Ansible server makes an API call on the master to get a ticket and sends the "node setup" command with this ticket.
In the 2-level scenario: no problem.
Like I said, now I'm in a 3-level scenario, so I need to reconfigure my agents to speak with satellites instead of masters.
So I modified my Ansible playbook to configure the agent to speak with the satellite BUT continue to ask the master for the ticket.
Here are the tasks in execution order:
- API call to get a ticket with CN=[agent_fqdn]
- Generate the self-signed certificate with:

```shell
icinga2 pki new-cert \
  --cn [agent_fqdn] \
  --key /var/lib/icinga2/certs/[agent_fqdn].key \
  --cert /var/lib/icinga2/certs/[agent_fqdn].crt
```

- Ask for the parent certificate (it asks the satellite 'parent'):

```shell
icinga2 pki save-cert \
  --host [satellite_fqdn] \
  --port 5665 \
  --key /var/lib/icinga2/certs/[agent_fqdn].key \
  --cert /var/lib/icinga2/certs/[agent_fqdn].crt \
  --trustedcert /var/lib/icinga2/certs/master.crt
```

- Node setup:

```shell
icinga2 node setup \
  --zone [agent_fqdn] \
  --endpoint [satellite_fqdn],[satellite_fqdn],5665 \
  --endpoint [satellite2_fqdn],[satellite_fqdn],5665 \
  --parent_host [satellite_fqdn],5665 \
  --parent_zone [satellite_zone] \
  --cn agent_fqdn \
  --accept-config \
  --accept-commands \
  --disable-confd \
  --trustedcert /var/lib/icinga2/certs/master.crt \
  --ticket [ticket_from_master_requested_before]
```

- Restart the icinga2 service
During those steps, I follow the logs on the satellite node and I can see several lines like below:

```
information/ApiListener: Reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665'
[2024-12-19 15:21:34 +0100] warning/ApiListener: Certificate validation failed for endpoint 'agent_fqdn': code 18: self-signed certificate
[2024-12-19 15:21:34 +0100] information/ApiListener: New client connection for identity 'agent_fqdn' to [10.32.6.2]:5665 (certificate validation failed: code 18: self-signed certificate)
[2024-12-19 15:21:49 +0100] critical/ApiListener: Timeout while reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665', cancelling attempt
[2024-12-19 15:21:49 +0100] information/ApiListener: Finished reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665'
```
So from what I understand, despite the ticket provided, auto-signing seems not to be working...
If I check on the master, I don't have a CSR waiting for approval.
If I re-run the process, auto-signing continues not to work, but I do have the CSR waiting on the master...
I'm pretty sure I don't understand something in this process despite several reads of the doc here:
https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#csr-auto-signing
If someone has some explanation for me...
Thanks in advance.
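The enrolment sequence described in the post, as an added Python example that is not code from the post or from the Icinga project. It shows the two pieces that make CSR auto-signing succeed or fail: the ticket itself, which Icinga 2 derives from the agent CN and the signing master's `TicketSalt` with PBKDF2-HMAC-SHA1 (50000 iterations, 20-byte output, hex), so the master can only accept it if it recomputes the same value for the same CN with the same salt; and the three CLI calls from the post, assembled as argv lists with plain `--` flags so a playbook passes them verbatim. The hostnames, the `/var/lib/icinga2/certs` path, the salt and the credentials are assumptions; the `POST /v1/actions/generate-ticket` call is the API action the post's "API call to get ticket" step refers to. Compare `generate_ticket()` against `icinga2 pki ticket --cn <cn> --salt <salt>` on your own master before relying on it.

```python
"""CSR auto-signing ticket and agent enrolment sequence (added example)."""
import hashlib
import hmac
import json
import subprocess
import urllib.request
from typing import List

# Icinga 2 derives the ticket from the CN and the master's TicketSalt with
# PBKDF2-HMAC-SHA1, 50000 iterations, 20-byte output, hex-encoded.
PBKDF2_ITERATIONS = 50000
PBKDF2_DKLEN = 20
CERT_DIR = "/var/lib/icinga2/certs"  # assumed default certificate directory


def generate_ticket(cn: str, salt: str) -> str:
    """Same value as `icinga2 pki ticket --cn CN --salt SALT`."""
    dk = hashlib.pbkdf2_hmac("sha1", cn.encode(), salt.encode(),
                             PBKDF2_ITERATIONS, dklen=PBKDF2_DKLEN)
    return dk.hex()


def verify_ticket(cn: str, salt: str, presented: str) -> bool:
    """What the signing master does with a CSR: recompute and compare.
    A different CN or a different salt on the verifying node yields False."""
    return hmac.compare_digest(generate_ticket(cn, salt), presented)


def request_ticket(master: str, user: str, password: str, cn: str) -> str:
    """Ask the master for a ticket via the API (the post's first step).
    Network call; master, user and password are assumptions."""
    url = f"https://{master}:5665/v1/actions/generate-ticket"
    body = json.dumps({"cn": cn}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(pw_mgr))
    with opener.open(req) as resp:
        return json.load(resp)["results"][0]["ticket"]


def enrollment_commands(agent_fqdn: str, satellite_fqdns: List[str],
                        satellite_zone: str, ticket: str,
                        cert_dir: str = CERT_DIR) -> List[List[str]]:
    """The three icinga2 CLI calls from the post, as argv lists.
    The first satellite is the one the agent fetches the parent cert from."""
    key = f"{cert_dir}/{agent_fqdn}.key"
    crt = f"{cert_dir}/{agent_fqdn}.crt"
    trusted = f"{cert_dir}/master.crt"
    new_cert = ["icinga2", "pki", "new-cert",
                "--cn", agent_fqdn, "--key", key, "--cert", crt]
    save_cert = ["icinga2", "pki", "save-cert",
                 "--host", satellite_fqdns[0], "--port", "5665",
                 "--key", key, "--cert", crt, "--trustedcert", trusted]
    setup = ["icinga2", "node", "setup", "--zone", agent_fqdn]
    for sat in satellite_fqdns:  # one --endpoint per satellite, host == name
        setup += ["--endpoint", f"{sat},{sat},5665"]
    setup += ["--parent_host", f"{satellite_fqdns[0]},5665",
              "--parent_zone", satellite_zone,
              "--cn", agent_fqdn,
              "--accept-config", "--accept-commands", "--disable-confd",
              "--trustedcert", trusted,
              "--ticket", ticket]
    return [new_cert, save_cert, setup]


def run_enrollment(agent_fqdn: str, satellite_fqdns: List[str],
                   satellite_zone: str, ticket: str) -> None:
    """Execute the sequence on the agent, then restart the service."""
    for argv in enrollment_commands(agent_fqdn, satellite_fqdns,
                                    satellite_zone, ticket):
        subprocess.run(argv, check=True)
    subprocess.run(["systemctl", "restart", "icinga2"], check=True)


if __name__ == "__main__":
    # Constructed sample values, not real hosts or a real salt.
    salt = "example-ticket-salt"
    cn = "agent01.example.org"
    t = generate_ticket(cn, salt)
    print("ticket:", t, "valid:", verify_ticket(cn, salt, t))
    for argv in enrollment_commands(cn, ["sat01.example.org", "sat02.example.org"],
                                    "satellite-zone", t):
        print(" ".join(argv))
```

`verify_ticket()` is the useful check when auto-signing silently does nothing: compute the ticket on the node that actually signs (the one holding `ca.key`) with that node's `TicketSalt` and compare it with what the agent presented; a mismatch means the two sides disagree on the CN or the salt, not that the CSR never arrived.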