Question about CSR Auto-signing

Hello,

I need some explanation about CSR auto-signing.
I'm in a 3-level cluster (master / satellite / agent).
For the record, I was until then in a 2-level setup (master / agent) and I didn't have this problem.
I use an Ansible playbook to install and register my agent: after installing the Icinga2 binaries (Windows / Linux, whatever) my Ansible server makes an API call on the master to get a ticket and sends the "node setup" command with this ticket.
In the 2-level scenario: no problem.

Like I said, now I'm in the 3-level scenario, so I need to reconfigure my agents to speak with satellites instead of masters.
So I modified my Ansible playbook to configure the agent to speak with the satellite BUT still ask the master for the ticket.
Here are the tasks in execution order:

  • API call to get ticket with CN=[agent_fqdn]
  • Generate the autosign certificate with:
    icinga2 pki new-cert
    --cn [agent_fqdn]
    --key /var/lib/icinga2/certs/[agent_fqdn].key
    --cert /var/lib/icinga2/certs/[agent_fqdn].crt
  • Ask for the parent certificate (it asks the 'parent' satellite for it)
    icinga2 pki save-cert
    --host [satellite_fqdn]
    --port 5665
    --key /var/lib/icinga2/certs/[agent_fqdn].key
    --cert /var/lib/icinga2/certs/[agent_fqdn].crt
    --trustedcert /var/lib/icinga2/certs/master.crt
  • Node setup
    icinga2 node setup
    --zone [agent_fqdn]
    --endpoint [satellite_fqdn],[satellite_fqdn],5665
    --endpoint [satellite2_fqdn],[satellite_fqdn],5665
    --parent_host [satellite_fqdn],5665
    --parent_zone [satellite_zone]
    --cn agent_fqdn
    --accept-config
    --accept-commands
    --disable-confd
    --trustedcert /var/lib/icinga2/certs/master.crt
    --ticket [ticket_from_master_requested_before]
  • Restart the icinga2 service

During those steps, I follow the logs on the satellite node and I can see several lines like below:

information/ApiListener: Reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665'
[2024-12-19 15:21:34 +0100] warning/ApiListener: Certificate validation failed for endpoint 'agent_fqdn': code 18: self-signed certificate
[2024-12-19 15:21:34 +0100] information/ApiListener: New client connection for identity 'agent_fqdn' to [10.32.6.2]:5665 (certificate validation failed: code 18: self-signed certificate)
[2024-12-19 15:21:49 +0100] critical/ApiListener: Timeout while reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665', cancelling attempt
[2024-12-19 15:21:49 +0100] information/ApiListener: Finished reconnecting to endpoint 'agent_fqdn' via host '10.32.6.2' and port '5665'

So from what I understand, despite the ticket provided, the auto-signing seems not to be working…
If I check on the master, I don't have a CSR waiting for approval.
If I re-run the process, auto-signing continues not to work, but then I do have the CSR waiting on the master…

I'm pretty sure I don't understand something in this process despite several reads of the doc here:
https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#csr-auto-signing

If someone has some explanation for me :slight_smile:

Thank you in advance
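An added diagnostic for the ticket step in the procedure above (example code, not from this thread and not Icinga's own code): given the master's TicketSalt, it recomputes the ticket for a CN and tells you which spelling of the agent name a ticket was actually issued for, so a mismatch between the CN used in the API call and the `--cn` given to `node setup` can be spotted on the master. It assumes the derivation `icinga2 pki ticket` uses is PBKDF2-HMAC-SHA1 with 50000 iterations and a 20-byte hex-encoded key; the salt and host names are constructed values.

```python
import hashlib
import hmac

# Icinga 2 derives an agent ticket from the CN and the master's TicketSalt
# constant: PBKDF2-HMAC-SHA1, 50000 iterations, 20-byte key, hex-encoded.
# That derivation is this example's assumption about `icinga2 pki ticket`;
# the thread itself does not state it.
PBKDF2_ITERATIONS = 50000
TICKET_BYTES = 20

# Constructed salt for the demo. The real one lives in constants.conf on the
# master only and must never be copied to agents or satellites.
DEMO_SALT = "constructed-demo-salt-not-a-real-one"


def generate_ticket(cn: str, ticket_salt: str) -> str:
    """Recompute the ticket the master's /v1/actions/generate-ticket hands out for `cn`."""
    raw = hashlib.pbkdf2_hmac("sha1", cn.encode("utf-8"),
                              ticket_salt.encode("utf-8"),
                              PBKDF2_ITERATIONS, dklen=TICKET_BYTES)
    return raw.hex()


def verify_ticket(cn: str, ticket: str, ticket_salt: str) -> bool:
    """Constant-time check that `ticket` was issued for exactly this CN (case-sensitive)."""
    expected = generate_ticket(cn, ticket_salt)
    return hmac.compare_digest(expected, ticket.strip().lower())


def find_ticket_cn(ticket: str, candidate_cns, ticket_salt: str):
    """Return the candidate CN a ticket was issued for, or None.

    A playbook that fetches the ticket under one spelling of the name and runs
    `node setup --cn` with another (short name vs. FQDN, case, typo) produces a
    CSR whose CN does not match the ticket; the master then parks that request
    for manual approval instead of auto-signing it.
    """
    for cn in candidate_cns:
        if verify_ticket(cn, ticket, ticket_salt):
            return cn
    return None


if __name__ == "__main__":
    fqdn = "agent01.example.internal"          # constructed agent name
    ticket = generate_ticket(fqdn, DEMO_SALT)   # what the master API would return
    used_cn = "agent01"                         # CN the agent actually passed to node setup
    print("ticket valid for", used_cn, "?", verify_ticket(used_cn, ticket, DEMO_SALT))
    print("ticket was issued for:", find_ticket_cn(ticket, [used_cn, fqdn], DEMO_SALT))
```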

Here is an extract of the procedure that works for me (procedure for Windows servers with Linux master):

Conventions:

SERVER = the server on which the agent is being configured
MASTER = the server running the Icinga Certificate Authority
FQDN = the fully-qualified DNS name of the server on which the agent is being configured

  • Open an SSH session on MASTER, switch user to root, and copy the following file from MASTER to SERVER, to directory C:\ProgramData\icinga2\var\lib\icinga2\certs:

/var/lib/icinga2/certs/ca.crt

  • On SERVER, open a PowerShell prompt run as Admin, change directory to C:\ProgramData\icinga2\var\lib\icinga2\certs and run the following commands:
    • $FQDN = [System.Net.Dns]::Resolve($null).HostName
    • $CERT_DIR = "C:\ProgramData\icinga2\var\lib\icinga2\certs"
    • cd "C:\Program Files\ICINGA2\sbin"
    • .\icinga2.exe pki new-cert --cn $FQDN --key $CERT_DIR\$FQDN.key --csr $CERT_DIR\$FQDN.csr
    • The output should be:

information/base: Writing private key to 'FQDN.key'.
information/base: Writing certificate signing request to 'FQDN.csr'.

  • On MASTER in the SSH session, change directory to any work directory (/tmp for instance), and:
    • Copy there the FQDN.csr file just created on SERVER
    • Run the following command:

icinga2 pki sign-csr --csr ./FQDN.csr --cert ./FQDN.crt

  • Copy FQDN.crt (just created) from MASTER to SERVER, to directory C:\ProgramData\icinga2\var\lib\icinga2\certs

Thanks for your answer and sorry for the late reply.
This is approximately what I'm doing on Linux, but without generating a CSR and manually copying files. I need a fully automated process, but sadly mine is not 100% working…

Maybe use or lift from lfops/roles/icinga2_agent/tasks/main.yml at 3e91ec650db47071c48af7a1ba48dd247de79934 · Linuxfabrik/lfops · GitHub.