Received certificate request for CN 'icinga-agent' not signed by our ca

Hey guys

I set up a distributed monitoring setup, with local Docker containers to test my Ansible role.
But when I sign the certificate from the agent through satellite1 to the master, I get a “not signed by our ca” message. I’m pretty sure it’s the right CA; I checked the md5sum of all CA certs several times and they are the same.
I try to sign the certificates with the CLI (pki) command.

icinga master log:
[2020-02-12 08:51:02 +0100] information/JsonRpcConnection: Received certificate request for CN ‘icinga-agent’ not signed by our CA.
[2020-02-12 08:51:02 +0100] information/JsonRpcConnection: Certificate request for CN ‘icinga-agent’ is pending. Waiting for approval.

icinga-satellite1 log:
[2020-02-12 08:56:55 +0100] information/JsonRpcConnection: Received certificate request for CN ‘icinga-agent’ not signed by our CA.
[2020-02-12 08:56:55 +0100] information/JsonRpcConnection: Sending certificate response for CN ‘icinga-agent’ to endpoint ‘icinga-agent’.
[2020-02-12 08:56:55 +0100] warning/JsonRpcConnection: API client disconnected for identity ‘icinga-agent’

Ansible code:
```yaml
- name: gather ticket from master
  command: /usr/sbin/icinga2 pki ticket --cn icinga-agent
  register: icinga2_ticket
  delegate_to: "icinga-master"

- name: create cert and key on client
  command: icinga2 pki new-cert --cn icinga-agent --key /var/lib/icinga2/certs/icinga-agent.key --cert /var/lib/icinga2/certs/icinga-agent.crt

- name: get trustedcert from parent node
  command: icinga2 pki save-cert --host icinga-satellite1 --trustedcert /var/lib/icinga2/certs/icinga-satellite1.crt

- name: send csr request to parent node
  command: icinga2 pki request --host icinga-satellite1 --ca /var/lib/icinga2/certs/ca.crt --key /var/lib/icinga2/certs/icinga-agent.key --cert /var/lib/icinga2/certs/icinga-agent.crt --trustedcert /var/lib/icinga2/certs/icinga-satellite1.crt --ticket {{ icinga2_ticket.stdout }}
```

I got the same message when I used the node wizard for signing.
Hopefully someone can help me.
BR
Thaja

Hi,

This would indicate that either the CSR does not include a ticket, or something else is wrong on the master. Enable the debug log to gather more insights on the master.

Cheers,
Michael

Hi,

Thanks, it was actually a wrong configuration on the master.

BR
Thaja

Hi,

Can you please share which configuration was wrong on the master? Others who seek help can benefit from your solution :slight_smile:

Cheers,
Michael

1 Like

Hi

Sure
I have an HA satellite setup and there were two syntax errors in the /etc/icinga2/zones.conf file, which actually caused the problem. It was rendered wrong through my Ansible code.
I went through these steps again https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/#three-levels-with-masters-satellites-and-agents and found the syntax problem.
The debug log was also saying that “Not connecting to Zone ‘icinga-agent’ because it’s not in the same zone, a parent or a child zone.”.
After that fix, the certificate was valid for signing.

BR
Thaja

2 Likes
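As an added example (not part of the thread and not Icinga's own code), this Python check tests a rendered zones.conf against the rule quoted from the debug log: two endpoints must sit in the same zone or in directly related parent/child zones. The sample configuration, the zone names "master" and "satellite", and the regex-based parser are constructed assumptions; it only handles simple `object Endpoint` / `object Zone` blocks, and `icinga2 daemon -C` remains the actual syntax check.

```python
import re

# Constructed sample: master, HA satellite zone, agent (names are assumptions).
SAMPLE = """
object Endpoint "icinga-master" { host = "icinga-master" }
object Endpoint "icinga-satellite1" { host = "icinga-satellite1" }
object Endpoint "icinga-satellite2" { host = "icinga-satellite2" }
object Endpoint "icinga-agent" { }
object Zone "master" { endpoints = [ "icinga-master" ] }
object Zone "satellite" {
  endpoints = [ "icinga-satellite1", "icinga-satellite2" ]
  parent = "master"
}
object Zone "icinga-agent" {
  endpoints = [ "icinga-agent" ]
  parent = "satellite"
}
"""
OBJ_RE = re.compile(r'object\s+(Endpoint|Zone)\s+"([^"]+)"\s*\{([^}]*)\}')

def parse(text):
    """Return (endpoint names, {zone name: (member endpoints, parent or None)})."""
    endpoints, zones = set(), {}
    for kind, name, body in OBJ_RE.findall(text):
        if kind == "Endpoint":
            endpoints.add(name)
            continue
        members = re.search(r'endpoints\s*=\s*\[([^\]]*)\]', body)
        parent = re.search(r'parent\s*=\s*"([^"]+)"', body)
        zones[name] = (re.findall(r'"([^"]+)"', members.group(1)) if members else [],
                       parent.group(1) if parent else None)
    return endpoints, zones

def check(text, a, b):
    """List problems that would keep endpoints a and b from being related."""
    endpoints, zones = parse(text)
    problems, zone_of = [], {}
    for zname, (members, parent) in zones.items():
        if parent and parent not in zones:
            problems.append(f'zone "{zname}": parent "{parent}" is not defined')
        for ep in members:
            if ep not in endpoints:
                problems.append(f'zone "{zname}": no Endpoint object "{ep}"')
            zone_of[ep] = zname
    za, zb = zone_of.get(a), zone_of.get(b)
    if za is None or zb is None:
        problems.append(f'"{a}" or "{b}" is not a member of any zone')
    elif not (za == zb or zones[za][1] == zb or zones[zb][1] == za):
        problems.append(f'zones "{za}" and "{zb}" are not same/parent/child')
    return problems
```

Run against the file the role rendered, for example `check(open("/etc/icinga2/zones.conf").read(), "icinga-satellite1", "icinga-agent")`, an empty list means the satellite and agent zones are related as the three-level layout requires.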

Hi,

Glad you’ve found it, thanks for sharing :+1:

Cheers,
Michael