Renew Agent Certificate


We use Icinga with one master, several satellites and many endpoints.

Because the Ubuntu we use for the master is running out of support soon, we have to renew the master with a new Ubuntu.

I tried this with a test machine. Config was copied without bigger problems, but now I have a big issue with certificates.

When I enable the new master, all trust between master and satellite is gone because of the new certificate the master has.

Now I can re-run node wizard on all satellites to get a new certificate on them. This also works fine, because config is re-submitted over zone-config.

But after all that, Windows agents don’t trust the satellites any longer.

Is there a way to renew certificates on the Windows agent side, like re-running the node wizard on the satellites, without completely uninstalling and reinstalling the agent?

P.S.: At the moment I’m only using Icinga Agent. So the new Icinga for Windows is NOT installed on the target systems.

When I replaced the master server, I had to remove the certificates on the agents and re-run the agent script. When you re-run the agent script, it will say what to do (remove the crt, key and something else files, not the other stuff). Removing the agents is not necessary.

Can you move a copy of your Root CA from the original master over to the new master (/var/lib/icinga2/ca)?

Disclaimer - Please make a backup of your Master in case of problems.

Hello JWells,

Thanks for your answer. I’ll try this tomorrow morning and give you feedback.

Hello Alex,

I tried this before. When I copy the cert from the old to the new server, everything is fine for the first moment. But then it’s not possible to add new satellites to this config, because Icinga seems to recognize that the cert is “compromised”.
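
Added example, not part of the thread: a self-contained shell sketch of why a node certificate issued under the old master's CA is rejected once the master has a freshly generated CA, and how to compare CA fingerprints before and after a rebuild. It uses only throwaway certificates in a temp directory; the CN, the agent name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All keys and certificates are throwaway
# test material created in a temp directory. The CN "Icinga CA" and the agent
# name are constructed sample values.

# make_ca DIR: self-signed CA in DIR (stand-in for /var/lib/icinga2/ca)
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Icinga CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue CA_DIR OUT_PREFIX CN: certificate for CN signed by the CA in CA_DIR
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$2.crt" >/dev/null 2>&1
}

# chains_to CA_CERT CERT: exit 0 only if CERT was issued by CA_CERT
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_CERT: value to compare between old and new master
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# rebuild_demo: agent enrolled under the old CA, checked against both CAs
rebuild_demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d/old" && make_ca "$d/new" &&
        issue "$d/old" "$d/agent" "agent01.example.test" || { rm -rf "$d"; return 2; }
    chains_to "$d/old/ca.crt" "$d/agent.crt" && old=trusted || old=rejected
    chains_to "$d/new/ca.crt" "$d/agent.crt" && new=trusted || new=rejected
    [ "$(ca_fingerprint "$d/old/ca.crt")" = "$(ca_fingerprint "$d/new/ca.crt")" ] \
        && same=yes || same=no
    rm -rf "$d"
    echo "old_ca=$old new_ca=$new same_ca=$same"
}

rebuild_demo
```

On a real deployment, `chains_to` and `ca_fingerprint` can be pointed at a node's own `ca.crt` and certificate to see which CA it was enrolled under.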