Satellite behind Satellite

Hi,

I have a satellite that could reach the master; another satellite wouldn’t be able to connect to the master, but to that satellite. Now … that satellite1 should be master and client, but I don’t know how to configure it.
The connection satellite1 <-> master is successful, the node is listed and everything looks fine.

But then on satellite2 I want to run the node wizard:
Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'satellite2'): 8ba08788e7ce3d8bf8fa8a328ba53f895f02209c
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master '192.168.250.1, 5665'. Please try again.

And on satellite1:
[2021-02-19 09:47:31 +0100] information/ApiListener: New client connection for identity 'satellite2' from [192.168.250.2]:41402 (certificate validation failed: code 18: self signed certificate)
[2021-02-19 09:47:41 +0100] warning/ApiListener: No data received on new API connection for identity 'satellite2'. Ensure that the remote endpoints are properly configured in a cluster setup.

So far, the CA list on satellite1 is empty, so it couldn’t create a certificate, but if I configure that as master, my node setup as client to master is missing, or where is my mistake…

Happy about any hint :wink:

Give as much information as you can, e.g.

  • Version used (icinga2 --version) r2.10.3-1

  • Operating System and version debian10

  • Enabled features (icinga2 feature list) api checker mainlog

  • Icinga Web 2 version and modules (System - About)

  • Config validation (icinga2 daemon -C) good

  • If you run multiple Icinga 2 instances, the zones.conf file (or icinga2 object list --type Endpoint and icinga2 object list --type Zone) from all affected nodes

    Object 'masterfqdn' of type 'Endpoint':
    % declared in '/etc/icinga2/zones.conf', lines 6:1-6:67

    • __name = "masterfqdn"
    • host = "masterfqdn"
      % = modified in '/etc/icinga2/zones.conf', lines 7:2-7:59
    • log_duration = 86400
    • name = "masterfqdn"
    • package = "_etc"
    • port = "5665"
      % = modified in '/etc/icinga2/zones.conf', lines 8:2-8:14
    • source_location
      • first_column = 1
      • first_line = 6
      • last_column = 67
      • last_line = 6
      • path = "/etc/icinga2/zones.conf"
    • templates = [ "masterfqdn" ]
      % = modified in '/etc/icinga2/zones.conf', lines 6:1-6:67
    • type = "Endpoint"
    • zone = ""

    Object 'satellite1' of type 'Endpoint':
    % declared in '/etc/icinga2/zones.conf', lines 15:1-15:31

    • __name = "satellite1"
    • host = ""
    • log_duration = 86400
    • name = "satellite1"
    • package = "_etc"
    • port = "5665"
    • source_location
      • first_column = 1
      • first_line = 15
      • last_column = 31
      • last_line = 15
      • path = "/etc/icinga2/zones.conf"
    • templates = [ "satellite1" ]
      % = modified in '/etc/icinga2/zones.conf', lines 15:1-15:31
    • type = "Endpoint"
    • zone = ""

    Object 'satellite2' of type 'Endpoint':
    % declared in '/etc/icinga2/zones.conf', lines 31:1-31:31

    • __name = "satellite2"
    • host = ""
    • log_duration = 86400
    • name = "satellite2"
    • package = "_etc"
    • port = "5665"
    • source_location
      • first_column = 1
      • first_line = 31
      • last_column = 31
      • last_line = 31
      • path = "/etc/icinga2/zones.conf"
    • templates = [ "satellite2" ]
      % = modified in '/etc/icinga2/zones.conf', lines 31:1-31:31
    • type = "Endpoint"
    • zone = ""

To my knowledge, an Icinga node can be either a master, a satellite or an agent.
So what you are trying to achieve with satellite1 that is connected to a master and is a master itself will not work.

You could upgrade satellite1 to being a master itself and add it to the master zone, and then have satellite2 connect to satellite1 (aka master2).

Zones inside zones do not work.
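
As an added example (not part of the original posts and not Icinga's own code), this Python script scans ApiListener log lines of the form quoted in the question and lists the peers whose certificate failed validation, together with the OpenSSL verify code. The sample log is constructed from the excerpt in the question; the function name, the example agent entry and the short code table are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of OpenSSL X.509 verify result codes (table chosen for this example).
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate (peer holds no CA-signed certificate)",
    19: "self-signed certificate in chain (root not in the local trust store)",
    20: "unable to get local issuer certificate (local CA does not match)",
}

# Matches the ApiListener line format quoted in the question; accepts
# straight or typographic quotes around the identity.
CONN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] information/ApiListener: New client connection "
    r"for identity ['‘](?P<cn>[^'’]+)['’] from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
    r"(?: \(certificate validation failed: code (?P<code>\d+): (?P<msg>[^)]*)\))?"
)

def failed_validations(lines):
    """Return {(cn, ip): [(timestamp, code, explanation), ...]} for rejected peers."""
    findings = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m or m["code"] is None:
            continue  # not a connection line, or the certificate validated
        code = int(m["code"])
        findings[(m["cn"], m["ip"])].append(
            (m["ts"], code, VERIFY_CODES.get(code, m["msg"])))
    return dict(findings)

# Constructed sample input modelled on the log excerpt in the question;
# the 'example-agent' line is invented to show a connection that validated.
SAMPLE_LOG = """\
[2021-02-19 09:47:31 +0100] information/ApiListener: New client connection for identity 'satellite2' from [192.168.250.2]:41402 (certificate validation failed: code 18: self signed certificate)
[2021-02-19 09:47:41 +0100] warning/ApiListener: No data received on new API connection for identity 'satellite2'. Ensure that the remote endpoints are properly configured in a cluster setup.
[2021-02-19 09:48:02 +0100] information/ApiListener: New client connection for identity 'example-agent' from [192.0.2.10]:50122
""".splitlines()

if __name__ == "__main__":
    for (cn, ip), events in failed_validations(SAMPLE_LOG).items():
        for ts, code, why in events:
            print(f"{ts} {cn} @ {ip}: code {code} ({why})")
```
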