Hi!
I’ve the task to set up Icinga2 automatically via Puppet. I’ve an Icinga2-Master, and the Satellites which were configured via Puppet should be automatically integrated into the Icinga2-Master…
For this task I should use this Puppet module: https://forge.puppet.com/icinga/icinga2/changelog
I’ve installed it via ‘puppet module install icinga-icinga2 --version 2.1.0 --environment puppettest’ and I’ve built the following manifest for installing Icinga2 on my node:
class { '::icinga2':
  confd     => false,
  features  => ['checker','mainlog'],
  constants => {
    'ZoneName' => 'TESTZONE',
  },
}
class { '::icinga2::feature::api':
  pki             => 'icinga2',
  ca_host         => 'icinga2master.vorlage.local',
  fingerprint     => 'D8:98:82:1B:14:8A:6A:89:4B:7A:40:32:50:68:01:99:3D:96:72:72',
  ticket_salt     => '<very-save-ticket_salt>',
  accept_config   => true,
  accept_commands => true,
  endpoints       => {
    'NodeName'                    => {},
    'icinga2master.vorlage.local' => {
      'host' => '192.168.117.30',
    }
  },
  zones           => {
    'NodeName' => {
      'endpoints' => ["${facts['fqdn']}"],
      'parent'    => 'master',
    },
    'master'   => {
      'endpoints' => ['icinga2master.vorlage.local']
    }
  }
}
The installation via Puppet on my node works fine, and after a ‘puppet agent -t’ Icinga2 is cleanly installed.
But I also got the following error:
Notice: /Stage[main]/Icinga2::Feature::Api/Exec[icinga2 pki request]/returns: critical/cli: Invalid ticket for CN ‘worker-template.local’.
Error: ‘"/usr/sbin/icinga2" pki request --host icinga2master.vorlage.local --port 5665 --ca /var/lib/icinga2/certs/ca.crt --key /var/lib/icinga2/certs/worker-template.local.key --cert /var/lib/icinga2/certs/worker-template.local.crt --trustedcert /var/lib/icinga2/certs/trusted-cert.crt --ticket <very-save-ticket_salt>’ returned 1 instead of one of [0]
Error: /Stage[main]/Icinga2::Feature::Api/Exec[icinga2 pki request]/returns: change from ‘notrun’ to [‘0’] failed: ‘"/usr/sbin/icinga2" pki request --host icinga2master.vorlage.local --port 5665 --ca /var/lib/icinga2/certs/ca.crt --key /var/lib/icinga2/certs/worker-template.local.key --cert /var/lib/icinga2/certs/worker-template.local.crt --trustedcert /var/lib/icinga2/certs/trusted-cert.crt --ticket <very-save-ticket_salt>’ returned 1 instead of one of [0] (corrective)
Debug: Class[Icinga2::Service]: Resource is being skipped, unscheduling all events
Notice: /Service[icinga2]: Dependency Exec[icinga2 pki request] has failures: true
Warning: /Service[icinga2]: Skipping because of failed dependencies
Debug: /Service[icinga2]: Resource is being skipped, unscheduling all events
Debug: Class[Icinga2::Service]: Resource is being skipped, unscheduling all events
Warning: /Stage[main]/Icinga2/Anchor[::icinga2::end]: Skipping because of failed dependencies
Debug: /Stage[main]/Icinga2/Anchor[::icinga2::end]: Resource is being skipped, unscheduling all events
I tried to execute the command manually on the Icinga2 satellite:
root@worker-template:~# /usr/sbin/icinga2 pki request --host icinga2master.vorlage.local --port 5665 --ca /var/lib/icinga2/certs/ca.crt --key /var/lib/icinga2/certs/worker-template.local.key --cert /var/lib/icinga2/certs/worker-template.local.crt --trustedcert /var/lib/icinga2/certs/trusted-cert.crt --ticket <very-save-ticket_salt>
…and got the following response:
critical/cli: Invalid ticket for CN ‘worker-template.local’.
When I have a look at /var/log/icinga2/icinga2.log on my Icinga2-Master, I can see that my Icinga2-Satellite is making a request to the Icinga2-Master:
[2019-05-14 22:55:08 +0200] information/ConfigObject: Dumping program state to file '/var/lib/icinga2/icinga2.state'
[2019-05-14 22:55:08 +0200] information/WorkQueue: #10 (JsonRpcConnection, #0) items: 0, rate: 0/s (0/min 0/5min 2/15min);
[2019-05-14 22:55:58 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2813/15min);
[2019-05-14 22:56:04 +0200] information/ApiListener: New client connection for identity 'worker-template.local' from [192.168.117.25]:51972 (certificate validation failed: code 18: self signed certificate)
[2019-05-14 22:56:04 +0200] information/JsonRpcConnection: Received certificate request for CN 'worker-template.local' not signed by our CA.
[2019-05-14 22:56:04 +0200] warning/JsonRpcConnection: Ticket '6f912a8966ef9e46278e77847e93e901c83adde7' for CN 'worker-template.local' is invalid.
[2019-05-14 22:56:04 +0200] warning/TlsStream: TLS stream was disconnected.
[2019-05-14 22:56:04 +0200] warning/JsonRpcConnection: API client disconnected for identity 'worker-template.local'
[2019-05-14 22:56:18 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 0, rate: 3.01667/s (181/min 933/5min 2809/15min);
[2019-05-14 22:56:18 +0200] information/WorkQueue: #5 (ApiListener, RelayQueue) items: 0, rate: 0.65/s (39/min 195/5min 579/15min);
[2019-05-14 22:56:18 +0200] information/WorkQueue: #6 (ApiListener, SyncQueue) items: 0, rate: 0/s (0/min 0/5min 0/15min);
[2019-05-14 22:56:28 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 931/5min 2807/15min);
[2019-05-14 22:56:38 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 2.95/s (177/min 929/5min 2809/15min);
[2019-05-14 22:56:48 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2813/15min);
[2019-05-14 22:57:18 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2809/15min);
[2019-05-14 22:57:28 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2807/15min);
[2019-05-14 22:57:38 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 2.95/s (177/min 927/5min 2807/15min);
[2019-05-14 22:57:48 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2813/15min);
[2019-05-14 22:58:18 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2809/15min);
[2019-05-14 22:58:28 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2807/15min);
[2019-05-14 22:58:38 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 927/5min 2807/15min);
[2019-05-14 22:58:48 +0200] information/WorkQueue: #7 (IdoMysqlConnection, ido-mysql) items: 1, rate: 3.01667/s (181/min 933/5min 2813/15min);
[2019-05-14 22:59:35 +0200] information/ApiListener: New client connection for identity 'worker-template.local' from [192.168.117.25]:51976 (certificate validation failed: code 18: self signed certificate)
[2019-05-14 22:59:35 +0200] information/JsonRpcConnection: Received certificate request for CN 'worker-template.local' not signed by our CA.
[2019-05-14 22:59:35 +0200] warning/JsonRpcConnection: Ticket '6f912a8966ef9e46278e77847e93e901c83adde7' for CN 'worker-template.local' is invalid.
[2019-05-14 22:59:35 +0200] warning/TlsStream: TLS stream was disconnected.
[2019-05-14 22:59:35 +0200] warning/JsonRpcConnection: API client disconnected for identity 'worker-template.local'
The only problem (if I believe this article) seems to be the different Icinga2 versions:
Icinga2-Master:
root@icinga2master:~# dpkg -l icinga2
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================
ii icinga2 2.10.4-1.xen amd64 host and network monitoring syste
Icinga2-Satellite:
root@worker-template:~# dpkg -l icinga2
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================
ii icinga2 2.4.1-2ubunt amd64 host and network monitoring syste
root@worker-template:~#
Has anyone of you also installed Icinga2 via Puppet and knows how to sign the satellite automatically on the Icinga2-Master?
And has anyone of you also had the same problem with signing the Satellite on the Master?
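
An added example, not part of the original post and not code from Icinga or the Puppet module: it pulls the rejected (CN, ticket) pairs out of a master log like the one above and tests which CN or salt reproduces the ticket the agent sent. It assumes the ticket is PBKDF2-HMAC-SHA1 over the CN keyed by TicketSalt with 50000 iterations; the function names, both salts and the second log line are constructed for illustration.

```python
import hashlib
import hmac
import re

ITERATIONS = 50000  # assumption: iteration count used by `icinga2 pki ticket`
REJECTED = re.compile(
    r"warning/JsonRpcConnection: Ticket '([0-9a-f]+)' for CN '([^']+)' is invalid\.")

def icinga2_ticket(cn, salt):
    """PBKDF2-HMAC-SHA1 over the CN, keyed by TicketSalt, 20 bytes as hex."""
    raw = hashlib.pbkdf2_hmac("sha1", cn.encode(), salt.encode(), ITERATIONS, 20)
    return raw.hex()

def rejected_tickets(log_text):
    """Return (cn, ticket) for every ticket rejection line in a master log."""
    return [(m.group(2), m.group(1)) for m in REJECTED.finditer(log_text)]

def classify(cn, sent, master_salt, other_salts=(), other_cns=()):
    """Name the input that differs between agent and master for one rejection."""
    def same(c, s):
        return hmac.compare_digest(sent, icinga2_ticket(c, s))
    if same(cn, master_salt):
        return "matches-supplied-salt"  # the running master uses another salt
    if any(same(cn, s) for s in other_salts):
        return "salt-mismatch"
    if any(same(c, master_salt) for c in other_cns):
        return "cn-mismatch"
    return "unknown"

# Constructed values; neither salt comes from the page.
MASTER_SALT = "constructed-master-salt"
AGENT_SALT = "constructed-agent-salt"
CN = "worker-template.local"

SAMPLE_LOG = "\n".join([
    # Rejection line as it appears in the master log on the page.
    "[2019-05-14 22:56:04 +0200] warning/JsonRpcConnection: Ticket "
    "'6f912a8966ef9e46278e77847e93e901c83adde7' for CN 'worker-template.local' is invalid.",
    # Constructed line: ticket derived from the agent-side salt above.
    "[2019-05-14 23:10:00 +0200] warning/JsonRpcConnection: Ticket "
    f"'{icinga2_ticket(CN, AGENT_SALT)}' for CN '{CN}' is invalid.",
])

if __name__ == "__main__":
    for cn, sent in rejected_tickets(SAMPLE_LOG):
        print(cn, sent,
              classify(cn, sent, MASTER_SALT, [AGENT_SALT], ["worker-template"]))
```

Whoever holds the TicketSalt can derive a valid ticket for any CN, so run a check like this on the master rather than copying the salt to other hosts.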