Validation failed

Hi icinga2 community!

I had two masters. Master1 was config master. Both master fully setup with database but no ha.
My master1 failed and I had to turn off master1. Copied the conf files to the master2.
Everything works fine with the current agents, but now I want to add a new agent and I see the message “certificate validation failed: code 18: self signed certificate”

I ran icinga2 wizard manually and followed the step accordingly.

What could be my problem no now clients can connect to master2 ?

Master2 version: r2.11.2-1
New Agent: version: r2.11.3-1)

Could the ‘newer’ agent be a problem?

*EDIT: found (probably not) my problem?. I tried to make the icinga2 wizard installation easier by providing and showing the ticket using curl “generate ticket” before I start the icinga2 wizard but that logically! still needs local signing.

Steps I’ve taken:

  • Now, when I use “icinga2 ca list” it lists my certificates.
  • It was showing my two requests from the same new node.
  • I approved the last one but that didn’t seems to solve the connection problem
  • I restarted icinga2 service
  • I ran icinga2 ca list again and it was still showing both requests.
  • I approved both requests and they disappeared in the ca list
  • Using icinga2 ca list --all is showing that all certs for that new host are signed.
  • Thats probably a good sign, but the new agent is still not connected.?!
    Restarted the icinga2 service and the logs still says:

Certificate request for CN ‘new-agent’ is pending. Waiting for approval.

I now ran the icinga2 node wizard completely manual at every step but the logs keeps giving the same above message.

I removed the files from /var/lib/icinga2/certs and ran the icinga2 node wizard again, no change )-:


your problem is that you didnt copy the CA to your “cold standby” master. Does the coldstandby have the same hostname (cn name) and IP?


The master2 doesnt have the same cn name and ip… )-:

I dont have that many clients so I could start over . (master1 is dead and cannot use the same ip)
(I do have a backup of the /var/lib/icinga2/certs and also found a backup of the ca/ folder from the original master1 if that helps)

What would you suggest here ?

I’ve recovered the /ca/ca.* keys and placed them on my master2.
Used icinga2 ca sign to sign the pending request
Seems to work now, guess this is enough ?

@Carsten Thank you for the fast reply and creating my aha moment :wink:

1 Like