Validation failed

Meta Icinga Events and Community
1

Hi icinga2 community!

I had two masters. Master1 was config master. Both master fully setup with database but no ha.
My master1 failed and I had to turn off master1. Copied the conf files to the master2.
Everything works fine with the current agents, but now I want to add a new agent and I see the message “certificate validation failed: code 18: self signed certificate”

I ran icinga2 wizard manually and followed the step accordingly.

What could be my problem no now clients can connect to master2 ?

Master2 version: r2.11.2-1
New Agent: version: r2.11.3-1)

Could the ‘newer’ agent be a problem?

*EDIT: found (probably not) my problem?. I tried to make the icinga2 wizard installation easier by providing and showing the ticket using curl “generate ticket” before I start the icinga2 wizard but that logically! still needs local signing.

2

1#
Steps I’ve taken:

  • Now, when I use “icinga2 ca list” it lists my certificates.
  • It was showing my two requests from the same new node.
  • I approved the last one but that didn’t seems to solve the connection problem
  • I restarted icinga2 service
  • I ran icinga2 ca list again and it was still showing both requests.
  • I approved both requests and they disappeared in the ca list
  • Using icinga2 ca list --all is showing that all certs for that new host are signed.
  • Thats probably a good sign, but the new agent is still not connected.?!
    Restarted the icinga2 service and the logs still says:

Certificate request for CN ‘new-agent’ is pending. Waiting for approval.

2#
I now ran the icinga2 node wizard completely manual at every step but the logs keeps giving the same above message.

3#
I removed the files from /var/lib/icinga2/certs and ran the icinga2 node wizard again, no change )-:

3

Hello,

your problem is that you didnt copy the CA to your “cold standby” master. Does the coldstandby have the same hostname (cn name) and IP?

Regards,
Carsten

4

The master2 doesnt have the same cn name and ip… )-:

I dont have that many clients so I could start over . (master1 is dead and cannot use the same ip)
(I do have a backup of the /var/lib/icinga2/certs and also found a backup of the ca/ folder from the original master1 if that helps)

What would you suggest here ?

5

I’ve recovered the /ca/ca.* keys and placed them on my master2.
Used icinga2 ca sign to sign the pending request
Seems to work now, guess this is enough ?

@anon66228339 Thank you for the fast reply and creating my aha moment :wink:

1 Like