Where is the icinga2 api cert

Icinga 2
,
1

I’m sorry if I missed this somewhere. I looked through the documentation and couldn’t find it.

I’m working on a script I can use to set downtime for a server when it suspends, since I like to do that periodically. I’d like to set downtime and then later remove it, but one thing at a time.

In my reading, it looks like I need to authenticate with a certificate which is why my check is failing:

start_downtime="$(date +%s)"
end_downtime="$(date +%s -d "+24 hour")"
curl -X Post \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -k \
      -u 'root:<password>' \
      -d '{"type": "Host", "filter": "host.name == \"tesla.lan\"", "author": "root", "comment": "system-down", "child_options": "DowntimeTriggeredChildren", "fixed": false, "duration": 86400, "start_time": "'$start_downtime'", "end_time": "'$end_downtime'", "all_services": true }' \
       https://master.lan:5665/v1/actions/schedule-downtime                                                                             

$ ./ack.sh 
{"error":404,"status":"The requested path 'v1/actions/schedule-downtime' could not be found or the request method is not valid for this path."}

The examples I see assume that the ca is in pki/ but my pki folder is empty.

Did I miss a step during api setup? I’ve always been bad with ssl related stuff :frowning:

2

Did you run

icinga2 node wizard

On the master ?

3

I just tried it, not to completion and it said:
Certificate '/var/lib/icinga2/certs//ohm.lan.crt' for CN 'ohm.lan' already existing. Skipping certificate generation.

So I now found it in /var/lib/icinga2

I don’t really want to run the node wizard to completion because I’m afraid I’ll blow away something else I have configured already… Is that not an issue?

Let me see if I can get it to work with the ca in /var/lib/icinga2

4

What’s the output of

icinga2 feature list

?
Maybe api is disabled

5 
$ icinga2 feature list
Disabled features: compatlog elasticsearch gelf graphite icingadb influxdb influxdb2 livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker command debuglog ido-pgsql mainlog notification
6

And the output of:

icinga2 -V
cat /etc/icinga2/features-enabled/api.conf
cat /etc/icinga2/conf.d/api-users.conf

You can remove the password in the output

7

Thanks for the permission :smiley: but seriously thanks for making sure other people do that.

[root@ohm:~] # icinga2 -V
icinga2 - The Icinga 2 network monitoring daemon (version: r2.13.6-1)

Copyright (c) 2012-2024 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Raspbian GNU/Linux
  Platform version: 12 (bookworm)
  Kernel: Linux
  Kernel version: 6.1.21-v7+
  Architecture: armv7l

Build information:
  Compiler: GNU 12.2.0
  Build host: test2019
  OpenSSL version: OpenSSL 3.0.13 30 Jan 2024

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid
[root@ohm:~] # cat /etc/icinga2/features-enabled/api.conf
/**
 * The API listener is used for distributed monitoring setups.
 */
object ApiListener "api" {

  ticket_salt = TicketSalt
}
[root@ohm:~] # cat /etc/icinga2/conf.d/api-users.conf
/**
 * The ApiUser objects are used for authentication against the API.
 */
object ApiUser "root" {
  password = "password"
  // client_cn = ""

  permissions = [ "*" ]
}
8

replace this with:

curl -X POST \

2 Likes
9

That was it. :person_facepalming:

Thanks.

10

also you are using a 32 bit version of icinga2 which will get you into troubles when switching to icingadb.

I would recommend to install a 64 bit os of Raspberry Pi OS and use the debian repo. It cointains arm packages

1 Like
11

apt says it’s the armf version, I’m not sure where you see 32 bit?

[@ohm:~] $ apt policy icinga2
icinga2:
  Installed: 2.13.6-2+deb12u1
  Candidate: 2.13.6-2+deb12u1
  Version table:
 *** 2.13.6-2+deb12u1 500
        500 http://raspbian.raspberrypi.org/raspbian bookworm/main armhf Packages
        100 /var/lib/dpkg/status
[@ohm:~] $ apt policy icingadb
icingadb:
  Installed: (none)
  Candidate: 1.1.0-1
  Version table:
     1.1.0-1 500
        500 http://raspbian.raspberrypi.org/raspbian bookworm/main armhf Packages
12

In short, ARMHF is 32-bit, and ARM64 is 64-bit. You’ll need to install the right version for your Raspberry Pi OS (formerly Raspbian).

13

That’s helpful. For some reason I keep reading ‘arm64’ as ‘amd64’.

and when I check the raspberry pi 3, it looks like I could have installed both, but I installed the 32 bit version.

So I’ll fix that the next time I wipe it.

14

Just for your information, on Raspberry Pi OS you can follow Icinga 2’s Debian installation instructions and get the latest Icinga 2 version, as the version from the distribution packages, 2.13.6-2+deb12u1, is a bit older.

Please just be sure to follow the Debian installation, not the Raspbian ones, which are outdated and to be removed: