Workaround for broken Icinga2 (2.10.3-2) node config on Debian 10.3 (Buster)

Icinga2 (2.10.3-2) is installed from the Debian stable repository.

When running ‘icinga2 node wizard’ on the client machine, the wizard is stuck here:

Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'icinga-client'): ad84c3039faf41972173d314d4227b215313e924
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master '10.0.2.15, 5665'. Please try again.

The error log on the master shows:

[2020-02-16 15:46:27 +0100] information/ApiListener: New client connection for identity 'icinga-client' from [10.0.2.4]:45350 (certificate validation failed: code 18: self signed certificate)
[2020-02-16 15:46:37 +0100] warning/ApiListener: No data received on new API connection for identity 'icinga-client'. Ensure that the remote endpoints are properly configured in a cluster setup.
Context:
        (0) Handling new API client connection

The issue is also described in full detail here: https://monitoring-portal.org/t/client-certificate-validation-failed/5732 (someone observed that the issue emerged with Debian’s update of libssl from version 1.1.0 to 1.1.1).

So what is the recommended course of action to work around the issue? A little how-to would be extremely nice.

Hi and welcome!

Your version is quite old. The latest one is 2.11.2. :wink:
Try this one. The devs implemented a lot of bug fixes.


Thank you for the suggestion, Stevie.

Icinga 2 (2.11.1) exists in the Debian ‘testing’ (Bullseye) repository. But I’m afraid the situation there is even worse. When you upgrade the distribution and try to install Icinga2 you will run into other bugs which also break the installation:

ai2ieXie@icinga:~$ sudo icinga2 api setup
information/cli: Generating new CA.
information/base: Writing private key to '/var/lib/icinga2/ca//ca.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/ca//ca.crt'.
information/cli: Generating new CSR in '/var/lib/icinga2/certs//icinga.csr'.
information/base: Writing private key to '/var/lib/icinga2/certs//icinga.key'.
information/base: Writing certificate signing request to '/var/lib/icinga2/certs//icinga.csr'.
information/cli: Signing CSR with CA and writing certificate to '/var/lib/icinga2/certs//icinga.crt'.
information/pki: Writing certificate to file '/var/lib/icinga2/certs//icinga.crt'.
information/cli: Copying CA certificate to '/var/lib/icinga2/certs//ca.crt'.
information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
critical/Application: Error: Function call 'mkstemp' for file '/etc/icinga2/conf.d/api-users.conf.XXXXXX' failed with error code 13, 'Permission denied'


Additional information is available in '/var/log/icinga2/crash/report.1581940518.765982'

Aborted

If you manually create /etc/icinga2/conf.d/api-users.conf, enable the api feature and continue with the installation process you’ll run into the next bugs:

ai2ieXie@icinga:~$ sudo icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: n

Starting the Master setup routine...

Please specify the common name (CN) [icinga]: 
Reconfiguring Icinga...
Checking for existing certificates for common name 'icinga'...
Certificate '/var/lib/icinga2/certs//icinga.crt' for CN 'icinga' already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
'api' feature already enabled.

Master zone name [master]: 

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: 
critical/cli: chown() failed with error code 1, "Operation not permitted"
Please specify the API bind host/port (optional):
Bind Host []: 
Bind Port []: 
critical/Application: Error: boost::filesystem::copy_file: Permission denied: "/etc/icinga2/features-available/api.conf", "/etc/icinga2/features-available/api.conf.orig"

Additional information is available in '/var/log/icinga2/crash/report.1581942048.913386'

Aborted

At this point I really think the best course of action would be to find and document a workaround for the broken certificate setup in the Icinga 2.10.3-2 node wizard, since it seems less broken.

OK, we use CentOS and I don’t know the difference with Debian. Maybe you have a test server where you can test the installation with the latest version.

Maybe other users have more experience with Debian and icinga 2.11.x

I’d suggest using the official package repository at https://packages.icinga.com … we don’t test Debian upstream packages during our release process, only our own.

Cheers,
Michael

This is an OpenSSL bug [1].

icinga2 node wizard will work as expected on Debian 10.3 if you disable TLSv1.3 on the master or the client.

/etc/ssl/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

[1] https://github.com/openssl/openssl/issues/8534
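As an added example (not from this thread or the Icinga project), a small Python check that parses the [system_default_sect] block of openssl.cnf and reports whether the TLSv1.3 cap from the workaround above is in place; both config strings are constructed samples, and the live path /etc/ssl/openssl.cnf is only read when run as a script.

```python
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample of the relevant block in /etc/ssl/openssl.cnf on a stock
# Debian 10 host: no MaxProtocol, so TLSv1.3 may still be negotiated.
DEFAULT_CNF = """\
# comment line
[ system_default_sect ]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
# Constructed sample after applying the workaround from the post above.
WORKAROUND_CNF = """\
.include /etc/ssl/extra.cnf
[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2   # cap negotiation below TLSv1.3
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_openssl_cnf(text):
    """Parse an OpenSSL-style config into {section: {key: value}}.
    Strips '#' comments, tolerates padded '[ section ]' headers and skips
    '.include' directives (included files are not followed here)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith(".include"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections

def tls13_disabled(text, section="system_default_sect"):
    """True when MaxProtocol in `section` caps the TLS version below 1.3."""
    max_proto = parse_openssl_cnf(text).get(section, {}).get("MaxProtocol")
    return max_proto in TLS_ORDER and TLS_ORDER.index(max_proto) < 3

if __name__ == "__main__":  # check the live system config
    print("TLSv1.3 capped:", tls13_disabled(Path("/etc/ssl/openssl.cnf").read_text()))
```

Note that MaxProtocol in [system_default_sect] is a host-wide default for every OpenSSL consumer, not just Icinga 2, so the check is also useful for confirming the setting was reverted once a fixed OpenSSL is installed.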