Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

Icinga2 Windows Agent 2.13.1 certificate signing fails using ticket in node setup #9116

Open teclogi opened 2 years ago

teclogi commented 2 years ago

Describe the bug

If I run the node setup on a fresh Windows client (Icinga2 Agent 2.13.1) using a ticket for the certificate signing, I get the following error.

information/cli: Retrieving TLS certificate for 'Icinga2Master:5665'.

 Version:             3
 Subject:             CN = Icinga2Master
 Issuer:              CN = Icinga CA
 Valid From:          Nov 15 12:21:36 2021 GMT
 Valid Until:         Nov 11 12:21:36 2036 GMT
 Serial:              00:00:00:00:49:49:20:ba:9e:59:a8:93:84:95:85:bc:f8:aa:aa:aa

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   Icinga2Master
 Fingerprint:         AA BB CC DD EE FF 11 22 33 44 55 66 77 88 99 A B8 CC D7 E8 F9 2C 98 30 F5 82 5F C5 37 A7 1B 61 

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
information/cli: Requesting certificate with ticket '11223344eddb89462d6d225ceb0992fae8a1d71f'.
information/cli: Verifying parent host connection information: host 'Icinga2Master', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'Icinga2Agent'.
information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2/certs//Icinga2Agent.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2/certs//Icinga2Agent.crt'.
information/cli: Verifying trusted certificate file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'.
information/cli: Requesting a signed certificate from the parent Icinga node.
critical/cli: !!! The certificate for CN 'Icinga2Agent' is valid and uptodate. Skipping automated renewal.
critical/cli: Failed to fetch signed certificate from parent Icinga node 'Icinga2Master, 5665'. Please try again.

The node setup looks as follows.

& "C:\Program Files\ICINGA2\sbin\Icinga2.exe" node setup `
    --ticket              '11223344eddb89462d6d225ceb0992fae8a1d71f' `
    --cn                  'Icinga2Agent' `
    --endpoint            'Icinga2Master,10.21.16.199,5665' `
    --zone                'Icinga2Agent' `
    --parent_zone         'master' `
    --parent_host         'Icinga2Master' `
    --trustedcert         'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt' `
    --accept-commands `
    --accept-config `
    --disable-confd;

If I run the node setup without the ticket parameter, I can sign the certificate at the master and everything is working fine. It looks like the zones config must be updated by the setup first before the automatic certificate signing is working?

When I use the icinga2 Agent version 2.13.0 the node setup is working as expected and the certificate will be signed automatically using a ticket.

To Reproduce

Use the PowerShell script above.

Expected behavior

The node setup using the ticket parameter should work with the Icinga2 Agent version 2.13.1.

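The setup output above warns that the certificate written to trusted-parent.crt must be checked against the master's real certificate before --trustedcert is used, otherwise the agent would trust whatever endpoint answered on port 5665. The following is an added example, not code from the Icinga project or from anyone in this thread: it computes the SHA-256 fingerprint of a PEM certificate file the same way the 'Fingerprint:' line above is derived (a hash over the DER bytes) and compares it with a value obtained out of band from the master, accepting the space-separated, colon-separated or bare hex spellings. The PEM content embedded below is a constructed stand-in whose body is base64 of "abc", not a real X.509 certificate; the file path and the expected fingerprint are placeholders.

```python
import base64
import hashlib
import hmac
import re
import sys

# Constructed stand-in for trusted-parent.crt: the PEM body is base64("abc"),
# not a real X.509 certificate. The fingerprint logic only hashes the DER
# bytes, so any PEM-wrapped payload exercises it; a real file works the same.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop newlines and spaces
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der).hexdigest()


def icinga_format(hex_fingerprint: str) -> str:
    """Render a hex digest as space-separated uppercase byte pairs,
    the layout used by the 'Fingerprint:' line in the node setup output."""
    return " ".join(hex_fingerprint[i:i + 2].upper()
                    for i in range(0, len(hex_fingerprint), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA BB CC', 'aa:bb:cc' or 'aabbcc' and return bare lowercase hex."""
    return re.sub(r"[\s:]", "", text).lower()


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True if the certificate in pem_text has the expected SHA-256 fingerprint.

    The expected value is what the master's administrator read off the master
    itself, not something taken from the connection being verified.
    """
    expected_hex = normalize_fingerprint(expected)
    if not re.fullmatch(r"[0-9a-f]{64}", expected_hex):
        raise ValueError("expected fingerprint must be 32 hex bytes (SHA-256)")
    actual_hex = sha256_fingerprint(pem_to_der(pem_text))
    return hmac.compare_digest(actual_hex, expected_hex)


if __name__ == "__main__":
    # Usage (placeholder path and fingerprint, replace with your own):
    #   python check_parent_cert.py C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt "AA BB ..."
    if len(sys.argv) != 3:
        sys.exit("usage: check_parent_cert.py <trusted-parent.crt> <expected sha256 fingerprint>")
    with open(sys.argv[1], "r", encoding="ascii") as handle:
        pem = handle.read()
    print("file fingerprint:", icinga_format(sha256_fingerprint(pem_to_der(pem))))
    if fingerprint_matches(pem, sys.argv[2]):
        print("OK: trusted-parent.crt matches the expected master certificate")
    else:
        sys.exit("MISMATCH: do not pass this file to --trustedcert")
```

Run the check after the first 'Writing certificate to file ... trusted-parent.crt' step and before using --trustedcert; a mismatch means the file should be discarded rather than fed into node setup.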

Al2Klimov commented 1 year ago

Works for me

PS C:\Users\Administrator> & 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --ticket d266c84e7f17eaabb2cbe13242ef7e554ba195a5 --cn Icinga2Agent --endpoint aklimov-9116.novalocal,10.27.1.197,5665 --zone Icinga2Agent --parent_zone master --parent_host 10.27.1.197 --trustedcert 'C:\i2.crt' --accept-commands --accept-config --disable-confd
information/cli: Requesting certificate with ticket 'd266c84e7f17eaabb2cbe13242ef7e554ba195a5'.
information/cli: Verifying parent host connection information: host '10.27.1.197', port '5665'.
information/cli: Using the following CN (defaults to FQDN): 'Icinga2Agent'.
information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2/certs//Icinga2Agent.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2/certs//Icinga2Agent.crt'.
information/cli: Verifying trusted certificate file 'C:\i2.crt'.
information/cli: Requesting a signed certificate from the parent Icinga node.
information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
information/cli: Writing signed certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2/certs//Icinga2Agent.crt'.
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Updating the ApiListener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file 'C:\ProgramData\icinga2\etc\icinga2/features-available/api.conf.orig'.
information/cli: Generating zone and object configuration.
information/cli: Dumping config items to file 'C:\ProgramData\icinga2\etc\icinga2/zones.conf'.
information/cli: Created backup file 'C:\ProgramData\icinga2\etc\icinga2/zones.conf.orig'.
warning/cli: CN/Endpoint name 'Icinga2Agent' does not match the default FQDN 'aklimov-winnt'. Requires an update for the NodeName constant in constants.conf!
information/cli: Updating 'NodeName' constant in 'C:\ProgramData\icinga2\etc\icinga2/constants.conf'.
information/cli: Created backup file 'C:\ProgramData\icinga2\etc\icinga2/constants.conf.orig'.
information/cli: Updating 'ZoneName' constant in 'C:\ProgramData\icinga2\etc\icinga2/constants.conf'.
information/cli: Backup file 'C:\ProgramData\icinga2\etc\icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Make sure to restart Icinga 2.
information/cli: Updating '"conf.d"' include in 'C:\ProgramData\icinga2\etc\icinga2/icinga2.conf'.
information/cli: Created backup file 'C:\ProgramData\icinga2\etc\icinga2/icinga2.conf.orig'.
information/cli: Make sure to restart Icinga 2.
PS C:\Users\Administrator> & 'C:\Program Files\ICINGA2\sbin\icinga2.exe' --version
icinga2.exe - The Icinga 2 network monitoring daemon (version: v2.13.1)

Didn’t even test r2.12.0-rc1-1 as master. If your master version is actually lower, upgrade it. We don’t support such cluster trees.

Al2Klimov commented 1 year ago

Did I understand you correctly that your master version is older?