Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

Empty icinga ca list #9632

Open HBrites9 opened 1 year ago

HBrites9 commented 1 year ago

Describe the bug

I'm creating the ticket for my icinga2-agent1.localdomain

[root@rocky icinga2]# icinga2 pki ticket --cn icinga2-agent1.localdomain
34f881e8ad1aef07440c4b4901fde5352793bbc5

I already did the icinga2 node wizard

Reconfiguring Icinga...
Checking for existing certificates for common name 'icinga2-master1.localdomain'...
Certificate '/var/lib/icinga2/certs//icinga2-master1.localdomain.crt' for CN 'icinga2-master1.localdomain' already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
'api' feature already enabled.

Master zone name [master]:

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]:
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:

Do you want to disable the inclusion of the conf.d directory [Y/n]:
Disabling the inclusion of the conf.d directory...
Checking if the api-users.conf file exists...

Done.

Now restart your Icinga 2 daemon to finish the installation!

[root@rocky icinga2]# systemctl restart icinga2
[root@rocky icinga2]# icinga2 feature enable api
warning/cli: Feature 'api' already enabled.

[root@rocky icinga2]# icinga2 ca list
Fingerprint Timestamp Signed Subject

My ca list is still empty

Somebody knows why?

HBrites9 commented 1 year ago

In my-client

[root@rocky etc]# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: b

Starting the Agent/Satellite setup routine...

Please specify the common name (CN) [rocky]: icinga2-agent1.localdomain

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga2-master1.localdomain

Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): 192.168.122.31
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]: n
critical/pki: Cannot connect to host '192.168.122.31' on port '5665'
critical/cli: Peer did not present a valid certificate.
[root@rocky etc]# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: y

Starting the Agent/Satellite setup routine...

Please specify the common name (CN) [rocky]: icinga2-agent1.localdomain

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga2-master1.localdomain

Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): 192.168.122.31
Master/Satellite endpoint port [5665]:

Add more master/satellite endpoints? [y/N]: n
critical/pki: Cannot connect to host '192.168.122.31' on port '5665'
critical/cli: Peer did not present a valid certificate.

xl3vo5 commented 1 year ago

I have the exact same problem. Did you solve this?

Al2Klimov commented 1 year ago

Hello @HBrites9!

critical/pki: Cannot connect to host '192.168.122.31' on port '5665'
critical/cli: Peer did not present a valid certificate.

What does openssl s_client -connect 192.168.122.31:5665 -showcerts say? To be run on the same host where the node wizard complains of course.

R-Sommer commented 1 year ago

icinga2 ca list only shows certificate signing requests and working with tickets does not create such requests.

Al2Klimov commented 9 months ago

Do your nodes in question have valid certificates after restart?