
[dev.icinga.com #10641] API setup command incorrectly overwrites existing certificates #3670

Closed
icinga-migration opened this issue Nov 16, 2015 · 12 comments
Labels
area/cli Command line helpers blocker Blocks a release or needs immediate attention bug Something isn't working
Milestone

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10641

Created by mfriedrich on 2015-11-16 09:51:04 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2015-11-26 07:15:05 +00:00)
Target Version: 2.4.1
Last Update: 2015-11-26 08:48:57 +00:00 (in Redmine)

Icinga Version: 2.4.0
Backport?: Already backported
Include in Changelog: 1

Changesets

2015-11-26 07:11:02 +00:00 by (unknown) 7f9337e

Use the NodeName constant in 'api setup'

fixes #10641

2015-11-26 07:12:13 +00:00 by (unknown) 05af1cb

Use the NodeName constant in 'api setup'

fixes #10641
@icinga-migration

Updated by jflach on 2015-11-20 14:06:51 +00:00

I could not reproduce this with 2.4 or the current master.

Icinga 2 notified me that certificates already existed and skipped the certificate creation, which is the expected behaviour.

@icinga-migration

Updated by gbeutner on 2015-11-21 03:38:23 +00:00

  • Status changed from New to Assigned
  • Assigned to set to mfriedrich

@icinga-migration

Updated by mfriedrich on 2015-11-23 14:58:41 +00:00

The client is set up as follows:

  • ca.crt, client.crt and client.key in /etc/icinga2/pki
  • nothing inside /etc/icinga2/pki

When api setup is executed, the content in /etc/icinga2/pki must not be overridden (/var/lib/icinga2/ca can be empty, and does not qualify for a check).

@icinga-migration

Updated by mfriedrich on 2015-11-25 14:27:48 +00:00

There's already a check for an existing certificate key file in /etc/icinga2/pki, so I'm not sure what happened last week during the tests.

@icinga-migration

Updated by gbeutner on 2015-11-26 07:00:22 +00:00

Well, apparently it's not overwriting existing certificate files, but it's creating additional certificates:

```
acheron:~ gunnar$ ls -l i2/var/lib/icinga2/ca
ls: i2/var/lib/icinga2/ca: No such file or directory
acheron:~ gunnar$ ls -l i2/etc/icinga2/pki
total 24
-rw-r--r--  1 gunnar  staff  1826 Nov 25 17:23 acheron.beutner.name.crt
-rw-------  1 gunnar  staff  3247 Nov 25 17:23 acheron.beutner.name.key
-rw-r--r--  1 gunnar  staff  2025 Nov 25 17:23 ca.crt
acheron:~ gunnar$ sudo icinga2 api setup
information/cli: Generating new CA.
information/base: Writing private key to '/Users/gunnar/i2/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/Users/gunnar/i2/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/Users/gunnar/i2/etc/icinga2/pki/acheron.csr'.
information/base: Writing private key to '/Users/gunnar/i2/etc/icinga2/pki/acheron.key'.
information/base: Writing certificate signing request to '/Users/gunnar/i2/etc/icinga2/pki/acheron.csr'.
information/cli: Signing CSR with CA and writing certificate to '/Users/gunnar/i2/etc/icinga2/pki/acheron.crt'.
information/cli: Copying CA certificate to '/Users/gunnar/i2/etc/icinga2/pki/ca.crt'.
information/cli: Created backup file '/Users/gunnar/i2/etc/icinga2/pki/ca.crt.orig'.
information/cli: API user config file '/Users/gunnar/i2/etc/icinga2/conf.d/api-users.conf' already existing, skipping.
information/cli: Enabling the 'api' feature.
warning/cli: Feature 'api' already enabled.
Done.

Now restart your Icinga 2 daemon to finish the installation!

acheron:~ gunnar$ ls -l i2/etc/icinga2/pki
total 56
-rw-r--r--  1 gunnar  staff  1826 Nov 25 17:23 acheron.beutner.name.crt
-rw-------  1 gunnar  staff  3247 Nov 25 17:23 acheron.beutner.name.key
-rw-r--r--  1 gunnar  staff  1688 Nov 26 07:59 acheron.crt
-rw-r--r--  1 gunnar  staff  1582 Nov 26 07:59 acheron.csr
-rw-------  1 gunnar  staff  3247 Nov 26 07:59 acheron.key
-rw-r--r--  1 gunnar  staff  1696 Nov 26 07:59 ca.crt
-rw-r--r--  1 root    staff  2025 Nov 26 07:59 ca.crt.orig
acheron:~ gunnar$
```

@icinga-migration

Updated by gbeutner on 2015-11-26 07:01:38 +00:00

Oh, never mind, it did overwrite one of the certificates: ca.crt
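The two comments above show the failure mode precisely: the existing identity is acheron.beutner.name.crt/.key, the setup command looked for a certificate under a different name (acheron), concluded that nothing existed, generated a fresh CA and replaced the trust anchor in /etc/icinga2/pki/ca.crt (leaving only ca.crt.orig behind). The changeset title, "Use the NodeName constant in 'api setup'", is the fix: the pre-flight check must look for the name Icinga is actually configured with. The following Python model is an added example for this issue and is not Icinga 2's own code. It assumes the pre-fix check derived the name from the short host name (the issue shows acheron.crt being generated, but not the exact derivation), uses constructed stand-in PEM bytes rather than real keys, and runs entirely inside a temporary directory. It also adds a post-run check a defender would want: if ca.crt.orig exists and its hash differs from ca.crt, the CA the node trusts has silently changed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file; used to tell whether a trust anchor was swapped."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def identity_name_from_hostname(hostname: str) -> str:
    """Assumed pre-fix behaviour: the short host name ('acheron' for 'acheron.beutner.name')."""
    return hostname.split(".")[0]


def identity_name_from_nodename(node_name: str) -> str:
    """Fixed behaviour: the configured NodeName constant, taken verbatim."""
    return node_name


def has_identity(pki_dir: Path, name: str) -> bool:
    """True when both <name>.crt and <name>.key already exist in the pki directory.
    Only the pki directory counts; the local CA directory may legitimately be empty."""
    return (pki_dir / f"{name}.crt").is_file() and (pki_dir / f"{name}.key").is_file()


def constructed_pem(label: str) -> bytes:
    """Constructed stand-in for PEM output; the random tail makes every 'generated' CA distinct."""
    return f"-----BEGIN CERTIFICATE----- constructed {label} {os.urandom(4).hex()}\n".encode()


def api_setup(pki_dir: Path, ca_dir: Path, name: str) -> list:
    """Simulated 'api setup': skip entirely when the identity exists, else generate CA + node cert.

    Mirrors the log lines in the issue: a new CA under ca_dir, a node certificate
    under pki_dir, and the CA certificate copied to pki_dir/ca.crt with any
    existing ca.crt moved aside as ca.crt.orig. Returns the list of actions taken.
    """
    actions = []
    if has_identity(pki_dir, name):
        actions.append(f"certificate '{name}' already exists, skipping")
        return actions
    ca_dir.mkdir(parents=True, exist_ok=True)
    pki_dir.mkdir(parents=True, exist_ok=True)
    (ca_dir / "ca.key").write_bytes(constructed_pem("ca-key"))
    (ca_dir / "ca.crt").write_bytes(constructed_pem("ca-cert"))
    actions.append("generated new CA")
    (pki_dir / f"{name}.key").write_bytes(constructed_pem(f"{name}-key"))
    (pki_dir / f"{name}.crt").write_bytes(constructed_pem(f"{name}-cert"))
    actions.append(f"generated certificate '{name}'")
    target = pki_dir / "ca.crt"
    if target.exists():
        shutil.copy2(target, pki_dir / "ca.crt.orig")
        actions.append("backed up ca.crt to ca.crt.orig")
    shutil.copy2(ca_dir / "ca.crt", target)
    actions.append("copied CA certificate to pki/ca.crt")
    return actions


def ca_was_replaced(pki_dir: Path) -> bool:
    """Post-run check: a ca.crt.orig whose hash differs from ca.crt means the trust anchor changed."""
    orig, current = pki_dir / "ca.crt.orig", pki_dir / "ca.crt"
    if not (orig.is_file() and current.is_file()):
        return False
    return sha256_file(orig) != sha256_file(current)


def seed_existing_identity(pki_dir: Path, node_name: str) -> None:
    """Constructed starting state from the issue: ca.crt plus <NodeName>.crt/.key, no local CA dir."""
    pki_dir.mkdir(parents=True, exist_ok=True)
    (pki_dir / "ca.crt").write_bytes(constructed_pem("original-ca"))
    (pki_dir / f"{node_name}.crt").write_bytes(constructed_pem("node-cert"))
    (pki_dir / f"{node_name}.key").write_bytes(constructed_pem("node-key"))


def run_scenario(use_nodename: bool) -> dict:
    """Run the simulated setup against the issue's layout with either name derivation."""
    hostname = "acheron.beutner.name"   # constructed; matches the host in the issue
    node_name = "acheron.beutner.name"  # NodeName left at its default, the FQDN
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pki_dir, ca_dir = root / "etc/icinga2/pki", root / "var/lib/icinga2/ca"
        seed_existing_identity(pki_dir, node_name)
        before = sha256_file(pki_dir / "ca.crt")
        name = (identity_name_from_nodename(node_name) if use_nodename
                else identity_name_from_hostname(hostname))
        actions = api_setup(pki_dir, ca_dir, name)
        return {
            "actions": actions,
            "ca_replaced": ca_was_replaced(pki_dir),
            "ca_unchanged": sha256_file(pki_dir / "ca.crt") == before,
            "files": sorted(p.name for p in pki_dir.iterdir()),
        }


if __name__ == "__main__":
    for label, flag in (("hostname-derived name", False), ("NodeName", True)):
        print(label, run_scenario(flag))
```

Running it with the hostname-derived name reproduces the listing in the comment above (acheron.crt/.key appear next to the untouched acheron.beutner.name.* files, and ca.crt.orig no longer matches ca.crt); with the NodeName it reports the identity as existing and leaves the directory unchanged. The ca_was_replaced check is cheap enough to run after any provisioning command on a node whose CA you did not intend to rotate.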

@icinga-migration

Updated by gbeutner on 2015-11-26 07:02:46 +00:00

  • Priority changed from Normal to High
  • Target Version set to 2.5.0

@icinga-migration

Updated by gbeutner on 2015-11-26 07:09:54 +00:00

  • Assigned to changed from mfriedrich to gbeutner

@icinga-migration

Updated by gbeutner on 2015-11-26 07:12:38 +00:00

  • Target Version changed from 2.5.0 to 2.4.1
  • Backport? changed from TBD to Yes

@icinga-migration

Updated by Anonymous on 2015-11-26 07:15:05 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 7f9337e.

@icinga-migration

Updated by mfriedrich on 2015-11-26 07:46:53 +00:00

Hm ok, thanks. My test setup does not modify the NodeName constant, just using the FQDN :)

@icinga-migration

Updated by mfriedrich on 2015-11-26 08:48:57 +00:00

  • Subject changed from api setup incorrectly overwrites existing certificates to API setup command incorrectly overwrites existing certificates

@icinga-migration icinga-migration added blocker Blocks a release or needs immediate attention bug Something isn't working area/cli Command line helpers labels Jan 17, 2017
@icinga-migration icinga-migration added this to the 2.4.1 milestone Jan 17, 2017