[dev.icinga.com #12901] Master won't accept satellite's cert created by node wizard. #4728

icinga-migration · 2016-10-12T14:08:55Z

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12901

Created by niklasmyr on 2016-10-12 14:08:55 +00:00

Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-10-12 14:08:55 +00:00 (in Redmine)

Icinga Version: 2.5.4-1~debmon8+4
Backport?: Not yet backported
Include in Changelog: 1

Hi,

When I'm trying to setup a new node with the node wizard I get the following in debuglog:

[2016-10-12 15:42:45 +0200] information/ApiListener: New client connection for identity 'SAhotfixdev01.sasverige.se' from [192.168.111.25]:48744 (certificate validation failed: code 18: self signed certificate)
[2016-10-12 15:42:45 +0200] notice/JsonRpcConnection: Received 'pki::RequestCertificate' message from 'SAhotfixdev01.sasverige.se'
[2016-10-12 15:42:45 +0200] warning/JsonRpcConnection: API client disconnected for identity 'SAhotfixdev01.sasverige.se'
[2016-10-12 15:42:45 +0200] debug/ApiListener: Not connecting to Endpoint 'SAhotfixdev01.sasverige.se' because the host/port attributes are missing.
[2016-10-12 15:43:45 +0200] debug/ApiListener: Not connecting to Endpoint 'SAhotfixdev01.sasverige.se' because the host/port attributes are missing.
[2016-10-12 15:44:45 +0200] debug/ApiListener: Not connecting to Endpoint 'SAhotfixdev01.sasverige.se' because the host/port attributes are missing.
[2016-10-12 15:46:45 +0200] debug/ApiListener: Not connecting to Endpoint 'SAhotfixdev01.sasverige.se' because the host/port attributes are missing.

I noticed that it fails the ssl verification due to it being selfsigned which never happened to my other satellites. However I tried to import the satellites CA on the Master node and then I can verify the cert with openssl verify -verbose SAhotfixdev01.sasverige.se.crt
SAhotfixdev01.sasverige.se.crt: OK

But it still won't work. Both master and satellite is using OpenSSL: 1.0.1t-1+deb8u5.

The text was updated successfully, but these errors were encountered:

dnsmichi · 2017-01-25T16:34:19Z

I'm not really sure what's the problem here. The first three log lines illustrate how a client with its self signed certificate connects to the master, send in a certificate request (including the pki ticket you've pasted into the node wizard cli command on the client) and then the client disconnects again. Thus it received the signed certificate and will update the locally (that's what node wizard is doing).

Is this still a problem on your side?

dnsmichi · 2017-03-09T14:54:25Z

Closing for no feedback received. I believe the issue on your side has been fixed.

icinga-migration added bug Something isn't working area/api REST API labels Jan 17, 2017

dnsmichi added the needs feedback We'll only proceed once we hear from you again label Jan 25, 2017

dnsmichi removed the bug Something isn't working label Feb 10, 2017

dnsmichi closed this as completed Mar 9, 2017

dnsmichi added area/distributed Distributed monitoring (master, satellites, clients) and removed area/api REST API needs feedback We'll only proceed once we hear from you again labels Mar 9, 2017

mngoe mentioned this issue Nov 18, 2017

icinga2 option generates self signed certificates that are rejected by master Icinga/puppet-icinga2#405

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[dev.icinga.com #12901] Master won't accept satellite's cert created by node wizard. #4728

[dev.icinga.com #12901] Master won't accept satellite's cert created by node wizard. #4728

icinga-migration commented Oct 12, 2016

dnsmichi commented Jan 25, 2017

dnsmichi commented Mar 9, 2017

[dev.icinga.com #12901] Master won't accept satellite's cert created by node wizard. #4728

[dev.icinga.com #12901] Master won't accept satellite's cert created by node wizard. #4728

Comments

icinga-migration commented Oct 12, 2016

dnsmichi commented Jan 25, 2017

dnsmichi commented Mar 9, 2017