[BUG] API feature wrongfully disabled at the end of agent setup

[Kaelnor]

Hi,

I came across a bug while trying to deploy the Icinga2 Agent using the framework.
For reference, I'm integrating things with saltstack and tickets are generated in advance for each agent to be installed and connected to the master. The ca.crt is fetched directly by the agent during the signing process and not shared or copied beforehand.

I was using the now deprecated icinga-powershell-module for some time and everything worked fine.

Expected Behavior

The framework generates and sign the agent certificate using the ca.crt fetched from the master.
Default features are enabled after a successful install.

Current Behavior

After correctly generating and signing the certificate while installing the agent, the framework disables the API feature because it thinks that the ca.crt file is missing or not provided.

Possible Solution

I think the check after the certificate install process is wrong or not specific enough:

icinga-powershell-framework/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1

Line 564 in ac02ec7

if ($EmptyCA -eq $TRUE -Or $CertsInstalled -eq $FALSE) {

$EmptyCA is indeed True when I execute Start-IcingaAgentInstallWizard because at the beginning I don't have the CA file available. However, during the icinga2 pki request process, the CA file is fetched and correctly written in the certificate directory.

Steps to Reproduce (for bugs)

Here is the command executed for the installation

PS C:\Users\Administrator> Start-IcingaAgentInstallWizard `
 -UseDirectorSelfService 0 `
 -PackageSource 'https://packages.icinga.com/windows/' `
 -AllowVersionChanges 1 `
 -AgentVersion 'release' `
 -Endpoints master.example.com `
 -CAPort 5665 `
 -AcceptConnections 1`
 -CAFile ''`
 -EmptyCA 1`
 -AcceptConnections 1 `
 -AddFirewallRule 0 `
 -ConvertEndpointIPConfig 0 `
 -ParentZone master `
 -AddDirectorGlobal 1 `
 -AddGlobalTemplates 1 `
 -GlobalZones @() `
 -CAEndpoint 1.2.3.4 `
 -EmptyTicket 0 `
 -Ticket 'thisisaticket123456789' `
 -ServiceUser LocalSystem `
 -InstallFrameworkPlugins 1 `
 -PluginsUrl 'https://github.com/Icinga/icinga-powershell-plugins/archive/v1.1.0/v1.1.0.zip' `
 -InstallFrameworkService 1 `
 -FrameworkServiceUrl 'https://github.com/Icinga/icinga-powershell-service/releases/download/v1.1.0/icinga-service-v1.1.0.zip' `
 -ServiceDirectory 'C:\Program Files\icinga-framework-service\' `
 -ServiceBin 'C:\Program Files\icinga-framework-service\icinga-service.exe' `
 -RunInstaller

And here are the relevant log lines from the installation process:

[Warning]: Your ca.crt is not present. Manuall copy or fetching from your Icinga CA is required.
[Notice]: information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
information/cli: Writing signed certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\client.example.com.crt'.
[Notice]: Icinga certificates successfully installed
[Notice]: Api configuration has been written successfully
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent node for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the host certificate and a valid certificate request. After this you can enable the API feature by using "Enable-IcingaAgentFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"

If I manually enable the API and declare the zone and endpoint on the master, both connect successfully:

[2020-08-26 17:32:40 +0200] warning/JsonRpcConnection: API client disconnected for identity 'client.example.com'
[2020-08-26 17:32:40 +0200] warning/ApiListener: Removing API client for endpoint 'client.example.com'. 0 API clients left.
[2020-08-26 17:32:43 +0200] information/ApiListener: Reconnecting to endpoint 'client.example.com' via host 'client.example.com' and port '5665'
[2020-08-26 17:32:43 +0200] information/ApiListener: New client connection for identity 'client.example.com' to [4.3.2.1]:5665
[2020-08-26 17:32:43 +0200] information/ApiListener: Sending config updates for endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished sending config file updates for endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Syncing runtime objects to endpoint 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Sending replay log for endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished sending replay log for endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished syncing endpoint 'client.example.com' in zone 'client.example.com'.
[2020-08-26 17:32:43 +0200] information/ApiListener: Finished reconnecting to endpoint 'client.example.com' via host 'client.example.com' and port '5665'
[2020-08-26 17:32:43 +0200] information/JsonRpcConnection: Received certificate request for CN 'client.example.com' signed by our CA.
[2020-08-26 17:32:43 +0200] information/JsonRpcConnection: The certificate for CN 'client.example.com' is valid and uptodate. Skipping automated renewal.

Context

A simple installation process of the icinga2 agent. Both the agent and the master are on the same network. CA is available through the master API and the generated ticket is provided at install time.

Your Environment

• PowerShell Version used ($PSVersionTable.PSVersion): 5.1.14393.2273

• Operating System and version (Get-IcingaWindowsInformation Win32_OperatingSystem | Select-Object Version, BuildNumber, Caption):

Caption : Microsoft Windows Server 2016 Standard
OSArchitecture : 64-bit
Version : 10.0.14393
BuildNumber : 14393

[LordHepipud]

Thank you very much for the report. I will have a look onto this!

[LordHepipud]

Just out of curiosity: What happens if you remove these arguments?

-CAFile ''
-EmptyCA 1

Because I just saw your -CAEndpoint is set, which means you do not require to set this as far as I'm concerned.

[Kaelnor]

Thanks for opening this issue so quickly.

I tried the following in order:

1. Uninstall the agent with the Uninstall-IcingaAgent cmdlet.
2. Let the certificates from the previous setup in place.
3. Ran the Start-IcingaAgentInstallWizard again without setting EmptyCA and CAFile arguments.

However, as you can see in the log below, the installer asks Is your public Icinga 2 CA (ca.crt) available on a local, network or web share? if these arguments are not set. If I answer no, it sets them to their default values.

For what it's worth, I also get the same result when omitting either EmptyCA or CAFile and setting the other one.

Ideally, as I need to automate the process, I need to be able to execute the cmdlet without any interactive input so that's why I specified everything in the first place.

Is your public Icinga 2 CA (ca.crt) available on a local, network or web share? (Y/n): n
[Notice]: Downloading "Icinga Plugins" into "C:\Users\Administrator\AppData\Local\Temp\2\tmp_icinga839064050.d"
[Notice]: Installing module into "C:\Users\Administrator\AppData\Local\Temp\2\tmp_icinga839064050.d"
[Notice]: Using content of folder "C:\Users\Administrator\AppData\Local\Temp\2\tmp_icinga839064050.d\icinga-powershell-plugins-1.1.0" for updates
[Notice]: Copying files to Plugins
[Notice]: Cleaning temporary content
[Notice]: Unblocking Icinga PowerShell Files
[Notice]: Icinga Plugins update has been completed. Please start a new PowerShell to apply it
[Notice]: The wizard is complete. These are the configured settings:
========
-AcceptConnections 1
-CAFile ''
-EmptyCA 1
-InstallFrameworkPlugins 1
-PluginsUrl 'https://github.com/Icinga/icinga-powershell-plugins/archive/v1.1.0/v1.1.0.zip'
-RunInstaller

========
====
Start-IcingaAgentInstallWizard -AcceptConnections 1 -CAFile '' -EmptyCA 1 -InstallFrameworkPlugins 1 -PluginsUrl 'https://github.com/Icinga/icinga-powershell-plugins/archive/v1.1.0/v1.1.0.zip' -RunInstaller
====
[Notice]: Downloading Icinga 2 Agent installer "Icinga2-v2.12.0-x86_64.msi" into temp directory "C:\Users\ADMINI~1\AppData\Local\Temp\2\Icinga2-v2.12.0-x86_64.msi"
[Notice]: Installing new Icinga Agent version into "C:\Program Files\ICINGA2"
[Notice]: Icinga Agent was successfully installed
[Notice]: A backup of your default configuration is not required. A backup was already made
[Notice]: Your hostname was successfully changed to "client.example.com"
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Notice]: Service User successfully updated
[Notice]: Updating Icinga PowerShell Service binary
[Notice]: Stopping Icinga PowerShell service
[Notice]: Stopping service "icingapowershell"
[Warning]: The Icinga PowerShell Service is already installed
[Notice]: Service User successfully updated
[Notice]: Restarting service "icingapowershell"
[Notice]: Stopping service "icingapowershell"
[Notice]: Starting Icinga PowerShell service
[Notice]: Starting service "icingapowershell"
[Notice]: Service User successfully updated
[Notice]: Background daemon Cmdlet "Start-IcingaServiceCheckDaemon" has been configured
[Notice]: This feature is already disabled [checker]
[Notice]: This feature is already disabled [notification]
[Notice]: This feature is already enabled [api]
[Notice]: Icinga host certificates are present and valid. No generation required
[Notice]: Your trusted-parent.crt is present. No fetching or generation required
[Notice]: Your ca.crt is present. No generation or fetching required
[Notice]: Api configuration has been written successfully
[Notice]: Feature "api" was successfully disabled
[Warning]: Your Icinga Agent API feature has been disabled. Please provide either your ca.crt or connect to a parent node for certificate requests. You can run "Install-IcingaAgentCertificates" with your configuration to properly create the host certificate and a valid cer
tificate request. After this you can enable the API feature by using "Enable-IcingaAgentFeature api" and restart the Icinga Agent service "Restart-IcingaService icinga2"
[Notice]: Icinga Agent zones.conf has been written successfully
[Passed]: Icinga Agent service is installed
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and writeable by the Icinga Service User "NT Authority\SYSTEM"
[Passed]: Icinga Agent configuration is valid
[Passed]: Icinga Agent debug log is disabled
[Notice]: Restarting service "icingapowershell"
[Notice]: Restarting service "icinga2"

[LordHepipud]

This is a weird behavior and I'm currently not sure on why this occures. I will try some additional tests and check on how we can resolve this. The connection to Icinga and the execution of checks is working as expected?

[Kaelnor]

I can confirm that everything works fine after I manually enable the API feature at the end.