[dev.icinga.com #10641] API setup command incorrectly overwrites existing certificates #3670

Closed
icinga-migration opened this issue Nov 16, 2015 · 12 comments

commented Nov 16, 2015

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10641

Created by mfriedrich on 2015-11-16 09:51:04 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2015-11-26 07:15:05 +00:00)
Target Version: 2.4.1
Last Update: 2015-11-26 08:48:57 +00:00 (in Redmine)

Icinga Version: 2.4.0
Backport?: Already backported
Include in Changelog: 1

Changesets

2015-11-26 07:11:02 +00:00 by (unknown) 7f9337e

Use the NodeName constant in 'api setup'

fixes #10641

2015-11-26 07:12:13 +00:00 by (unknown) 05af1cb

Use the NodeName constant in 'api setup'

fixes #10641
@icinga-migration


commented Nov 20, 2015

Updated by jflach on 2015-11-20 14:06:51 +00:00

I could not reproduce this with 2.4 or the current master.

Icinga2 notified me that certificates already existed and skipped the certificate creation, which is the expected behaviour.

@icinga-migration


commented Nov 21, 2015

Updated by gbeutner on 2015-11-21 03:38:23 +00:00

  • Status changed from New to Assigned
  • Assigned to set to mfriedrich
@icinga-migration


commented Nov 23, 2015

Updated by mfriedrich on 2015-11-23 14:58:41 +00:00

The client is set up as follows:

  • ca.crt, client.crt and client.key in /etc/icinga2/pki
  • nothing inside /etc/icinga2/pki

When api setup is executed, the content in /etc/icinga2/pki must not be overridden (/var/lib/icinga2/ca can be empty, and does not qualify for a check).

@icinga-migration


commented Nov 25, 2015

Updated by mfriedrich on 2015-11-25 14:27:48 +00:00

There's already a check for an existing certificate key file in /etc/icinga2/pki, so I'm not sure what happened last week during the tests.

@icinga-migration


commented Nov 26, 2015

Updated by gbeutner on 2015-11-26 07:00:22 +00:00

Well, apparently it's not overwriting existing certificate files, but it's creating additional certificates:

acheron:~ gunnar$ ls -l i2/var/lib/icinga2/ca
ls: i2/var/lib/icinga2/ca: No such file or directory
acheron:~ gunnar$ ls -l i2/etc/icinga2/pki
total 24
-rw-r--r--  1 gunnar  staff  1826 Nov 25 17:23 acheron.beutner.name.crt
-rw-------  1 gunnar  staff  3247 Nov 25 17:23 acheron.beutner.name.key
-rw-r--r--  1 gunnar  staff  2025 Nov 25 17:23 ca.crt
acheron:~ gunnar$ sudo icinga2 api setup
information/cli: Generating new CA.
information/base: Writing private key to '/Users/gunnar/i2/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/Users/gunnar/i2/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/Users/gunnar/i2/etc/icinga2/pki/acheron.csr'.
information/base: Writing private key to '/Users/gunnar/i2/etc/icinga2/pki/acheron.key'.
information/base: Writing certificate signing request to '/Users/gunnar/i2/etc/icinga2/pki/acheron.csr'.
information/cli: Signing CSR with CA and writing certificate to '/Users/gunnar/i2/etc/icinga2/pki/acheron.crt'.
information/cli: Copying CA certificate to '/Users/gunnar/i2/etc/icinga2/pki/ca.crt'.
information/cli: Created backup file '/Users/gunnar/i2/etc/icinga2/pki/ca.crt.orig'.
information/cli: API user config file '/Users/gunnar/i2/etc/icinga2/conf.d/api-users.conf' already existing, skipping.
information/cli: Enabling the 'api' feature.
warning/cli: Feature 'api' already enabled.
Done.

Now restart your Icinga 2 daemon to finish the installation!

acheron:~ gunnar$ ls -l i2/etc/icinga2/pki
total 56
-rw-r--r--  1 gunnar  staff  1826 Nov 25 17:23 acheron.beutner.name.crt
-rw-------  1 gunnar  staff  3247 Nov 25 17:23 acheron.beutner.name.key
-rw-r--r--  1 gunnar  staff  1688 Nov 26 07:59 acheron.crt
-rw-r--r--  1 gunnar  staff  1582 Nov 26 07:59 acheron.csr
-rw-------  1 gunnar  staff  3247 Nov 26 07:59 acheron.key
-rw-r--r--  1 gunnar  staff  1696 Nov 26 07:59 ca.crt
-rw-r--r--  1 root    staff  2025 Nov 26 07:59 ca.crt.orig
acheron:~ gunnar$ 
@icinga-migration


commented Nov 26, 2015

Updated by gbeutner on 2015-11-26 07:01:38 +00:00

Oh, never mind, it did overwrite one of the certificates: ca.crt

@icinga-migration


commented Nov 26, 2015

Updated by gbeutner on 2015-11-26 07:02:46 +00:00

  • Priority changed from Normal to High
  • Target Version set to 2.5.0
@icinga-migration


commented Nov 26, 2015

Updated by gbeutner on 2015-11-26 07:09:54 +00:00

  • Assigned to changed from mfriedrich to gbeutner
@icinga-migration


commented Nov 26, 2015

Updated by gbeutner on 2015-11-26 07:12:38 +00:00

  • Target Version changed from 2.5.0 to 2.4.1
  • Backport? changed from TBD to Yes
@icinga-migration


commented Nov 26, 2015

Updated by Anonymous on 2015-11-26 07:15:05 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 7f9337e.

@icinga-migration


commented Nov 26, 2015

Updated by mfriedrich on 2015-11-26 07:46:53 +00:00

Hm ok thanks. My test setup does not modify the NodeName constant, just using fqdn :)

@icinga-migration


commented Nov 26, 2015

Updated by mfriedrich on 2015-11-26 08:48:57 +00:00

  • Subject changed from api setup incorrectly overwrites existing certificates to API setup command incorrectly overwrites existing certificates
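
A way to check for the effect reported in this thread before restarting the daemon: snapshot the PKI directory before and after `icinga2 api setup`, then list which files were added or overwritten. This is an added example, not part of the original thread or of Icinga 2's code; the function names `snapshot`, `compare` and `demo` are hypothetical, and the file contents written by `demo` are constructed stand-ins that mimic the logged session.

```shell
#!/bin/sh
# Added example: report files a setup run added to or overwrote in a PKI directory.

hash_file() {  # SHA-256 of one file, using whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | cut -d' ' -f1
}

snapshot() {  # snapshot DIR -> one "hash name" line per regular file
    for f in "$1"/*; do
        if [ -f "$f" ]; then printf '%s %s\n' "$(hash_file "$f")" "${f##*/}"; fi
    done
}

compare() {  # compare BEFORE AFTER -> sorted ADDED/OVERWRITTEN/REMOVED lines
    # Assumes file names without whitespace, as in the directory listing above.
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { seen[$2] = 1 }
         !($2 in old)  { print "ADDED " $2; next }
         old[$2] != $1 { print "OVERWRITTEN " $2 }
         END { for (n in old) if (!(n in seen)) print "REMOVED " n }' "$1" "$2" |
    LC_ALL=C sort
}

demo() {  # replay the session from the thread on constructed files
    w=$(mktemp -d) || return 1
    mkdir "$w/pki"
    # Constructed stand-ins for the pre-existing files (not real keys).
    echo 'old node cert' > "$w/pki/acheron.beutner.name.crt"
    echo 'old node key'  > "$w/pki/acheron.beutner.name.key"
    echo 'old CA cert'   > "$w/pki/ca.crt"
    snapshot "$w/pki" > "$w/before"
    # Simulated effect of the logged run: backup, new ca.crt, new acheron.* files.
    cp "$w/pki/ca.crt" "$w/pki/ca.crt.orig"
    echo 'new CA cert' > "$w/pki/ca.crt"
    for ext in crt csr key; do echo "new $ext" > "$w/pki/acheron.$ext"; done
    snapshot "$w/pki" > "$w/after"
    compare "$w/before" "$w/after"
    rm -rf "$w"
}

demo
```

On a real host, write `snapshot /etc/icinga2/pki` to a file before running the command and again afterwards, then pass both files to `compare`; any `OVERWRITTEN` line for `ca.crt` or a key file means the trust material changed.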