[dev.icinga.com #12092] Icinga incorrectly disconnects all endpoints if one has a wrong certificate

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12092

Created by lbetz on 2016-07-04 08:03:05 +00:00

Assignee: mfriedrich
Status: Closed (closed on 2016-07-11 15:06:32 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-22 11:45:10 +00:00 (in Redmine)

Icinga Version: 2.4.10
Backport?: Not yet backported
Include in Changelog: 1

---

I saw it first when a customer reinstalled the icinga server and forgot to backup the CA. After created a new CA, of course all agent had wrong certificates. Now after configured some agents with new and correct certificates the log on this agents show the disconnect to the endpoint on the master/satellite, i.e. log of agent antlia and its parent sculptor:

[2016-07-04 09:52:30 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sculptor'
[2016-07-04 09:52:30 +0200] warning/ApiListener: Removing API client for endpoint 'sculptor'. 0 API clients left.
[2016-07-04 09:52:30 +0200] information/JsonRpcConnection: Reconnecting to API endpoint 'sculptor' via host '172.16.2.11' and port '5665'
[2016-07-04 09:52:30 +0200] information/ApiListener: New client connection for identity 'sculptor'
[2016-07-04 09:52:30 +0200] information/ApiListener: Sending config updates for endpoint 'sculptor'.
[2016-07-04 09:52:30 +0200] information/ApiListener: Syncing runtime objects to endpoint 'sculptor'.
[2016-07-04 09:52:30 +0200] information/ApiListener: Finished sending config updates for endpoint 'sculptor'.
[2016-07-04 09:52:30 +0200] information/ApiListener: Sending replay log for endpoint 'sculptor'.
[2016-07-04 09:52:30 +0200] information/ApiListener: Finished sending replay log for endpoint 'sculptor'.

Data seem to reply to sculptor but only if the heartbeat notices that the connection isn't established.

That means if you have only one wrong cert all other agents with a correct one will be disconnected their connection. From this it follows that you have timing problems in your environment, because all data between endpoints will replied every 30 secs only.

---

Relations:

• relates #12100
• relates #12092

[icinga-migration]

Updated by mfriedrich on 2016-07-06 11:52:18 +00:00

• Status changed from New to Assigned
• Assigned to set to mfriedrich
• Priority changed from Normal to High

[icinga-migration]

Updated by mfriedrich on 2016-07-08 14:25:01 +00:00

• Relates set to 12100

[icinga-migration]

Updated by mfriedrich on 2016-07-11 15:06:32 +00:00

• Status changed from Assigned to Closed
• Target Version set to 2.5.0
• Done % changed from 0 to 100

Tested and resolved with #12100.

[icinga-migration]

Updated by mfriedrich on 2016-08-04 08:20:41 +00:00

• Relates set to 12309

[icinga-migration]

Updated by gbeutner on 2016-08-22 11:45:02 +00:00

• Subject changed from Disconnect all endpoints if one has a wrong cert to Icinga incorrectly disconnect all endpoints if one has a wrong certificate

[icinga-migration]

Updated by gbeutner on 2016-08-22 11:45:10 +00:00

• Subject changed from Icinga incorrectly disconnect all endpoints if one has a wrong certificate to Icinga incorrectly disconnects all endpoints if one has a wrong certificate