[dev.icinga.com #12309] Icinga2 Clients are not connecting to their server #4433

Closed
icinga-migration opened this Issue Aug 4, 2016 · 11 comments

Member

icinga-migration commented Aug 4, 2016

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12309

Created by balu on 2016-08-04 06:41:22 +00:00

Assignee: (none)
Status: Closed (closed on 2016-08-04 08:24:42 +00:00)
Target Version: (none)
Last Update: 2016-08-04 08:24:42 +00:00 (in Redmine)

Icinga Version: 2.4.10
Backport?: Not yet backported
Include in Changelog: 1

Hi,

I do not know if it is a bug or my fault due to a wrong configuration.

I have installed CentOS 7 with all updates to Aug 03 2016 and the packages from the Icinga2 repo.

icinga2 - The Icinga 2 network monitoring daemon (version: v2.4.10)

Copyright (c) 2012-2016 Icinga Development Team (https://www.icinga.org/)
License GPLv2+: GNU GPL version 2 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Application information:
  Installation root: /usr
  Sysconf directory: /etc
  Run directory: /run
  Local state directory: /var
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

System information:
  Platform: CentOS Linux
  Platform version: 7 (Core)
  Kernel: Linux
  Kernel version: 3.10.0-327.22.2.el7.x86_64
  Architecture: x86_64

The backend is PostgreSQL, as the preferred database. All clients have the same OS and updates. On the server, I did a node wizard setup with master settings for creating the salt and the certificates. On the client, I did this with client settings. Every step as it is documented in your wiki (it is not the first setup).

Log of the client

[2016-08-04 08:37:01 +0200] warning/JsonRpcConnection: API client disconnected for identity 'icingaserver'
[2016-08-04 08:37:01 +0200] warning/ApiListener: Removing API client for endpoint 'icingaserver'. 0 API clients left.
[2016-08-04 08:37:05 +0200] information/JsonRpcConnection: Reconnecting to API endpoint 'icingaserver' via host 'icingaserver' and port '5665'
[2016-08-04 08:37:05 +0200] information/ApiListener: New client connection for identity 'icingaserver'
[2016-08-04 08:37:05 +0200] information/ApiListener: Sending config updates for endpoint 'icingaserver'.
[2016-08-04 08:37:05 +0200] information/ApiListener: Syncing runtime objects to endpoint 'icingaserver'.
[2016-08-04 08:37:05 +0200] information/ApiListener: Finished sending config updates for endpoint 'icingaserver'.
[2016-08-04 08:37:05 +0200] information/ApiListener: Sending replay log for endpoint 'icingaserver'.
[2016-08-04 08:37:05 +0200] information/ApiListener: Replayed 50 messages.
[2016-08-04 08:37:05 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingaserver'.

Log of the server

[2016-08-04 06:38:05 +0000] information/ApiListener: New client connection for identity 'icingaclient'
[2016-08-04 06:38:05 +0000] warning/TlsStream: OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

This seems to be a certificate issue. But if I run this command:

openssl verify -verbose -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/icingaclient.crt
/etc/icinga2/pki/icingaclient.crt: OK

The CA of server and client are identical. I tested this with openssl connect and it says OK. Have I missed something?

Thank you very much,
Ludwig


Relations:
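Added example, not part of the original issue or Icinga's code: a small Python parser for the log format quoted above that splits the TlsStream OpenSSL error into its fields and measures the client's disconnect-to-reconnect gap. The TlsStream line names no identity, so the script reports the error without assigning it to a client; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the client and server logs quoted in the post above.
CLIENT_LOG = """\
[2016-08-04 08:37:01 +0200] warning/JsonRpcConnection: API client disconnected for identity 'icingaserver'
[2016-08-04 08:37:01 +0200] warning/ApiListener: Removing API client for endpoint 'icingaserver'. 0 API clients left.
[2016-08-04 08:37:05 +0200] information/JsonRpcConnection: Reconnecting to API endpoint 'icingaserver' via host 'icingaserver' and port '5665'
"""
SERVER_LOG = """\
[2016-08-04 06:38:05 +0000] information/ApiListener: New client connection for identity 'icingaclient'
[2016-08-04 06:38:05 +0000] warning/TlsStream: OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
"""

LINE = re.compile(r"^\[([^\]]+)\] (\w+)/(\w+): (.*)$")
OSSL = re.compile(r"OpenSSL error: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
DISC = re.compile(r"API client disconnected for identity '([^']+)'")
RECON = re.compile(r"Reconnecting to API endpoint '([^']+)'")

def parse(text):
    """Yield (timezone-aware timestamp, severity, component, message) per log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip anything not shaped like "[ts] severity/Component: msg"
            yield (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S %z"), m[2], m[3], m[4])

def tls_errors(text):
    """OpenSSL errors from TlsStream as (timestamp, code, library, function, reason)."""
    hits = []
    for ts, _sev, comp, msg in parse(text):
        m = OSSL.search(msg) if comp == "TlsStream" else None
        if m:
            hits.append((ts, m[1], m[2], m[3], m[4]))
    return hits

def reconnect_gaps(text):
    """Seconds from each disconnect to the next reconnect attempt, per endpoint."""
    pending, gaps = {}, defaultdict(list)
    for ts, _sev, _comp, msg in parse(text):
        if m := DISC.search(msg):
            pending[m[1]] = ts
        elif (m := RECON.search(msg)) and m[1] in pending:
            gaps[m[1]].append((ts - pending.pop(m[1])).total_seconds())
    return dict(gaps)

if __name__ == "__main__":
    print(reconnect_gaps(CLIENT_LOG))
    for hit in tls_errors(SERVER_LOG):
        print(hit[0].isoformat(), *hit[1:], sep=" | ")
```

Because the timestamps are parsed with their UTC offsets, client lines at +0200 and server lines at +0000 can be compared directly.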

Member

icinga-migration commented Aug 4, 2016

Updated by pef on 2016-08-04 07:46:58 +00:00

Just an idea: could you try the latest snapshot packages? The error message of the certificate verification has been improved there and might give you a hint what's going on.

Member

icinga-migration commented Aug 4, 2016

Updated by balu on 2016-08-04 08:02:52 +00:00

Hmm icinga does not start any more without a good error message ;) I will do some troubleshooting.

Member

icinga-migration commented Aug 4, 2016

Updated by balu on 2016-08-04 08:07:58 +00:00

Okay, there is an ido-pgsql mismatch. The daemon says it is necessary to install 1.14.1, but I am using 1.14.0.

For troubleshooting reasons I disabled the IDO. Now it works with 'icinga2 node update-config'.

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:14:58 +00:00

The snapshot packages target 2.5.0, which involves an IDO schema upgrade found in upgrade/2.5.0.sql. Right now there are no more schema changes expected, so you can safely upgrade it. If you prefer to step back to 2.4.10 for the time being, it's backwards compatible (running 2.4.10 with 1.14.1 works, tested).

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:15:22 +00:00

  • Relates set to 12100

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:16:19 +00:00

  • Category set to Cluster
  • Status changed from New to Feedback
  • Assigned to set to balu

I assume it is the same issue as with #12100 and related linked issues. Thanks for the heads up @pef

Member

icinga-migration commented Aug 4, 2016

Updated by balu on 2016-08-04 08:17:24 +00:00

That's very nice. Now everything works as expected. Thank you very much. Will this fix be in the next update? I don't want to stay on snapshot in production.

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:19:46 +00:00

We've been heavily testing this fix and other related issues in a customer environment in the past weeks. Once we resolve the remaining notification issues the next release will be 2.5.0 including all of them, including the faulty client disconnect inherited from other ssl errors (other clients with wrong CA, and so on).

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:20:40 +00:00

  • Relates set to 12092

Member

icinga-migration commented Aug 4, 2016

Updated by balu on 2016-08-04 08:23:54 +00:00

Thanks michi. You guys are awesome. :) Feel free and close this ticket plz

Member

icinga-migration commented Aug 4, 2016

Updated by mfriedrich on 2016-08-04 08:24:42 +00:00

  • Status changed from Feedback to Closed
  • Assigned to deleted balu

Okidoki :)
