Implement support for migrating certificates to /var/lib/icinga2/certs #5682

Merged
merged 1 commit into master from feature/cert-migration, Oct 20, 2017

Conversation

gunnarbeutner
Contributor

@gunnarbeutner gunnarbeutner commented Oct 16, 2017

fixes #5679

@gunnarbeutner gunnarbeutner added this to the 2.8.0 milestone Oct 16, 2017
@gunnarbeutner gunnarbeutner added area/distributed Distributed monitoring (master, satellites, clients) area/configuration DSL, parser, compiler, error handling area/documentation End-user or developer help labels Oct 16, 2017
@dnsmichi
Contributor

Fixed the example configuration and slightly adapted the docs. Will continue with my review.

@gunnarbeutner gunnarbeutner force-pushed the feature/cert-migration branch 2 times, most recently from 7b9475a to e9c793b, October 19, 2017 07:29
@dnsmichi
Contributor

Tests

mbmif /usr/local/icinga2 (master *) # ls -lah etc/icinga2/pki
total 48
drwxr-xr-x   7 icinga  icinga   224B Aug 23 16:33 .
drwxr-xr-x  25 icinga  icinga   800B Oct 10 20:18 ..
-rw-r--r--   1 icinga  icinga   1.7K Aug 20  2016 ca.crt
-rw-r--r--   1 icinga  icinga   1.7K Aug 20  2016 mbmif.int.netways.de.crt
-rw-r--r--   1 icinga  icinga   1.6K Aug 20  2016 mbmif.int.netways.de.csr
-rw-------   1 icinga  icinga   3.2K Aug 20  2016 mbmif.int.netways.de.key
-rw-r--r--   1 root    icinga   5.9K Aug 23 16:34 test.csr
mbmif /usr/local/icinga2 (master *) # ls -lah var/lib/icinga2/
total 344
drwxr-xr-x  7 icinga  icinga   224B Oct 19 16:55 .
drwxr-xr-x  3 icinga  icinga    96B Sep  9  2015 ..
drwxr-xr-x  7 icinga  icinga   224B Jan 21  2016 api
drwx------  6 icinga  icinga   192B Aug 23 16:09 ca
-rw-------  1 icinga  icinga   171K Oct 17 09:03 icinga2.state
-rw-r--r--  1 icinga  icinga     0B Oct 17 09:03 modified-attributes.conf
drwx------  3 icinga  icinga    96B Nov 24  2015 repository

Copying the file fails due to the missing certs directory.

mbmif /usr/local/icinga2 (master *) # icinga2 daemon
[2017-10-19 16:56:35 +0200] information/cli: Icinga application loader (version: v2.7.1-263-g83e89639d; debug)
[2017-10-19 16:56:35 +0200] information/cli: Loading configuration file(s).
[2017-10-19 16:56:36 +0200] information/ConfigItem: Committing config item(s).
[2017-10-19 16:56:36 +0200] warning/ApiListener: Attribute 'key_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-19 16:56:36 +0200] warning/ApiListener: Attribute 'ca_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-19 16:56:36 +0200] warning/ApiListener: Attribute 'cert_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-19 16:56:36 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/mbmif.int.netways.de.crt' certificate file to '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt'
[2017-10-19 16:56:36 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/mbmif.int.netways.de.crt' key file to '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt'
[2017-10-19 16:56:36 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/mbmif.int.netways.de.crt' CA certificate file to '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt'
[2017-10-19 16:56:36 +0200] critical/SSL: Error on bio X509 AUX reading pem file '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt': 33558530, "error:02001002:lib(2):func(1):reason(2)"
[2017-10-19 16:56:36 +0200] critical/config: Error: Cannot get certificate from cert path: '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt'.
Location: in /usr/local/icinga2/etc/icinga2/features-enabled/api.conf: 4:1-4:24
/usr/local/icinga2/etc/icinga2/features-enabled/api.conf(2):  * The API listener is used for distributed monitoring setups.
/usr/local/icinga2/etc/icinga2/features-enabled/api.conf(3):  */
/usr/local/icinga2/etc/icinga2/features-enabled/api.conf(4): object ApiListener "api" {
                                                             ^^^^^^^^^^^^^^^^^^^^^^^^
/usr/local/icinga2/etc/icinga2/features-enabled/api.conf(5):   cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
/usr/local/icinga2/etc/icinga2/features-enabled/api.conf(6):   key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"

[2017-10-19 16:56:36 +0200] critical/config: 1 error
mbmif /usr/local/icinga2 (master *) # ls -lah /usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt
ls: /usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt: No such file or directory
mbmif /usr/local/icinga2 (master *) # ls -lah /usr/local/icinga2/var/lib/icinga2/certs/
ls: /usr/local/icinga2/var/lib/icinga2/certs/: No such file or directory

Will continue with a fix.
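
The failure above has two parts: the target directory does not exist, and all three copies read NodeName.crt, so the key and CA slots end up holding a certificate. As an added example (not code from this PR or from the Icinga 2 project), the following POSIX shell script does the same migration by hand with the checks that would have caught both problems: it creates the certs directory, copies the three files, keeps the private key at mode 0600, rejects any file whose PEM header is of the wrong type, compares the certificate's public key against the private key when openssl is installed, and writes a copy of api.conf without the deprecated cert_path/key_path/ca_path lines. The source and destination directories and the node name are parameters. That the daemon reads from the new certs directory once those attributes are unset is an assumption made here, not something this page states.

```shell
# Added example, not code from the Icinga 2 project: a manual, checked
# migration of the ApiListener files from the legacy pki directory to the
# per-node certs directory this PR introduces. Paths and the node name are
# parameters; nothing is hard-wired to the test host in the log above.
set -e

# pem_kind_ok FILE KIND   (KIND is "cert" or "key")
# Succeeds only if FILE carries the PEM header expected for KIND. The first
# test run above copied NodeName.crt into all three slots, so this check
# would have rejected the key and CA copies immediately.
pem_kind_ok() {
    case "$2" in
        cert) grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ;;
        key)  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" ;;
        *)    return 2 ;;
    esac
}

# migrate_certs SRC_DIR DST_DIR NODENAME
# Copies NODENAME.crt, NODENAME.key and ca.crt into DST_DIR, creating the
# directory first (the run above failed because it did not exist), keeping
# the private key at 0600 and verifying every copy by PEM type.
migrate_certs() {
    src="$1"; dst="$2"; node="$3"
    if [ ! -d "$dst" ]; then
        mkdir -p "$dst"
        chmod 0700 "$dst"
    fi
    for pair in "$node.crt:cert" "$node.key:key" "ca.crt:cert"; do
        f="${pair%%:*}"; kind="${pair##*:}"
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        pem_kind_ok "$src/$f" "$kind" || { echo "$src/$f is not a $kind" >&2; return 1; }
        cp "$src/$f" "$dst/$f"
    done
    chmod 0600 "$dst/$node.key"
    chmod 0644 "$dst/$node.crt" "$dst/ca.crt"
    pem_kind_ok "$dst/$node.crt" cert &&
        pem_kind_ok "$dst/$node.key" key &&
        pem_kind_ok "$dst/ca.crt" cert
}

# key_matches_cert DST_DIR NODENAME
# Stronger check when openssl is installed: the public key embedded in
# NODENAME.crt must equal the public key derived from NODENAME.key. A
# certificate paired with the wrong key is otherwise only noticed when the
# first TLS handshake fails.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key/cert check" >&2; return 0; }
    from_cert=$(openssl x509 -in "$1/$2.crt" -noout -pubkey)
    from_key=$(openssl pkey -in "$1/$2.key" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# strip_deprecated_paths IN_CONF OUT_CONF
# Writes a copy of api.conf without the cert_path/key_path/ca_path lines the
# daemon now warns about. Assumption (not stated on this page): with those
# attributes unset the ApiListener reads its files from the new certs
# directory, which is why they were copied there first.
strip_deprecated_paths() {
    sed -e '/^[[:space:]]*cert_path[[:space:]]*=/d' \
        -e '/^[[:space:]]*key_path[[:space:]]*=/d' \
        -e '/^[[:space:]]*ca_path[[:space:]]*=/d' "$1" > "$2"
}

# Usage: sh migrate-certs.sh SRC_DIR DST_DIR NODENAME
if [ "$#" -eq 3 ]; then
    migrate_certs "$1" "$2" "$3" && key_matches_cert "$2" "$3"
fi
```

Run it as sh migrate-certs.sh /etc/icinga2/pki /var/lib/icinga2/certs "$(hostname -f)" on a host whose NodeName is its FQDN, then point strip_deprecated_paths at features-enabled/api.conf and review the output before swapping it in. The functions can also be sourced and called one at a time.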

@dnsmichi
Contributor

Copy-paste errors with duplicated code. I've moved that into a generic function to avoid code duplication.

mbmif /usr/local/icinga2 (master *) # icinga2 daemon
[2017-10-20 09:52:26 +0200] information/cli: Icinga application loader (version: v2.7.1-263-g83e89639d; debug)
[2017-10-20 09:52:26 +0200] information/cli: Loading configuration file(s).
[2017-10-20 09:52:26 +0200] information/ConfigItem: Committing config item(s).
[2017-10-20 09:52:26 +0200] warning/ApiListener: Attribute 'key_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 09:52:26 +0200] warning/ApiListener: Attribute 'ca_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 09:52:26 +0200] warning/ApiListener: Attribute 'cert_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 09:52:26 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/mbmif.int.netways.de.crt' certificate file to '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.crt'
[2017-10-20 09:52:26 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/mbmif.int.netways.de.key' certificate file to '/usr/local/icinga2/var/lib/icinga2/certs//mbmif.int.netways.de.key'
[2017-10-20 09:52:26 +0200] warning/ApiListener: Copying '/usr/local/icinga2/etc/icinga2/pki/ca.crt' certificate file to '/usr/local/icinga2/var/lib/icinga2/certs//ca.crt'
[2017-10-20 09:52:26 +0200] information/ApiListener: My API identity: mbmif.int.netways.de

@dnsmichi
Contributor

This change should be as visible as possible. Therefore we should log a message which includes a URL to the upgrading docs.

mbmif /usr/local/icinga2 (master *) # icinga2 daemon
[2017-10-20 13:49:53 +0200] information/cli: Icinga application loader (version: v2.7.1-272-g643ad2096; debug)
[2017-10-20 13:49:53 +0200] information/cli: Loading configuration file(s).
[2017-10-20 13:49:53 +0200] information/ConfigItem: Committing config item(s).
[2017-10-20 13:49:53 +0200] warning/ApiListener: Attribute 'key_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 13:49:53 +0200] warning/ApiListener: Attribute 'ca_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 13:49:53 +0200] warning/ApiListener: Attribute 'cert_path' for object 'api' of type 'ApiListener' is deprecated and should not be used.
[2017-10-20 13:49:53 +0200] warning/ApiListener: Please read the upgrading documentation for v2.8: https://www.icinga.com/docs/icinga2/latest/doc/16-upgrading-icinga-2/
[2017-10-20 13:49:53 +0200] information/ApiListener: My API identity: mbmif.int.netways.de

This commit includes documentation too.

Signed-off-by: Michael Friedrich <michael.friedrich@icinga.com>
@dnsmichi dnsmichi merged commit a5b949b into master Oct 20, 2017
@dnsmichi dnsmichi deleted the feature/cert-migration branch November 8, 2017 11:51
@dnsmichi dnsmichi added the enhancement New feature or request label Nov 15, 2017
@dnsmichi dnsmichi removed the area/documentation End-user or developer help label Jan 16, 2018
Successfully merging this pull request may close these issues.

Migration path for improved certificate signing in the cluster