-
-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
icinga2 option generates self signed certificates that are rejected by master #332
Comments
That you describe is the expected behavior. For the very first time the client requires a self sign certificate to establish the connection a connection to the ca on the master to send a certificate request. The icinga2::feature::api class has to know the ticket salt from the master to authenticate its request against the master. |
But there is a security risk because at the moment the ticket salt is also written to the config api.conf on the client. See #325. |
So - with more debugging it looks like the ticket that is generated by the module is incorrect. In the puppet run I get:
However the correct ticket should be:
and when I pass it to the command it works fine:
Debugging further hoping to finally have a fix .... I set salt to TicketSalt that is set in /etc/icinga2/constants.conf using the module
|
Ok, looks strange. What happens if you set the ticket_salt of icinga2::feature::api directly on the client? |
I am not sure I understand the question. I set ticket_salt to the same value on both master and client using icinga2::feature::api. They are essentially identical. The ticket generated by the ruby code embedded in the module for some reason returns different value that the direct call to icinga2 does. |
Sorry I can't reproduce this. On my CentOS and Debian worked all fine. Please send your complete code. |
Ok, so I close this issue. |
I have the same error! |
How does your configuration look like? |
I mean the Puppet configuration/manifests, in order to reproduce the error. |
I'm having similar problems. Using
turned out to be quite helpful. The command should return:
Due to misconfiguration some of the certificates were issued by an incorrect master. |
Also observing the same issue. The certs are coming up self signed instead of signed by the ca. I've confirmed the ca.crt in /etc/icinga2/pki and /var/lib/icinga2/certs are the same (in this case, from the puppet master), and the client certs in both locations are self signed. |
Has this been addressed at some point? I'm also running into this issue, and so are many other people (at least according to Google search results). Not sure what to do about it, no real solution has been proposed so far. |
if you set $ticket_salt to the Ticket salt of the master node, the ticket on the node should be generated correctly. |
The procedure to configure a distributed setup is described in the docs. But the structure of the info could be better. See: class { '::icinga2': class { '::icinga2::pki::ca': } class { '::icinga2::feature::api': |
Something about this does not work for me. I've wiped the old PKI (CA and other certificates) and now try to setup everything from scratch. The ticket salt is set, and the CA cert is correctly retrieved and shown to me in the
It used to work fine in the past, so I'm pretty sure I've changed something and broke it, but there is essentially no debugging output. All I see is:
The certificate in
It should be signed / issued by Any idea how I can debug this further? I have already the |
Please post your manifest.
… On 25. Feb 2019, at 14:10, Karol Babioch ***@***.***> wrote:
Something about this does not work for me. I've wiped the old PKI (CA and other certificates) and now try to setup everything from scratch. The ticket salt is set, and the CA cert is correctly retrieved and shown to me in the node wizard. Then I'm asked for the salt. I'm executing the command on the master node and copy & paste the ticket salt over the the client, but after a while all I get is:
critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master 'xxx, 5665'. Please try again.
It used to work fine in the past, so I'm pretty sure I've changed something and broke it, but there is essentially no debugging output. All I see is:
certificate validation failed: code 18: self signed certificate
The certificate in /var/lib/icinga2/certs/ is self-signed and NOT signed by the CA, e.g.:
$ openssl x509 -noout -text -in *.crt | grep Issuer
Issuer: CN = xxx.xx
It should be signed / issued by Icinga CA, though, so something about the signing process is not working correctly :-/.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub <#332 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AEDqLYAglCjUSLfY3gY2cKwLyVemV2J9ks5vQ-C2gaJpZM4OKoiW>.
|
What exactly do you need and/or where do I find this manifest? What is really strange in my case is, that it works for one node, but not for the other. I've setup the whole environment multiple times now, just to be sure, but I can reproduce this and I'm not exactly sure how to best debug this. So what I did so far, is the following:
Not sure what is going on here, since it works for the one client, but not for the other one. It still successfully retrieved the root CA, so basic communication with the master's API is working. |
I've narrowed this bug down somewhat, but only now realized that this repository is dedicated to the Puppet module, but my bug is within Icinga 2 itself: Icinga/icinga2#6981 |
Expected Behavior
After running module on the new server the new icinga2 certificates are generated and signed by the master. New client is able to connect to the master.
Current Behavior
Currently certificates are generated as self-signed so master refuses the connections with the error:
Possible Solution
Additional step needs to be implemented to sign the certificate using token generated on master. The API call
/actions/generate-ticket
could be used.Steps to Reproduce (for bugs)
Context
I need to setup thousands of servers automatically in a clustered icinga2 environment. New servers should be able to connect to satellite/master automatically and securely without human involvement.
Your Environment
puppet module list
):puppet -V
): 4.10.1The text was updated successfully, but these errors were encountered: