
According to the documentation on https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/, all nodes in an Icinga monitoring setup need to have one CA, which is on the master node. But I think I'm missing something here, because the agent normally only talks to the satellite and not to the master, so TLS can't be correct.

I have a master node, multiple satellites, and agents behind those satellites. The master has a CA. The satellites and most of the >20 agents are working fine. I'm using Ansible to manage all the installation and configuration, so the configuration is similar on all agents. Furthermore, the master is a Docker container, but that isn't a problem here. Only one single agent on one satellite has a problem. Maybe that is a problem from the first setup (without satellites). I removed all the PKI information on the agent and started again.

I did the following:

agent> icinga2 pki save-cert \
               --key agent.key --cert agent.crt \
               --trustedcert master.crt \
               --host ${masterhost} --port ${masterport}

On the master I created a ticket

master> icinga2 pki ticket --cn ${agent}

So I get the agent ticket.

Then I requested the certificate.

agent> icinga2 pki request \
               --host ${masterhost} --port ${masterport} \
               --ticket ${agentticket} \
               --key agent.key --cert agent.crt \
               --trustedcert master.crt --ca /etc/icinga2/pki/ca.key

Now I think the agent would communicate with the master. But it should not communicate with the master but with the satellite.

The zones configuration is:

/* Agent /etc/icinga2/zones.conf */

/* Define Monitoring Master Endpoint */
object Endpoint "satellite1.network" {
  host = "ip"
  port = "5665"
}

/* Define Monitoring Master Zone */
object Zone "satellite1.network" {
  endpoints = [ "satellite1.network" ]
}

/* Define Monitoring Agent Endpoint (this host) */
object Endpoint NodeName {
  host = NodeName
}

/* Define Monitoring Agent Zone */
object Zone ZoneName {
  endpoints = [ NodeName ]
  parent = "satellite1.network"
}

So, the agent doesn't know about the master; it communicates only with the satellite host. So what must happen on the satellite happens: it is ignoring the agent, because it doesn't know the certificate.

satellite> tail /var/log/icinga2/icinga2.log
...
... warning/ApiListener: Certificate validation failed for endpoint 'agent': code 18: self signed certificate
...

So, I did the things above not against the master but against the satellite (replacing the masterhost with the satellitehost). But that ends with the situation that the satellite needs its own CA (which isn't documented in the manual). I could create one. But is this correct?

TRW
  • Did you find a solution to this? – gxx Nov 15 '20 at 16:07
  • Yes and no. There is only one CA and that is on the master. The agent is talking (after the PKI setup) always with the satellite. Only for the PKI setup does the master need to be available for the agent. That is a fact. The "no" means I'm not 100% sure what I did, but I think the zone definition on my satellite was wrong. In my case, the master is populating the zone configuration under /etc/icinga/zone.d/. There is a dir satellite.network and that must contain a zone.conf with all agents with parent as satellite.network. In /etc/icinga2/zones.conf are all satellites with master as endpoint – TRW Nov 16 '20 at 17:22
  • So, in that case (everything is really well configured) the satellite seems to know about the agents' certificates. That sounds like magic, and that isn't good. Also, it could be possible that this happens in my case because in the first setup all agents were connected directly to the master and I didn't really remove anything. Also possible is that the master didn't know about the future organisation (zone wasn't defined) but it checks during PKI setup where the agent is located and integrates it in a wrong certificate path. I don't know... yet. – TRW Nov 16 '20 at 17:35
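An added example, not from the question or from the Icinga project, that reproduces the satellite's check with plain openssl: the "code 18" in the log line is OpenSSL's X509 verify error 18 (self-signed certificate at depth 0), which is what a node reports when the peer certificate was not issued by the CA it trusts. The CA, the agent name and all certificates are constructed in a temp dir and are assumptions, not real Icinga files.

```shell
#!/bin/sh
# Added example (not from the question or from Icinga): reproduce the check
# behind "Certificate validation failed ... code 18: self signed certificate"
# with plain openssl. Everything below is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Toy master CA: stands in for the single CA that lives on the master.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy Icinga CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Agent cert as it looks after a completed "pki request": a CSR signed by the
# master CA (hypothetical agent CN).
openssl req -newkey rsa:2048 -nodes -subj "/CN=agent.network" \
  -keyout "$WORK/agent.key" -out "$WORK/agent.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/agent.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/agent-signed.crt" >/dev/null 2>&1

# Agent cert whose request never completed: still the agent's own self-signed
# cert, which is exactly what the satellite rejects.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=agent.network" \
  -keyout "$WORK/agent2.key" -out "$WORK/agent-selfsigned.crt" >/dev/null 2>&1

# verify_code CA_CERT AGENT_CERT: prints 0 when AGENT_CERT chains to CA_CERT,
# otherwise the OpenSSL X509 verify error number (18 = depth-zero self-signed
# cert, the "code 18" from the satellite log). Exit status is always 0 so the
# function is safe to call under set -e.
verify_code() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# ca_fingerprint CERT: SHA-256 fingerprint, to compare the ca.crt the
# satellite trusts with the master's copy; the two must be identical.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/.*=//'
}

echo "signed agent cert -> code $(verify_code "$WORK/ca.crt" "$WORK/agent-signed.crt")"
echo "self-signed agent cert -> code $(verify_code "$WORK/ca.crt" "$WORK/agent-selfsigned.crt")"
echo "CA fingerprint: $(ca_fingerprint "$WORK/ca.crt")"
```

Run the same two functions on a satellite against its trusted ca.crt and the agent's cert to tell a wrong CA copy apart from an agent that still presents its initial self-signed certificate.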
