I have one Icinga2 master (mon-master) and one Icinga2 client (cl0). Both are Icinga2 v2.6.3. Today I successfully ran 'icinga2 node wizard' on cl0 but there seems to be something wrong with the certs. When I attempt to start Icinga2 on cl0 I see:

critical/SSL: Error on bio X509 AUX reading pem file '/etc/icinga2/pki/cl1-snmp.polyp.net.crt': 0, "error:00000000:lib(0):func(0):reason(0)"
critical/config: Error: Cannot get certificate from cert path: '/etc/icinga2/pki/cl1-snmp.polyp.net.crt'.
Location: in /etc/icinga2/features-enabled/api.conf: 5:1-5:24
/etc/icinga2/features-enabled/api.conf(3):  */
/etc/icinga2/features-enabled/api.conf(4):
/etc/icinga2/features-enabled/api.conf(5): object ApiListener "api" {
                                           ^^^^^^^^^^^^^^^^^^^^^^^^
/etc/icinga2/features-enabled/api.conf(6):   cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
/etc/icinga2/features-enabled/api.conf(7):   key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"

All the perms are correct on the files in /etc/icinga2/pki:

-rw-r--r-- 1 root   root   1720 May 12 08:59 ca.crt
-rw-r--r-- 1 icinga icinga   54 May 12 08:59 cl1-snmp.polyp.net.crt
-rw------- 1 icinga icinga 3243 May 12 08:57 cl1-snmp.polyp.net.crt.key
mr.zog
  • The slaves need to send data to this master at a hostname or IP that is different from what the master knows itself as. There is a VIP that sits between the master and all the slaves and that VIP resolves to www-master not mon-master. All inbound traffic that hits the VIP is sent to mon-master's IP. – mr.zog May 12 '17 at 20:05

1 Answer

I needed to update the IDO schema, believe it or not.

mysql -u root -p icinga < 2.6.0.sql

After that, the cert errors went away and Icinga2 would start.

mr.zog
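A pre-start check of the two files that api.conf's cert_path and key_path resolve to, added here as an example; it is not part of the original post or of Icinga2. The function names are hypothetical, and the sample files are constructed in a temporary directory, reusing only the NodeName and the file naming shown in the question's listing.

```python
import base64, os, re, tempfile

# One PEM block: BEGIN line, base64 body (possibly empty), matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_pem(path, allowed_labels):
    """Return a list of problems found in one PEM file (empty list = structurally sane)."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    m = PEM_RE.search(text)
    if not m:
        return [f"{path}: no PEM block ({len(text)} bytes)"]
    label, body = m.group(1), "".join(m.group(2).split())
    problems = []
    if label not in allowed_labels:
        problems.append(f"{path}: unexpected PEM label {label!r}")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + [f"{path}: PEM body is not valid base64"]
    # Certificates and private keys are both DER SEQUENCEs (first byte 0x30).
    if len(der) < 2 or der[0] != 0x30:
        problems.append(f"{path}: PEM body is not a DER SEQUENCE ({len(der)} bytes)")
    return problems

def check_api_listener_files(pki_dir, node_name):
    """Check the paths api.conf builds: <pki_dir>/<NodeName>.crt and <NodeName>.key."""
    cert = os.path.join(pki_dir, node_name + ".crt")
    key = os.path.join(pki_dir, node_name + ".key")
    return (check_pem(cert, {"CERTIFICATE", "TRUSTED CERTIFICATE"})
            + check_pem(key, {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}))

def demo():
    """Constructed sample files (not the poster's): an empty PEM envelope as the
    .crt and a key stored as <NodeName>.crt.key, the naming seen in the listing."""
    node = "cl1-snmp.polyp.net"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, node + ".crt"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n")
        with open(os.path.join(d, node + ".crt.key"), "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n")
        return check_api_listener_files(d, node)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

This is a structural check only; it does not verify that the certificate is signed by ca.crt or that the key matches the certificate.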