According to the documentation on https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/, all nodes in an Icinga monitoring setup need to share one CA, which is on the master node. But I think I'm missing something here, because the agent normally only talks to the satellite and not to the master, so TLS can't be correct.
I have a master node, multiple satellites and agents behind those satellites. The master has a CA. The satellites and most of the >20 agents are working fine. I'm using Ansible to manage all the installation and configuration, so the configuration is similar on all agents. Furthermore, the master is a Docker container, but that isn't a problem here. Only one single agent on one satellite has a problem. Maybe that is a problem left over from the first setup (without satellites). I removed all the PKI information on the agent and started again.
I did the following:
agent> icinga2 pki save-cert \
--key agent.key --cert agent.crt \
--trustedcert master.crt \
--host ${masterhost} --port ${masterport}
On the master I created a ticket:
master> icinga2 pki ticket --cn ${agent}
So I got the agent ticket.
Then I requested the certificate:
# --ca is the output path for the CA certificate, so it should be ca.crt, not ca.key
agent> icinga2 pki request \
--host ${masterhost} --port ${masterport} \
--ticket ${agentticket} \
--key agent.key --cert agent.crt \
--trustedcert master.crt --ca /etc/icinga2/pki/ca.crt
Now I think the agent would communicate with the master. But it should not communicate with the master, only with the satellite.
The zones configuration is:
/* Agent /etc/icinga2/zones.conf */
/* Define Monitoring Master Endpoint */
object Endpoint "satellite1.network" {
host = "ip"
port = "5665"
}
/* Define Monitoring Master Zone */
object Zone "satellite1.network" {
endpoints = [ "satellite1.network" ]
}
/* Define Monitoring Agent Endpoint (this host) */
object Endpoint NodeName {
host = NodeName
}
/* Define Monitoring Agent Zone */
object Zone ZoneName {
endpoints = [ NodeName ]
parent = "satellite1.network"
}
So the agent doesn't know about the master; it communicates only with the satellite host. So what must happen on the satellite happens: it ignores the agent, because it doesn't know the certificate.
satellite> tail /var/log/icinga2/icinga2.log
...
... warning/ApiListener: Certificate validation failed for endpoint 'agent': code 18: self signed certificate
...
So I did the steps above not against the master but against the satellite (replacing the masterhost with the satellitehost). But that ends in the situation that the satellite needs its own CA (which isn't what is documented in the manual). I could create one. But is this correct?
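An added check, not part of the original post, for the "code 18: self signed certificate" warning above: it verifies whether a node's certificate actually chains to the master CA or is still self-signed. It assumes the openssl CLI is installed; the file paths are example arguments.

```shell
#!/bin/sh
# Added example (not from the original post): check that an Icinga 2 node
# certificate was issued by the master CA rather than being self-signed.
# Assumes the openssl CLI is available.

# Return 0 if CERT chains to the CA in CAFILE, 1 otherwise, and explain why.
check_icinga_cert() {
    cert="$1"; cafile="$2"
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to the CA in $cafile"
        return 0
    fi
    # openssl rejected the chain; tell apart a self-signed certificate
    # (subject == issuer, OpenSSL verify code 18) from one issued by a
    # different, untrusted CA.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
        echo "FAIL: $cert is self-signed (subject == issuer)."
        echo "      It was never signed by the master CA; the signing request did not reach the CA."
    else
        echo "FAIL: $cert was issued by '$iss', which is not the CA in $cafile."
    fi
    return 1
}

# Usage on an agent, assuming the Icinga 2 default certificate directory:
#   check_icinga_cert /var/lib/icinga2/certs/$(hostname -f).crt /var/lib/icinga2/certs/ca.crt
```

Run the same check on the satellite with its own certificate: every node that takes part in the cluster, satellites included, must hold a certificate issued by the one master CA.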