Icinga2: Add CLI functionality to delete certificate requests

Created on 31 Jan 2018 · 7 comments · Source: Icinga/icinga2

I'm using Icinga 2.8.1 and the puppet-icinga2 module to distribute the Icinga 2 configuration.

149cd0ff2ee1c504a5a67433e5b094ea4c6bb925673ab9ef1498ae8e06c93f97 | Jan 29 11:35:06 2018 GMT | *      | CN = icinga-dc17.example.net
6a66d6dc968fda7c9c4f18acea143889d78304fdc81a8dc0d65343112dc02cd1 | Jan 30 15:03:15 2018 GMT |        | CN = icinga-dc17.example.net
72aa9890b9f5d3d10f67f712e92662d5ffec37bf4735d10fa23b808a011ccb85 | Dec  3 12:29:30 2016 GMT | *      | CN = icinga-dc17.example.net
dfbf1ed8f41e608f580cc542393a7204734765e904e4e56806c50b32b4a28520 | Jan 30 14:54:34 2018 GMT | *      | CN = icinga-dc17.example.net

after I've signed the certificate for icinga-dc17.example.net using:

icinga2 ca sign 6a66d6dc968fda7c9c4f18acea143889d78304fdc81a8dc1d65343112dc02cd1
information/cli: Signed certificate for 'CN = icinga-dc17.example.net'.

yet another certificate is generated.

Expected Behavior

There should be just one record for each host. I'd expect some command for cleaning certificates, like icinga2 ca remove hostname.

Current Behavior

The cluster check is claiming that the node is not connected:

Icinga 2 Cluster Problem: 1 Endpoints (icinga-dc17.example.net) not connected.

Same from the client side:

[2018-01-31 17:30:11 +0000] warning/ApiListener: Certificate validation failed for endpoint 'icinga-dc17.example.net': code 21: unable to verify the first certificate
Context:
        (0) Handling new API client connection

Possible Solution

Maybe a clean reinstall of the icinga2 package might help. I haven't tried it yet.

Steps to Reproduce (for bugs)

The issue might be connected to the upgrade from a previous Icinga version.

Your Environment

  • Version used: 2.8.1-1
  • Operating System and version: Debian (mostly 9, some 8 instances, packages from the Icinga 2 repo)
  • Enabled features (satellite): api checker mainlog
  • Enabled features (master): api checker command compatlog ido-pgsql influxdb mainlog notification perfdata statusdata
  • Cluster setup: 2 masters, 2 satellites, and many clients.

All 7 comments

Currently the only way is to manually delete the request from the disk. Being able to delete requests from the CLI sounds like a nice addition.

@Crunsher Thanks! On a satellite or a master node when I simply:

service icinga2 stop
rm -rf /var/lib/icinga2/certificate-requests/
service icinga2 start

the certificate requests are always recovered. So, a simple delete doesn't seem to be enough. I'm trying to configure Icinga 2 to use Puppet's certificates, so it's a bit confusing when CSRs keep reappearing.

/var/lib/icinga2/certificate-requests/ only stores requests that are forwarded; you'll want to look at /var/lib/icinga2/certs/. The structure is a bit confusingly named for legacy reasons :woman_shrugging:

Should be fairly simple to implement and is a great starter for a beginner's contribution.

  • Look at the current ca sub commands and clone the structure
  • Implement "ca delete" which takes one parameter value similar to "ca sign"
  • Check whether the file exists from building up its path
  • Delete it
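An added example, not Icinga's own code, of the four steps above plus the point raised later in the thread that a deletion has to be persisted so a re-sent CSR can be ignored. It assumes a storage layout of `<dir>/<fingerprint>.json` for pending requests and the 64-character lowercase SHA-256 fingerprints shown in the `ca list` output; the request is renamed to `<fingerprint>.removed` rather than unlinked so that the CA side can later tell "never seen" from "removed by the operator". The fingerprint is validated before any path is built, which is what keeps a command-line argument like `../../etc/passwd` from becoming a file path.

```cpp
// Added example (not Icinga's code): delete a stored certificate request
// safely and persist the deletion so a re-sent CSR is recognised.
#include <cctype>
#include <cstdio>
#include <fstream>
#include <string>
#include <sys/stat.h>

// Accept only 64 lowercase hex characters (assumed fingerprint format).
// Anything else, including "/" or "..", is rejected before path building.
static bool IsValidFingerprint(const std::string& fp) {
    if (fp.size() != 64) return false;
    for (char c : fp) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isxdigit(uc) || std::isupper(uc)) return false;
    }
    return true;
}

static bool FileExists(const std::string& path) {
    struct stat st;
    return stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// 0 = removed, 1 = malformed fingerprint, 2 = no such request, 3 = rename failed.
// Renaming to <fp>.removed (assumed marker) persists the operator's decision.
int RemoveCertificateRequest(const std::string& requestDir, const std::string& fp) {
    if (!IsValidFingerprint(fp)) return 1;
    std::string path = requestDir + "/" + fp + ".json";
    if (!FileExists(path)) return 2;
    std::string removed = requestDir + "/" + fp + ".removed";
    if (std::rename(path.c_str(), removed.c_str()) != 0) return 3;
    return 0;
}

// The receiving side checks this before storing an incoming CSR again;
// a previously removed request is dropped instead of being recreated.
bool IsRemovedRequest(const std::string& requestDir, const std::string& fp) {
    return IsValidFingerprint(fp) && FileExists(requestDir + "/" + fp + ".removed");
}

// Constructed test fixture (hypothetical helper): one pending request on disk.
bool SetupFixture(const std::string& requestDir, const std::string& fp) {
    mkdir(requestDir.c_str(), 0700);
    std::ofstream f((requestDir + "/" + fp + ".json").c_str());
    f << "{\"cert_request\": \"constructed\"}";
    return f.good();
}
```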

I'm trying to implement this, but as deric said, simply deleting the file doesn't work. Also, there is nothing inside /var/lib/icinga2/certs/ pertaining to the CSR. Based on the logs it looks like the client keeps sending the CSR to the master. Is there any way to stop the client from doing this, aside from reconfiguring or uninstalling it manually?
Is it desirable behavior for the client to only send the CSR once, if that is even possible?

Clients will only send a CSR if their certificate is not valid or requires an update. You need to find a way to persist such deletion and ignore future requests.

Merged the linked PR.
