The Agent has no access to its parent node, so we need to use connection-less mode.
If we use the "icinga ca sign" feature the Agent needs to be restarted after the certificate is signed on the master.
Install Icinga2 on Windows or Linux and configure it with the wizard for connectionless mode (Agent has no connection to a master or satellite). Wait until the Master or Satellite connects to the Agent and the csr is shown in "icinga2 ca list". Sign the certificate. The Agent will not be able to connect until the Agent is restarted.
Wizard parameters used on Windows:
Start-IcingaAgentInstallWizard -EmptyCA 1 -Hostname $hostname -CAPort 5665 -UseDirectorSelfService 0 -AgentVersion $icinga2AgentVersion -UpdateAgent $true -PackageSource $PSScriptRoot -CAEndpoint $null -AcceptConnections 0 -CAFile $PSScriptRoot\ca.crt -ServicePass $ServicePassword -ServiceUser "USER" -AddFirewallRule $true -RunInstaller -reconfigure -AddGlobalTemplates $true -GlobalZones @() -AddDirectorGlobal $true -ParentZone $ParentZone -EndpointConnections $ParentEndpoints -AllowVersionChanges $true -EmptyTicket 1 -InstallFrameworkPlugins 0 -InstallFrameworkService 0 -Endpoints $ParentEndpoints
After the cert is signed, the Agent should be restarted automatically to avoid a manual restart of the agent if multiple teams are involved in the process.
(icinga2 --version): 2.11.2
Some more information can be found at the Icinga2 Community Forum:
Icinga2 Community - Windows Agent
Icinga2 Community - Linux Agent
Parameters used to set up the agent on Windows:
Logs on the agent after the certificate is signed:
[2019-10-21 14:25:37 +0200] information/JsonRpcConnection: Received certificate update message for CN 'testvm.dom.local'
[2019-10-21 14:25:37 +0200] information/JsonRpcConnection: Updating CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
[2019-10-21 14:25:37 +0200] information/JsonRpcConnection: Updating client certificate for CN 'testvm.dom.local' in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//testvm.dom.local.crt'.
[2019-10-21 14:25:37 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'testvm.dom.local' at runtime and reconnecting the endpoints.
[2019-10-21 14:25:37 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sat03.dom.local'
[2019-10-21 14:25:38 +0200] warning/ApiListener: Removing API client for endpoint 'sat03.dom.local'. 0 API clients left.
[2019-10-21 14:25:47 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Sending config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Finished sending config file updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Finished sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/ApiListener: Finished syncing endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:47 +0200] information/JsonRpcConnection: Received certificate update message for CN 'testvm.dom.local'
[2019-10-21 14:25:47 +0200] information/JsonRpcConnection: Updating CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
[2019-10-21 14:25:47 +0200] information/JsonRpcConnection: Updating client certificate for CN 'testvm.dom.local' in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//testvm.dom.local.crt'.
[2019-10-21 14:25:47 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'testvm.dom.local' at runtime and reconnecting the endpoints.
[2019-10-21 14:25:47 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sat03.dom.local'
[2019-10-21 14:25:47 +0200] warning/ApiListener: Removing API client for endpoint 'sat03.dom.local'. 0 API clients left.
[2019-10-21 14:25:57 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Sending config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Finished sending config file updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Finished sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/ApiListener: Finished syncing endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:25:57 +0200] information/JsonRpcConnection: Received certificate update message for CN 'testvm.dom.local'
[2019-10-21 14:25:57 +0200] information/JsonRpcConnection: Updating CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
[2019-10-21 14:25:57 +0200] information/JsonRpcConnection: Updating client certificate for CN 'testvm.dom.local' in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//testvm.dom.local.crt'.
[2019-10-21 14:25:57 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'testvm.dom.local' at runtime and reconnecting the endpoints.
[2019-10-21 14:25:57 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sat03.dom.local'
[2019-10-21 14:25:57 +0200] warning/ApiListener: Removing API client for endpoint 'sat03.dom.local'. 0 API clients left.
[2019-10-21 14:26:07 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Sending config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Finished sending config file updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Finished sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/ApiListener: Finished syncing endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:07 +0200] information/JsonRpcConnection: Received certificate update message for CN 'testvm.dom.local'
[2019-10-21 14:26:07 +0200] information/JsonRpcConnection: Updating CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
[2019-10-21 14:26:07 +0200] information/JsonRpcConnection: Updating client certificate for CN 'testvm.dom.local' in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//testvm.dom.local.crt'.
[2019-10-21 14:26:07 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'testvm.dom.local' at runtime and reconnecting the endpoints.
[2019-10-21 14:26:07 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sat03.dom.local'
[2019-10-21 14:26:07 +0200] warning/ApiListener: Removing API client for endpoint 'sat03.dom.local'. 0 API clients left.
[2019-10-21 14:26:16 +0200] information/ConfigObject: Dumping program state to file 'C:\ProgramData\icinga2\var\lib\icinga2/icinga2.state'
[2019-10-21 14:26:17 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Sending config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Finished sending config file updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Finished sending replay log for endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/ApiListener: Finished syncing endpoint 'sat03.dom.local' in zone 'sat03.dom.local'.
[2019-10-21 14:26:17 +0200] information/JsonRpcConnection: Received certificate update message for CN 'testvm.dom.local'
[2019-10-21 14:26:17 +0200] information/JsonRpcConnection: Updating CA certificate in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//ca.crt'.
[2019-10-21 14:26:17 +0200] information/JsonRpcConnection: Updating client certificate for CN 'testvm.dom.local' in 'C:\ProgramData\icinga2\var\lib\icinga2/certs//testvm.dom.local.crt'.
[2019-10-21 14:26:17 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'testvm.dom.local' at runtime and reconnecting the endpoints.
[2019-10-21 14:26:17 +0200] warning/JsonRpcConnection: API client disconnected for identity 'sat03.dom.local'
[2019-10-21 14:26:17 +0200] warning/ApiListener: Removing API client for endpoint 'sat03.dom.local'. 0 API clients left.
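A check for the loop visible in the log above (certificate update received, then a new certificate requested again about ten seconds later), as an added example that is not part of the original report or of Icinga 2. The function names, the thresholds and the generated sample lines are assumptions; only the two log message formats are taken from the log quoted above.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\] \w+/\w+: (.*)$")
UPDATE = re.compile(r"Received certificate update message for CN '([^']+)'")
REQUEST = re.compile(
    r"Requesting new certificate for this Icinga instance from endpoint '([^']+)'")


def find_cert_loops(log_text, max_gap=timedelta(seconds=30), min_cycles=3):
    """Count 'update received -> certificate requested again' cycles.

    Returns {(cn, endpoint): cycles} for pairs seen at least min_cycles times.
    The thresholds are assumptions, not values from Icinga 2.
    """
    cycles, last_update = {}, None  # last_update = (timestamp, cn)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line (wrapped or damaged text)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        upd, req = UPDATE.search(m.group(2)), REQUEST.search(m.group(2))
        if upd:
            last_update = (ts, upd.group(1))
        elif req and last_update and ts - last_update[0] <= max_gap:
            key = (last_update[1], req.group(1))
            cycles[key] = cycles.get(key, 0) + 1
            last_update = None  # one request closes one cycle
    return {k: n for k, n in cycles.items() if n >= min_cycles}


def sample_log(rounds):
    """Constructed lines in the format of the agent log quoted in the report."""
    out, t = [], datetime(2019, 10, 21, 14, 25, 37)
    for _ in range(rounds):
        out.append(t.strftime("[%Y-%m-%d %H:%M:%S +0200] ") +
                   "information/JsonRpcConnection: Received certificate "
                   "update message for CN 'testvm.dom.local'")
        t += timedelta(seconds=10)
        out.append(t.strftime("[%Y-%m-%d %H:%M:%S +0200] ") +
                   "information/ApiListener: Requesting new certificate for "
                   "this Icinga instance from endpoint 'sat03.dom.local'.")
    return "\n".join(out)


if __name__ == "__main__":
    for (cn, endpoint), n in find_cert_loops(sample_log(5)).items():
        print(f"{cn}: {n} certificate update/re-request cycles via {endpoint}")
```

A single update followed by one request stays below `min_cycles` and is not reported, so an ordinary one-off renewal does not trigger the check.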
@mcktr Thanks for looking into this and actually fixing it. It definitely is something new with 2.11 since this worked before.
@lippserd I consider this important for 2.12, since it breaks the CA proxy / CSR signing functionality. Might affect customers as well @widhalmt