Dear Icinga Masters,

We're about to deploy a simple satellite for our Icinga 2 (2.4.10) setup. The config should be okay, the master is connecting to the satellite, but we're getting the following error message (on the satellite):

[2016-07-07 12:25:23 +0000] information/ApiListener: New client connection for identity 'master.example.com' (client certificate not signed by CA)

The API configuration on the master looks like this:

/**
 * The API listener is used for distributed monitoring setups.
 */

object ApiListener "api" {
  cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
  key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
  ca_path = SysconfDir + "/icinga2/pki/ca.crt"

  ticket_salt = TicketSalt
}

We're using an external CA for the communication. The CA is split into Root CA, Intermediate CA, Issuing CA. All three PEM files are contained within /etc/icinga2/pki/ca.crt (on the master and the satellite).

Any idea why this happens? The certificates are good, the only thing that comes to my mind is that the certs are also used for the web frontend, so these are SSL server certs with corresponding usage remarks within the certificate. My code reading ability sucks today, so I can't tell if this is really checked within the code or if TlsStream just checks for a valid cert.

Any ideas how to debug this?

Many thanks,
Stephan


_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
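
One offline way to test the suspicion raised in the post (a certificate issued for server use only) and, for comparison, an incomplete CA bundle. This is an added example, not part of the original message and not Icinga code. It builds a constructed three-tier CA with made-up names and runs `openssl verify` with an explicit purpose; it assumes the `openssl` CLI (1.1.1 or later), and whether Icinga 2 enforces the same purpose check is not established here.

```bash
#!/usr/bin/env bash
# Added example. Throwaway PKI, all names constructed: root -> intermediate -> issuing -> leaf.

# new_csr NAME: fresh RSA key plus CSR with CN=NAME
new_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME.crt from NAME.csr (ISSUER equal to NAME means self-signed)
sign() {
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 2 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.crt" 2>/dev/null
  fi
}

# build_pki: create the CA chain and two leaf certificates in a temp dir and cd into it
build_pki() {
  cd "$(mktemp -d)" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server-only.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > server-client.ext
  new_csr root && sign root root ca.ext &&
  new_csr intermediate && sign intermediate root ca.ext &&
  new_csr issuing && sign issuing intermediate ca.ext &&
  new_csr server-only && sign server-only issuing server-only.ext &&
  new_csr server-client && sign server-client issuing server-client.ext &&
  cat root.crt intermediate.crt issuing.crt > ca.crt   # three-CA bundle, as in the post
}

# verify_as PURPOSE CAFILE CERT: print "ok" if the chain verifies for that purpose, else "fail"
verify_as() {
  if openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_pki || { echo "openssl failed to build the test PKI" >&2; exit 1; }
echo "server-only leaf, full bundle, checked as TLS server:   $(verify_as sslserver ca.crt server-only.crt)"
echo "server-only leaf, full bundle, checked as TLS client:   $(verify_as sslclient ca.crt server-only.crt)"
echo "server+client leaf, full bundle, checked as TLS client: $(verify_as sslclient ca.crt server-client.crt)"
echo "server+client leaf, root-only bundle (CAs missing):     $(verify_as sslclient root.crt server-client.crt)"
```

The same `openssl verify -purpose sslclient` call can be run against a real setup by pointing `-CAfile` at /etc/icinga2/pki/ca.crt and the last argument at the node's own certificate; dropping the `2>&1` redirection shows OpenSSL's reason for a failure.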
