Dear Icinga Masters,
we're about to deploy a simple satellite for our Icinga 2 (2.4.10)
setup. The config should be okay, the master is connecting to the
satellite, but we're getting the following error message (on the
satellite):
[2016-07-07 12:25:23 +0000] information/ApiListener: New client connection for identity 'master.example.com' (client certificate not signed by CA)
The API configuration on the master looks like this:
/**
 * The API listener is used for distributed monitoring setups.
 */
object ApiListener "api" {
  cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
  key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
  ca_path = SysconfDir + "/icinga2/pki/ca.crt"
  ticket_salt = TicketSalt
}
We're using an external CA for the communication. The CA is split
into Root CA, Intermediate CA, Issuing CA. All three PEM files are
contained within /etc/icinga2/pki/ca.crt (on the master and the
satellite).
Any idea why this happens? The certificates are good, the only thing
that comes to my mind is that the certs are also used for the web
frontend, so these are SSL server certs with corresponding usage remarks
within the certificate. My code reading ability sucks today, so I can't
tell if this is really checked within the code or if TlsStream just
checks for a valid cert.
Any ideas how to debug this?
Many thanks,
Stephan
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
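
One way to test both questions the post raises outside of Icinga, as an added example that is not part of the original message or of the Icinga project: does the certificate chain to the three-part bundle, and is a certificate issued for server use accepted when verified as a client certificate. It assumes the `openssl` command-line tool; the lab CA names, the `example.test` subjects and all file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed lab: Root -> Intermediate -> Issuing CA, plus one leaf whose
# extendedKeyUsage is serverAuth only. All names and files are made up.

mk() {  # mk <dir> <name> <issuer-name|self> <extension-section>
  local d=$1 n=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
    -out "$d/$n.csr" -subj "/CN=$n.example.test" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/ext.cnf" -extensions "$4" -out "$d/$n.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$3.crt" -CAkey "$d/$3.key" \
      -CAcreateserial -days 2 -extfile "$d/ext.cnf" -extensions "$4" \
      -out "$d/$n.crt" 2>/dev/null
  fi
}

build_lab() {  # build_lab <dir>: writes ca.crt (all three CAs) and leaf.crt
  printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'extendedKeyUsage=serverAuth' > "$1/ext.cnf"
  mk "$1" root self ca && mk "$1" intermediate root ca &&
  mk "$1" issuing intermediate ca && mk "$1" leaf issuing leaf &&
  cat "$1/root.crt" "$1/intermediate.crt" "$1/issuing.crt" > "$1/ca.crt"
}

# chain_ok <ca-bundle> <cert> <purpose>: does the cert chain to the bundle
# AND is it acceptable for the given purpose (sslserver or sslclient)?
chain_ok() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" 2>&1 | grep -q ': OK$'
}

# eku <cert>: print the Extended Key Usage value of a certificate.
eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n1 | xargs
}

LAB=$(mktemp -d) && build_lab "$LAB"
echo "leaf EKU: $(eku "$LAB/leaf.crt")"
for p in sslserver sslclient; do
  chain_ok "$LAB/ca.crt" "$LAB/leaf.crt" "$p" && echo "full bundle, $p: OK" \
    || echo "full bundle, $p: FAIL"
done
chain_ok "$LAB/root.crt" "$LAB/leaf.crt" sslserver && echo "root only: OK" \
  || echo "root only: FAIL"
```

Running `chain_ok` and `eku` against the real `ca.crt` and the peer's certificate on each node shows whether the bundle or the key usage is the part that fails; it does not show which of these checks Icinga itself performs.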