/var/lib/icinga2/certs/ticket is not created by this module

[Bonoolu]

Hello,

thank you for maintaining this repository.
I had two issues while getting this module to work. I'm currently not at my workplace so i will recite these issues from memory. I will add all missing information next Monday.

1. I copy pasted the agent configuration from the README.md. It seems that the key value pair for ca_host is missing in this example config. The log showed that the icinga2 module failed because it tried to execute icinga2 pki save-cert while setting the --host flag without a value. it looked like this:
   /usr/sbin/icinga2 pki save-cert --host ---next-flag-here
   I've set the ca_host value which solved this problem. Aferwards the icinga2 config got pushed successfully and the key/crts are downloaded form the icinga server.
2. The module does not create the file /var/lib/icinga2/certs/ticket on the agent side (despite correctly downloading the client cert). This file seems to be mandatory. The resulting error in icinga2 was this:
   Error while reading JSON-RPC message for identity ‘hostname-of-master-here’: Error: End of file
   I solved this problem by executing these command on the agent client:

echo -n 'api-key-here' > /var/lib/icinga2/certs/ticket
chmod 600 /var/lib/icinga2/certs/ticket
chown nagios:nagios /var/lib/icinga2/certs/ticket

Config

I copy pasted the agent config in the README.md. I adjusted the zones and endpoints to match my manually configured clients, i've set the correct fingerprint and ticket_salt. I added the ca_host key-value pair as previously described.

Your Environment

My Environment are several freshly created debian11 lxd containers. I've set up this network of containers specifically to try out this icinga2 module.
I have one puppet server, one icinga server, and several icinga clients. One icinga client was configured manually with 'icinga2 node wizard', the other clients were configured via this module.
The manually configured client worked perfectly, the clients configured by this module had the above mentioned issues.
I diff'ed the icinga2 directories of my working manually configured client and the not working puppet-configured clients. These are the results of that diff:

• /etc/icinga2: all files were the same, only the local hostname was different
• /var/lib/icinga2: state file and client certs were different, ticket file was missing on the module configured client
• /usr/share/icinga2: all files were the same
• /usr/lib/icinga2: all files were the same

• Module version (puppet module list):
  newest version
• Puppet version (puppet -V):
  newest version for bullseye on packages.icinga.com
• Operating System and version:
  debian 11

I could reconstruct this environment from memory if you want, but first i will wait for feedback as it's still possible that this was just an user error by me, lol.

[lbetz]

Thx @Bonoolu for your report.

1. Correct, the parameter ca_host is missing.
2. The file isn't mandatory, the method works since six years. But you're right, the file is used. On the other hand to store this file is a security impact. It's still used during the certification request. However, because puppet works decoratively, it is not so easy to remove it when it is no longer needed.

What do you mean, the hostname is different?

Bye
Lennart

[Bonoolu]

What do you mean, the hostname is different?

Oh, i just meant the name of the agent is in the constants file, and that name obviously differs from client to client.
Here is my manifest file, no need to censor anything:

node default { 

  class { '::icinga2':
    confd     => false,
    features  => ['mainlog', 'debuglog', 'checker'],
  }
 
  class { '::icinga2::feature::api':
    accept_config   => true,
    accept_commands => true,
    ca_host         => "debian11",
    ticket_salt     => '2764b2d6a8968c89aaad3cea56b2123038727d84',
    fingerprint     => '0C:74:E6:A2:2F:C7:BA:28:56:EF:CD:D5:FF:8E:EC:C8:A1:17:E2:8D:17:91:83:25:14:B9:F7:9A:BB:63:D0:27',
    endpoints       => {
      'NodeName'              => {},
      'debian11' => {
        'host' => 'debian11',
      },
    },
    zones           => {
      'master'      => {
        'endpoints' => ['debian11'],
      },
      'ZoneName' => {
        'endpoints' => ['NodeName'],
        'parent'    => 'master',
      }
    }
  }

  icinga2::object::zone { 'global-templates':
    global => true,
  }

  icinga2::object::zone { 'director-global':
    global => true,
  }
}

Do I have any misconfiguration? This module works since six years, so it's hard for me to believe that this is a bug in the module.

[Bonoolu]

I just saw that i forgot to mention that this error is critical:
Error while reading JSON-RPC message for identity ‘hostname-of-master-here’: Error: End of file
icinga2 will not work at all while i have this error

[lbetz]

What kind of Icinga version you use?

[Bonoolu]

I use icinga2 in version r2.13.7-1 for the agents and masters
puppet on the agent side is version 6.28.0 (i can't upgrade to a bigger version)
puppetserver is version 7.24.0

[lbetz]

Hm. I can't see any mistakes in your code. But I learned several years ago, don't use server and agent in so different versions like you do. I've to test it. This will take some days ...

[Bonoolu]

Nevermind, i confused ticket_id and ticket_salt. Sorry, my bad!