Icinga2 setup without connection to Master

My network consists of several locations connected using VPN tunnels. All machines within this network are monitored using icinga2. Adding new machines and generating the required certificates can be easily done using node wizard. This requires the master to be reachable from the new node.

To monitor my public services (like this blog) I’m using two independent cheap VPS which are not connected to my private network. This ensures that also issues like NAT or DNS misconfiguration are detected. Those issues may not be detected from my internal network reliably.

As my icinga2 master is not accessible from the internet, it is impossible to use node wizard for the certificate generation. Thus it is required to setup the node certificates manually to allow the communication from the master to the node.

There is several documentation available on the icinga wiki. Some discussions on the forum are incomplete or lead to bad practices during certificate and key generation on the master host.

Getting started

I assume that you have already installed icinga2 on your master/satellite as well as on your new node. In my case my new node is called satellite02.icinga.meis.space. First of all add your new zone/endpoint as always to /etc/icinga2/zones.conf:

object Endpoint "satellite02.icinga.meis.space" {
        host = "satellite02.icinga.meis.space"

object Zone "satellite02.icinga.meis.space" {
        endpoints = [ "satellite02.icinga.meis.space" ]
        parent = "master"

Next I add a new host object to /etc/icinga2/zones.d/master/hosts/satellite02.icinga.meis.space.conf:

object Host "satellite02.icinga.meis.space" {
  check_command = "hostalive"
  address = "satellite02.icinga.meis.space"
  vars.agent_endpoint = name

Configure node

While we can’t use node wizard to retrieve the certificates automatically, we can still use it to setup the local configuration. Do the following on your node:

root@satellite02:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: y

Starting the Agent/Satellite setup routine...

Please specify the common name (CN) [satellite02.icinga.meis.space]: 

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga.meis.space

Do you want to establish a connection to the parent node from this node? [Y/n]: n
Connection setup skipped. Please configure your parent node to
connect to this node by setting the 'host' attribute for the node Endpoint object.

Add more master/satellite endpoints? [y/N]: n

No connection to the parent node was specified.

Please copy the public CA certificate from your master/satellite
into '/var/lib/icinga2/certs//ca.crt' before starting Icinga 2.
Please specify the API bind host/port (optional):
Bind Host []: 
Bind Port []: 

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga...
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.

Local zone name [satellite02.icinga.meis.space]: 
Parent zone name [master]: 

Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n

Do you want to disable the inclusion of the conf.d directory [Y/n]: 
Disabling the inclusion of the conf.d directory...


Now restart your Icinga 2 daemon to finish the installation!

Do not restart icinga2 yet as it is still missing the certificates.

Providing the Certificates

Next we need to provide the CA Certificate as well as the node Certificate and Key to our node.

CA Certificate

Obtain your masters CA certificate from /var/lib/icinga2/certs/ca.crt and copy it to the same path on your node.

Certificate and Key

Next we need to generate the certificate and it’s corresponding key for your node. Running node wizard already created a certificate and a key. As we need a CSR, we need to generate a new pair of Certificate and CSR. Drop the existing files:

rm /var/lib/icinga2/certs/satellite02.icinga.meis.space.crt \

Now we need to generate a Key and CSR on your node. You could do this step on your master as well but it is highly discouraged to share the key with any other host than the node itself.

icinga2 pki new-cert --cn satellite02.icinga.meis.space \
--key /var/lib/icinga2/certs/satellite02.icinga.meis.space.key \
--csr /var/lib/icinga2/certs/satellite02.icinga.meis.space.csr

Next you need to copy your CSR to master which holds the CA Keys. Put it into /etc/icinga2/pki/satellite02.icinga.meis.space.csr.

After that you can sign the Certificate:

icinga2 pki sign-csr \
--cert /etc/icinga2/pki/satellite02.icinga.meis.space.crt \
--csr /etc/icinga2/pki/satellite02.icinga.meis.space.csr

Now copy the signed Certificate back to your node into /var/lib/icinga2/certs/satellite02.icinga.meis.space.crt. Make sure to set the owner to nagios. You may now delete the .csr file. Finally you can restart icinga2 on your node. The connection should now get established by the master.

Notify of
Inline Feedbacks
View all comments