Very soon we’ll release Icinga version 2.8 which brings the CA-Proxy to life. With this blogpost I want to show you how to use this feature and why it’s great.
How does the CA-Proxy work?
Let’s say our setup consists of a master, a satellite and multiple clients. Typically you would have to generate a setup ticket on the master for every client you want to set up and have them connect directly to the master.
Thanks to the CA-Proxy, a client doesn’t need to send the certificate signing request directly to the master. It’s now possible to send the request to a satellite, which then sends it to the master. This means that clients no longer need to have a direct connection to the master.
Version 2.8 also allows sending certificate signing requests without a setup ticket. In that case the request stays pending on the master until it is approved there via a CLI command.
By combining both features you can run the node wizard without specifying either a master or a ticket.
The first thing you need to do is to run the node wizard on the client. As mentioned before, the ticket option can be skipped here:
root@icinga-agent-1:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We will guide you through all required configuration details.

Please specify if this is a satellite/client setup ('n' installs a master setup) [Y/n]: y

Starting the Client/Satellite setup routine...

Please specify the common name (CN) [icinga-agent-1]: [ENTER]

Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-satellite-1

Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): 10.211.55.23
Master/Satellite endpoint port : [ENTER]

Add more master/satellite endpoints? [y/N]: n
Parent certificate information:

 Subject:     CN = icinga-satellite-1
 Issuer:      CN = icinga-satellite-1
 Valid From:  Nov 8 11:37:56 2017 GMT
 Valid Until: Nov 4 11:37:56 2032 GMT
 Fingerprint: BA 1F 61 BE 26 8E CB 4E 8B 4D 20 3F 10 5B D5 0C C4 BF 91 00

Is this information correct? [y/N]: y

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'icinga-agent-1'): [ENTER]
No ticket was specified. Please approve the certificate signing request manually on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details).

Please specify the API bind host/port (optional):
Bind Host : [ENTER]
Bind Port : [ENTER]

Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y

Reconfiguring Icinga...

Done.

Now restart your Icinga 2 daemon to finish the installation!

root@icinga-agent-1:~# systemctl restart icinga2
Then, on the master, we can list all requests with “icinga2 ca list”:

root@icinga-master-1:~# icinga2 ca list
Fingerprint        | Timestamp               | Signed | Subject
-------------------|-------------------------|--------|--------
92a2e5bbb9b374f... | Nov 8 11:43:06 2017 GMT |        | CN = icinga-agent-1
And sign them via “icinga2 ca sign <fingerprint>”:
root@icinga-master-1:~# icinga2 ca sign 92a2e5bbb9b374f...
information/cli: Signed certificate for 'CN = icinga-agent-1'.
After a few minutes all certificates should be signed and synced all the way down to the clients. Neither the master nor the clients have to be restarted.
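Because the ticket-less flow replaces the ticket with a manual approval on the master, the one check that remains is the operator looking at each pending request before running “icinga2 ca sign”. The following script is an added example (it is not code from this post or from the Icinga project) of how that review can be made explicit: it parses the “icinga2 ca list” table, picks out the requests that are still unsigned, and signs only those whose CN appears on an allowlist kept out of band (for instance the inventory that provisioned the agents). It assumes the table layout shown above (Fingerprint | Timestamp | Signed | Subject), that a pending request has an empty Signed column, and a variable named SIGN_CMD chosen here for the command that does the signing; the sample table, fingerprints and allowlist are constructed.

```shell
#!/bin/sh
# Added example, not code from the Icinga blog post or the Icinga project.
# Reviewed approval of pending CSRs: sign a request only when its CN is on an
# operator-maintained allowlist. Assumptions: the `icinga2 ca list` layout
# shown in the post, an empty Signed column for pending requests, and the
# variable name SIGN_CMD (chosen here) for the signing command.

# Constructed sample of `icinga2 ca list` output (fingerprints are made up):
# one pending allowed agent, one request that was already signed, and one
# pending request from a CN that was never provisioned.
SAMPLE_CA_LIST='Fingerprint                | Timestamp                | Signed | Subject
---------------------------|--------------------------|--------|--------
92a2e5bbb9b374f0c0ffee0001 | Nov  8 11:43:06 2017 GMT |        | CN = icinga-agent-1
a1b2c3d4e5f6071829c0ffee02 | Nov  8 11:45:10 2017 GMT | *      | CN = icinga-agent-2
ffeeddccbbaa99887766554403 | Nov  8 11:47:33 2017 GMT |        | CN = unknown-host'

# Constructed allowlist: expected agent CNs, one per line.
ALLOWED_CNS='icinga-agent-1
icinga-agent-2'

# Read a `ca list` table on stdin; print "fingerprint<TAB>cn" for every
# request whose Signed column is empty (i.e. still pending).
pending_requests() {
    awk -F'|' '
        NR <= 2 { next }   # skip the header row and the separator row
        {
            fp = $1; signed = $3; subject = $4
            gsub(/^[ \t]+|[ \t]+$/, "", fp)
            gsub(/^[ \t]+|[ \t]+$/, "", signed)
            gsub(/^[ \t]+|[ \t]+$/, "", subject)
            sub(/^CN *= */, "", subject)
            if (signed == "") print fp "\t" subject
        }'
}

# Read "fingerprint<TAB>cn" lines on stdin. Sign the requests whose CN is in
# the allowlist ($1); report the others on stderr and leave them pending.
# SIGN_CMD defaults to a dry run that only prints the command; on the master,
# run with SIGN_CMD="icinga2 ca sign" to approve for real.
review_requests() {
    allow="$1"
    sign_cmd="${SIGN_CMD:-echo icinga2 ca sign}"
    while IFS="$(printf '\t')" read -r fp cn; do
        if printf '%s\n' "$allow" | grep -qx -- "$cn"; then
            # intentionally unquoted: $sign_cmd may hold a command plus arguments
            $sign_cmd "$fp"
        else
            printf 'REJECT %s: CN "%s" is not in the allowlist\n' "$fp" "$cn" >&2
        fi
    done
}

# Stand-alone dry run over the constructed sample: prints the sign command for
# icinga-agent-1 and a REJECT line for unknown-host; icinga-agent-2 is skipped
# because it is already signed.
printf '%s\n' "$SAMPLE_CA_LIST" | pending_requests | review_requests "$ALLOWED_CNS"
```

On a real master the pipeline becomes `icinga2 ca list | pending_requests | SIGN_CMD="icinga2 ca sign" review_requests "$(cat /path/to/allowlist)"`. The allowlist is what turns the approval into a decision rather than a reflex: a CN is chosen by whoever ran the node wizard, so a request for a name you did not provision deserves a look before it ever reaches “icinga2 ca sign”. The exact column layout of “icinga2 ca list” may differ between Icinga 2 versions, so check the parsed output in dry-run mode first.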