Critical hotfix releases: Icinga 2.14.1 and 2.13.9

Dec 21, 2023

Imagine you installed Icinga 2.0.0 on 2014-06-06, the day it was released. You tested its features, over time we added more of them, and by now your test cluster has gone into production. An Icinga cluster operates on TLS, which involves a root CA, typically generated by Icinga itself. Until v2.2.0, a new root CA was valid for 3650 days by default, and 2014-06-06 + 3650 days = 2024-06-03. So in my example you’d get log messages like this across the whole cluster on that day:

[2024-06-03 23:45:16 +0000] warning/ApiListener: Certificate validation failed for endpoint 'example.com': code 10: certificate has expired

That is, no Icinga node can present a valid certificate chain any more because the root CA has expired. This makes authenticated connections between nodes impossible. In other words, the cluster has disintegrated over time.
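A way to recognise this situation from a node's log, as an added example that is not Icinga's own code: it parses lines in the format of the warning quoted above and checks whether every peer fails with an expired chain. The function names, the endpoint names other than 'example.com' and the extra log lines are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

# Format of the warning quoted above:
# [ts] warning/ApiListener: Certificate validation failed for endpoint '<name>': code <n>: <reason>
FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+/ApiListener: Certificate validation failed "
    r"for endpoint '(?P<endpoint>[^']*)': code (?P<code>\d+): (?P<reason>.*)$"
)
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code shown in the warning

# Constructed sample log; only the first line's text is taken from the article.
SAMPLE_LOG = """\
[2024-06-03 23:45:16 +0000] warning/ApiListener: Certificate validation failed for endpoint 'example.com': code 10: certificate has expired
[2024-06-03 23:45:17 +0000] warning/ApiListener: Certificate validation failed for endpoint 'satellite1.example.com': code 10: certificate has expired
[2024-06-03 23:45:18 +0000] information/ApiListener: constructed unrelated message
[2024-06-03 23:45:40 +0000] warning/ApiListener: Certificate validation failed for endpoint 'agent7.example.com': code 18: self-signed certificate
[2024-06-03 23:46:16 +0000] warning/ApiListener: Certificate validation failed for endpoint 'example.com': code 10: certificate has expired
""".splitlines()


def ca_expiry(created: date, validity_days: int = 3650) -> date:
    """Expiry of a root CA created on `created` (3650 days: default until v2.2.0)."""
    return created + timedelta(days=validity_days)


def expired_failures(lines):
    """Return {endpoint: (first_seen, count)} for code-10 validation failures."""
    seen = {}
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if not m or int(m["code"]) != X509_V_ERR_CERT_HAS_EXPIRED:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        first, count = seen.get(m["endpoint"], (ts, 0))
        seen[m["endpoint"]] = (min(first, ts), count + 1)
    return seen


def points_at_root_ca(failures, peers):
    """True if every configured peer fails as expired: suspect the shared root CA,
    not a single node's certificate."""
    return bool(peers) and set(peers) <= set(failures)


if __name__ == "__main__":
    print("CA from 2014-06-06 expires:", ca_expiry(date(2014, 6, 6)))
    hits = expired_failures(SAMPLE_LOG)
    for endpoint, (first, count) in sorted(hits.items()):
        print(f"{endpoint}: {count} expired-chain failure(s), first at {first}")
```

Feed `expired_failures` the lines of a node's own Icinga log and pass the endpoints that node is configured to talk to as `peers`.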

In contrast, both v2.14.1 and v2.13.9 automatically renew the CA on the master (which is used for icinga2 pki ticket and/or icinga2 ca sign). Satellites also need this update to propagate the renewed certificate to all agents.

All Changes

v2.14.1

Security

  • Automatically renew own root CA and distribute it to all nodes. #9933
  • Update OpenSSL shipped on Windows to v3.0.12. #9946
  • Disable TLS renegotiation (handshake on existing connection). #9946

Bugfixes

  • Icinga DB feature: fix crash due to missing NULL pointer check. #9946
  • Icinga DB feature: fix data written into Redis crashing the Go daemon. #9946
  • GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
  • Don’t lose notifications due to too long output, truncate it. #9947

Enhancements

  • Discard duplicate problem notifications due to state filtering. #9932
  • Speed up API filters targeting specific hosts/services to O(1). #9944
  • POST /v1/console/*: return HTTP 503 while Icinga is reloading. #9947
  • Update Boost shipped on Windows to v1.83. #9946
  • Documentation: several fixes and improvements. #9921

v2.13.9

Security

  • Automatically renew own root CA and distribute it to all nodes. #9934
  • Update OpenSSL shipped on Windows to v3.0.12. #9945
  • Disable TLS renegotiation (handshake on existing connection). #9945

Bugfixes

  • Icinga DB feature: fix crash due to missing NULL pointer check. #9945
  • Icinga DB feature: fix data written into Redis crashing the Go daemon. #9945

Updates

  • Update Boost shipped on Windows to v1.83. #9945
