Imagine you installed Icinga 2.0.0 on 2014-06-06, the day it was released. You tested its features, over time we added more of them, and by now your test cluster has gone into production. An Icinga cluster operates on TLS, which involves a root CA, typically generated by Icinga itself. Until v2.2.0 a new root CA was valid for 3650 days by default. And 2014-06-06 + 3650 days = 2024-06-03. So in my example you would get log messages like this across the whole cluster on that day:
[2024-06-03 23:45:16 +0000] warning/ApiListener: Certificate validation failed for endpoint 'example.com': code 10: certificate has expired
I.e. no Icinga node can present a still-valid certificate chain, as the root CA has expired. This makes authenticated connections between nodes impossible. In other words, the cluster has disintegrated by that time.
In contrast, both v2.14.1 and v2.13.9 automatically renew the CA on the master (which is used for icinga2 pki ticket and/or icinga2 ca sign). Satellites also need this update to propagate the renewed certificate to all agents.
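As an added example (not part of this post or of Icinga's own code), here is a stdlib-only Python check that turns the arithmetic above into an early warning: it parses the dates that openssl x509 -noout -dates prints for the cluster's ca.crt, computes the days left (or the expiry a pre-2.2.0 CA would get), and scans icinga2 log lines for the ApiListener warning quoted above. The log excerpt and dates are constructed; the mapping of verify code 10 to X509_V_ERR_CERT_HAS_EXPIRED is OpenSSL's.

```python
"""Stdlib-only helpers to catch an expiring Icinga root CA before it splits the cluster."""
import re
from datetime import datetime, timedelta, timezone

# Default root-CA lifetime before Icinga 2.2.0, as stated in the post.
LEGACY_CA_VALIDITY_DAYS = 3650

# The ApiListener warning quoted in the post; OpenSSL verify code 10 is
# X509_V_ERR_CERT_HAS_EXPIRED.
EXPIRED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] warning/ApiListener: Certificate validation failed "
    r"for endpoint '(?P<endpoint>[^']+)': code 10: certificate has expired$"
)

def parse_openssl_date(line: str) -> datetime:
    """Parse a 'notBefore=...' or 'notAfter=...' line as printed by
    `openssl x509 -in ca.crt -noout -dates` (e.g. 'notAfter=Jun  3 23:45:16 2024 GMT')."""
    value = " ".join(line.strip().split("=", 1)[1].split())  # collapse padding spaces
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def legacy_ca_expiry(not_before: datetime) -> datetime:
    """Expiry of a root CA generated with the pre-2.2.0 default validity."""
    return not_before + timedelta(days=LEGACY_CA_VALIDITY_DAYS)

def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days left; negative once the CA has expired."""
    return (not_after - now).days

def expired_endpoints(log_lines) -> dict:
    """Map each endpoint that failed with 'certificate has expired' to its timestamps."""
    hits = {}
    for line in log_lines:
        m = EXPIRED_RE.match(line.rstrip("\n"))
        if m:
            hits.setdefault(m["endpoint"], []).append(m["ts"])
    return hits

if __name__ == "__main__":
    # Constructed sample input: the post's install date and a fake log excerpt.
    created = parse_openssl_date("notBefore=Jun  6 00:00:00 2014 GMT")
    print("legacy CA would expire on", legacy_ca_expiry(created).date())
    sample_log = [
        "[2024-06-03 23:45:16 +0000] warning/ApiListener: Certificate validation failed "
        "for endpoint 'example.com': code 10: certificate has expired",
        "[2024-06-03 23:45:17 +0000] information/ApiListener: New client connection",
    ]
    print("endpoints with an expired chain:", sorted(expired_endpoints(sample_log)))
```

Feeding the real ca.crt dates in and alerting when days_until_expiry drops below your renewal lead time is the check to schedule; on releases with the automatic renewal this mainly confirms the new CA has actually been rolled out.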
All Changes
v2.14.1
Security
- Automatically renew own root CA and distribute it to all nodes. #9933
- Update OpenSSL shipped on Windows to v3.0.12. #9946
- Disable TLS renegotiation (handshake on existing connection). #9946
Bugfixes
- Icinga DB feature: fix crash due to missing NULL pointer check. #9946
- Icinga DB feature: fix data written into Redis crashing the Go daemon. #9946
- GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
- Don’t lose notifications whose output is too long; truncate the output instead. #9947
Enhancements
- Discard duplicate problem notifications due to state filtering. #9932
- Speed up API filters targeting specific hosts/services to O(1). #9944
- POST /v1/console/*: return HTTP 503 while Icinga is reloading. #9947
- Update Boost shipped on Windows to v1.83. #9946
- Documentation: several fixes and improvements. #9921
v2.13.9
Security
- Automatically renew own root CA and distribute it to all nodes. #9934
- Update OpenSSL shipped on Windows to v3.0.12. #9945
- Disable TLS renegotiation (handshake on existing connection). #9945
Bugfixes
- Icinga DB feature: fix crash due to missing NULL pointer check. #9945
- Icinga DB feature: fix data written into Redis crashing the Go daemon. #9945
Updates
- Update Boost shipped on Windows to v1.83. #9945