Users have reported problems with SSL certificates inside a distributed monitoring setup when they
- updated their Icinga 2 package to 2.7.0 on Windows or
- upgraded their distribution which included an update to OpenSSL 1.1.0.
The Windows package also uses OpenSSL 1.1.0 in v2.7.0. This seems to only affect certificates created in 2015 or older.
While updating the documentation and Icinga Template Library definitions, we’ve also tackled a more severe problem with OpenSSL on SLES11 SP3 with this bugfix release v2.3.6.
SLES11 uses the old 0.9.8j release, which causes trouble when verifying the SSL certificates generated by the ‘node wizard’ commands (see #9549 for a detailed analysis). The problem became even stranger as we debugged it, so we decided to go for the only safe solution: link against openssl1 from the Security Module repository.
The package update for SLES11 requires openssl1, so please make sure the repository is enabled beforehand. You can use this small check script “check_icinga2_openssl” (shown in the screenshot).
Other than that, we’ve also fixed some bugs found inside the Windows plugins and NSClient++ integration. Alongside a stability fix for the cluster backported from our 2.4 development tree, more verbose logging for unauthenticated clients and cluster troubleshooting is also available.
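A check along these lines, as an added example (it is not the check_icinga2_openssl script from the screenshot and not Icinga project code): it reports which libssl a binary is linked against, flags the 0.9.8 series, and verifies a node certificate against the CA with `openssl verify`. The function names and the three file arguments are assumptions of this example; no paths are built in.

```shell
#!/bin/sh
# Added example, not the project's check_icinga2_openssl script.
# Usage (paths are supplied by the caller, none are assumed here):
#   sh check.sh <icinga2-binary> <ca.crt> <node.crt>

# Classify an "openssl version" banner or a libssl soname. The post names
# 0.9.8j; flagging the whole 0.9.8 series is an assumption of this example.
classify_openssl() {
    case "$1" in
        "OpenSSL 0.9.8"*|libssl.so.0.9.8*) echo "affected" ;;
        "OpenSSL "[0-9]*|libssl.so.[0-9]*) echo "ok" ;;
        *) echo "unknown" ;;
    esac
}

# Print the libssl soname(s) a binary is dynamically linked against. The
# openssl CLI on PATH may be a different build, so check the binary itself.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^libssl\.so/ {print $1}'
}

# Verify a certificate against the CA. Returns 0 on success, 1 on
# verification failure, 2 when a file is unreadable.
verify_node_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    # Require an OK line and no error line, so a partially failed
    # verification is never reported as success.
    printf '%s\n' "$out" | grep -q 'error ' && return 1
    printf '%s\n' "$out" | grep -q ': OK$' || return 1
    return 0
}

if [ "$#" -eq 3 ]; then
    for lib in $(linked_libssl "$1"); do
        echo "$1 links $lib: $(classify_openssl "$lib")"
    done
    if verify_node_cert "$2" "$3"; then
        echo "$3 verifies against $2"
    else
        echo "$3 does NOT verify against $2 (rc=$?)"
    fi
fi
```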
Package updates should be around soon, meanwhile keep cool and check the Changelog below!
What’s New in Version 2.3.6
- Require openssl1 on sles11sp3 from Security Module repository
  - Bug in SLES 11’s OpenSSL version 0.9.8j preventing verification of generated certificates.
  - Re-create these certificates with 2.3.6 linking against openssl1 (cli command or CSR auto-signing).
- ITL: Add ldap, ntp_peer, mongodb and elasticsearch CheckCommand definitions
- Feature 6714: add pagerduty notification documentation
- Feature 9172: Add “ldap” CheckCommand for “check_ldap” plugin
- Feature 9191: Add “mongodb” CheckCommand definition
- Feature 9415: Add elasticsearch checkcommand to itl
- Feature 9416: snmpv3 CheckCommand: Add possibility to set securityLevel
- Feature 9451: Merge documentation fixes from GitHub
- Feature 9523: Add ntp_peer CheckCommand
- Feature 9562: Add new options for ntp_time CheckCommand
- Feature 9578: new options for smtp CheckCommand
- Bug 9205: port empty when using icinga2 node wizard
- Bug 9253: Incorrect variable name in the ITL
- Bug 9303: Missing ‘snmp_is_cisco’ in Manubulon snmp-memory command definition
- Bug 9436: Functions can’t be specified as command arguments
- Bug 9450: node setup: indent accept_config and accept_commands
- Bug 9452: Wrong file reference in README.md
- Bug 9456: Windows client w/ command_endpoint broken with $nscp_path$ and NscpPath detection
- Bug 9463: Incorrect check_ping.exe parameter in the ITL
- Bug 9476: Documentation for checks in an HA zone is wrong
- Bug 9481: Fix stability issues in the TlsStream/Stream classes
- Bug 9489: Add log message for discarded cluster events (e.g. from unauthenticated clients)
- Bug 9490: Missing openssl verify in cluster troubleshooting docs
- Bug 9513: itl/plugins-contrib.d/*.conf should point to PluginContribDir
- Bug 9522: wrong default port documented for nrpe
- Bug 9549: Generated certificates cannot be verified w/ openssl 0.9.8j on SLES 11
- Bug 9558: mysql-devel is not available in sles11sp3
- Bug 9563: Update getting started for Debian Jessie