REST-Api daemon no valid certificate was found for usage

[t3easy]

After installing Icinga for windows without the Self Service Api, the REST-Api daemon can't find the certificate under C:\ProgramData\icinga2\var\lib\icinga2\certs\fqdn.crt
If I register the Api Daemon with

Use-Icinga;
Unregister-IcingaBackgroundDaemon 'Start-IcingaWindowsRESTApi'
Register-IcingaBackgroundDaemon -Command 'Start-IcingaWindowsRESTApi' -Arguments @{ '-CertFile' = 'C:\ProgramData\icinga2\var\lib\icinga2\certs\fqdn.crt' };
Add-IcingaRESTApiCommand -Command 'Invoke-IcingaCheck*' -Endpoint 'apichecks';
Restart-IcingaWindowsService;
Enable-IcingaFrameworkApiChecks;

The Api Daemon starts.

Icinga for Windows log

Failed to start REST-Api daemon, as no valid provided SSL and Icinga 2 Agent certificate was found

While starting the Icinga for Windows REST-Api daemon, no valid certificate was found for usage. You can either share a valid certificate by defining the full path with -CertFile to a .crt, .cert or .pfx file, by using -CertThumbprint to lookup a certificate inside the Microsoft cert store and by default the Icinga 2 Agent certificates. Please note that only Icinga 2 Agent version 2.8.0 or later are supported

Object details:

No additional object details provided.

Expected Behavior

Certificate is found automatically

Current Behavior

No valid certificate found
See Icinga for Windows log

Possible Solution

Register daemon with -CertFile

Steps to Reproduce (for bugs)

Install latest Ifw with https://icinga.com/docs/icinga-for-windows/latest/doc/110-Installation/01-Getting-Started/#install-icinga-for-windows
Configure it manually without Self service
Sign request with icinga2 ca list && icinga2 ca sign xyz
Then restart icinga2 and icingapowershell service

Context

The windows hosts are already in Director by the vSphere DB plugin so it can't register.

Your Environment

• PowerShell Version used ($PSVersionTable.PSVersion):
  5.1.17763.2803

• Operating System and version (Get-IcingaWindowsInformation Win32_OperatingSystem | Select-Object Version, BuildNumber, Caption):
  10.0.17763 17763 Microsoft Windows Server 2019 Datacenter

[t3easy]

The same, if I use the Self-service Api.
Seems the part of the doc is wrong

By default, it will start listening on Port 5668 on localhost and use the Icinga Agents certificates for TLS encrypted communication. As long as the Windows firewall is not allowing access to this port, external communication is not possible.

https://icinga.com/docs/icinga-for-windows/latest/doc/110-Installation/30-API-Check-Forwarder/#register-background-daemon

[t3easy]

If i run Install-IcingaForWindowsCertificate I get

[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Error]: Unable to install Icinga for Windows certificate, as with specified arguments and auto-lookup for Icinga Agent certificate, no certificate could be created

So the auto-lookup is not working.

[LordHepipud]

Thank you for the issue. Have you tried with the latest master?
I made a fix to that, because this error most likely occurs of the hostname and the certificate are not matching during auto lookup

[t3easy]

Thank you for the issue. Have you tried with the latest master? I made a fix to that, because this error most likely occurs of the hostname and the certificate are not matching during auto lookup

@LordHepipud Thanks for your reply!
I didn't tried master, yet. Could you point me to the patch?

[LordHepipud]

It should be this one: #484

[t3easy]

I testet the ReadConstants code and it returns the right fqdn so certificate could be found.
As a workaround to not deploy development state, I added the CertFile argument

Register-IcingaBackgroundDaemon -Command 'Start-IcingaWindowsRESTApi' -Arguments @{ '-CertFile' = (Join-Path -Path $Env:ProgramData -ChildPath "icinga2\var\lib\icinga2\certs\$(Get-IcingaHostname -AutoUseFQDN $true -LowerCase $true).crt")}

But with the default user permissions of Network Service, the Invoke-IcingaCheckUpdates returned UNKNOWN (https://icinga.com/docs/icinga-for-windows/latest/doc/knowledgebase/IWKB000006/)

So I enabled JEA with the default managed user icinga and

Install-IcingaForWindowsCertificate -CertFile (Join-Path -Path $Env:ProgramData -ChildPath "icinga2\var\lib\icinga2\certs\$(Get-IcingaHostname -AutoUseFQDN $true -LowerCase $true).crt")

To load the agent cert but then the REST Api calls failed with
https://icinga.com/docs/icinga-for-windows/latest/doc/100-General/20-Eventlog/#event-id-1500
even if I import the Icinga CA Cert into trusted publishers.

Any suggestions?

I know I can issue an certificate at our enterprise CA and install it with

Install-IcingaForWindowsCertificate -CertThumbprint "xxxx"

But that would lead to some more preparation...

[LordHepipud]

Could you please try this this v1.9.0? We released the version this week as stable. Hopefully the issue is resolved by this then.

[t3easy]

Could you please try this this v1.9.0? We released the version this week as stable. Hopefully the issue is resolved by this then.

I'll try it next week, sorry had no time...

[t3easy]

Could you please try this this v1.9.0? We released the version this week as stable. Hopefully the issue is resolved by this then.

Hi @LordHepipud
I just installed IfW 1.9.0 on a new server and the certificate was found and installed successfully.

[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" is accessible and writable by the Icinga Service User "icinga"
[Notice]: Successfully installed Icinga for Windows certificate at "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\icingaforwindows.pfx"

But we still get IfW::Framework ID 1553 in the Icinga for Windows log if we use JEA with the managed user "icinga".

This is the install script I used:

[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
$ProgressPreference                         = 'SilentlyContinue';
[string]$ScriptFile                         = 'C:\Users\Public\IcingaForWindows.ps1';

Invoke-WebRequest `
    -UseBasicParsing `
    -Uri 'https://packages.icinga.com/IcingaForWindows/IcingaForWindows.ps1' `
    -OutFile $ScriptFile;

& $ScriptFile `
    -ModuleDirectory 'C:\Program Files\WindowsPowerShell\Modules\' `
    -InstallCommand '{
        "IfW-DirectorUrl":{"Values":["https://monitoring.domain.tld/director/"]},
        "IfW-DirectorSelfServiceKey":{"Values":["xxxx"]},
        "IfW-InstallService":{"Selection":"0"},
        "IfW-ParentAddress":{"Values":{"monitoring.domain.tld":["10.1.2.3"]}},
        "IfW-GlobalZones":{"Selection":"3"},
        "IfW-DirectorRegisterHost":{"Selection":"0"},
        "IfW-InstallPlugins":{"Selection":"0"},
        "IfW-InstallJEAProfile":{"Selection":"1"}
    }';

[LordHepipud]

I honestly have no Idea at the moment. I just tested this script on a local machine with the same configuration (just updated some values to match my environment) and everything just worked fine.

Is the monitoring of the host in general working properly?

I assume

Get-IcingaAgentHostCertificate

is returning the correct certicicate?

Could you please share your Icinga Director Self-Service API Config?