As irony would have it, I just worked it out.
To answer my own questions: for each level down from the master server, create a new CA, self-sign,
and request signing from the master server.
# Mint a ticket for this node from the master's TicketSalt
ServerUUIDIcinga2SSL=$(/usr/sbin/icinga2 pki ticket --cn "$(facter fqdn)" --salt "$TicketSalt")
# Create this level's own CA and copy its key into the pki directory
/usr/sbin/icinga2 pki new-ca
cp /var/lib/icinga2/ca/ca.key /etc/icinga2/pki/
# Self-signed key/cert for this node
/usr/sbin/icinga2 pki new-cert --cn "$(facter fqdn)" \
    --key /etc/icinga2/pki/"$(facter fqdn)".key \
    --cert /etc/icinga2/pki/"$(facter fqdn)".crt \
    --csr "$(facter fqdn)".csr
# Fetch and store the master's certificate as the trusted cert
/usr/sbin/icinga2 pki save-cert --key /etc/icinga2/pki/"$(facter fqdn)".key \
    --cert /etc/icinga2/pki/"$(facter fqdn)".crt \
    --trustedcert /etc/icinga2/pki/trusted-master.crt \
    --host prd-qua-za-mon.dc.domain.com
# Ask the master to sign this node's cert using the ticket
/usr/sbin/icinga2 pki request --host prd-qua-za-mon.dc.domain.com --port 5665 \
    --ticket "${ServerUUIDIcinga2SSL}" \
    --key /etc/icinga2/pki/"$(facter fqdn)".key \
    --cert /etc/icinga2/pki/"$(facter fqdn)".crt \
    --trustedcert /etc/icinga2/pki/trusted-master.crt \
    --ca /etc/icinga2/pki/ca.crt
Where $TicketSalt is the master server's TicketSalt.
Your zone.conf for each level down will connect to each level up.
I still need to figure out how to get this working in DMZs, but baby
steps.
H
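Added example, not code from the thread: the per-level steps from the reply above wrapped in a POSIX shell function, so the same sequence can be rerun on each secondary or satellite. It assumes the icinga2 and facter paths used in the reply (overridable through the environment), reads the master's TicketSalt from a root-only file instead of a shell variable (whoever holds the salt can mint a ticket for any CN, so it should not sit in shell history or a process list), copies the CA key with mode 600, and writes the CSR into the pki directory; the master host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: one function per hierarchy level
# wrapping the pki steps from the reply above. Paths below are assumptions
# matching the reply; override them via the environment.
set -u

ICINGA2=${ICINGA2:-/usr/sbin/icinga2}
PKI_DIR=${PKI_DIR:-/etc/icinga2/pki}
CA_DIR=${CA_DIR:-/var/lib/icinga2/ca}
MASTER_PORT=${MASTER_PORT:-5665}

# node_fqdn: this node's FQDN, via facter as in the reply, else hostname -f.
node_fqdn() {
    if command -v facter >/dev/null 2>&1; then
        facter fqdn
    else
        hostname -f
    fi
}

# read_ticket_salt FILE: print the master's TicketSalt stored in FILE.
# The salt is a shared secret (anyone holding it can mint a ticket for any
# CN), so a world-readable file is refused. The permission check uses ls -l
# to stay portable: column 8 of the mode string is the "other read" bit.
read_ticket_salt() {
    salt_file=$1
    [ -r "$salt_file" ] || { echo "cannot read $salt_file" >&2; return 1; }
    case $(ls -ld "$salt_file") in
        ???????r*) echo "refusing world-readable salt file $salt_file" >&2; return 1 ;;
    esac
    # strip line endings: trailing whitespace would yield a different ticket
    tr -d '\r\n' < "$salt_file"
}

# icinga2_join_level MASTER_HOST SALT_FILE [FQDN]
# Runs the reply's sequence: ticket, new-ca, copy of the CA key (mode 600),
# new-cert, save-cert (fetch the master's cert) and request (get it signed).
icinga2_join_level() {
    master_host=$1
    salt_file=$2
    fqdn=${3:-$(node_fqdn)}
    key=$PKI_DIR/$fqdn.key
    cert=$PKI_DIR/$fqdn.crt
    trusted=$PKI_DIR/trusted-master.crt

    salt=$(read_ticket_salt "$salt_file") || return 1
    ticket=$("$ICINGA2" pki ticket --cn "$fqdn" --salt "$salt") || return 1
    "$ICINGA2" pki new-ca || return 1
    cp "$CA_DIR/ca.key" "$PKI_DIR/ca.key" && chmod 600 "$PKI_DIR/ca.key" || return 1
    "$ICINGA2" pki new-cert --cn "$fqdn" --key "$key" --cert "$cert" \
        --csr "$PKI_DIR/$fqdn.csr" || return 1
    "$ICINGA2" pki save-cert --key "$key" --cert "$cert" \
        --trustedcert "$trusted" --host "$master_host" || return 1
    "$ICINGA2" pki request --host "$master_host" --port "$MASTER_PORT" \
        --ticket "$ticket" --key "$key" --cert "$cert" \
        --trustedcert "$trusted" --ca "$PKI_DIR/ca.crt"
}

# Usage when run directly: ./join-level.sh MASTER_FQDN /path/to/ticket_salt [OWN_FQDN]
if [ $# -ge 2 ]; then
    icinga2_join_level "$@"
fi
```

The function returns non-zero at the first failing step, so a Puppet exec or a wrapper script can stop before a half-configured node tries to connect; the salt-file check is what keeps the master's TicketSalt from leaking to every local user on a satellite.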
On Fri, Jul 10, 2015 at 12:12 PM, Henti Smith <[email protected]> wrote:
> Hi all.
>
> I'm really running into a brick wall here so I'm hoping somebody can shed
> some light, because my brain is dead.
>
> We've been experimenting with puppet and I2 for a while internally.
>
> We have an internal icinga server with web and notifications running
> happily, which was set up using the node wizard.
>
> * It has CA keys and certs,
> * It's configured as a master zone with itself as endpoint.
> * We have some remote clients connected as satellites pushing their
> configs to the internal I2 instance. This is working well.
> * We're busy building the same Master with multiple clients for each
> region we'll have a presence in
>
> What I'm trying to get right is multiple hierarchies in this
> configuration.
>
> I want the region, which will have its own I2 and clients, to send
> all check results to the internal I2 instance we have.
>
> Here is a crude diagram:
>
> Master I2 + Web
> ^
> |
> Secondary I2 + Web
> ^
> |
> Satellites
>
> This way each region will have their own dashboard, and we have a
> dashboard over all regions and can do notifications from a central place.
>
> All configs will be done on the clients using puppet, which will then feed
> up to the master and finally up to the internal I2 instance.
>
> So now, I can either get the secondary master and the clients talking, or
> the internal I2 and the secondary I2 instance talking, not all three.
>
> So some questions I can't seem to get clear answers for are:
>
> 1. If I generate a CA on Master and Secondary, how do I connect them to
> not get authentication errors?
> 2. If I use the master CA to sign the secondary, how do I get the clients
> signed to connect to the secondary?
>
> I hope this all makes sense.
>
> Henti
>
>
_______________________________________________
icinga-users mailing list
[email protected]
https://lists.icinga.org/mailman/listinfo/icinga-users