Database | Housekeeping | Check the database size and growth and analyse metrics to examine trends.
Database | DB IDO | [ido](10-icinga-template-library.md#itl-icinga-ido) (more below)
Webserver | Apache2, Nginx, etc. | [http](10-icinga-template-library.md#plugin-check-command-http), [apache-status](10-icinga-template-library.md#plugin-contrib-command-apache-status), [nginx_status](10-icinga-template-library.md#plugin-contrib-command-nginx_status)
-Webserver | Certificates | [http](10-icinga-template-library.md#plugin-check-command-http)
+Webserver | Certificates | [http](10-icinga-template-library.md#plugin-check-command-http), [Icinga certificate monitoring](https://icinga.com/products/icinga-certificate-monitoring/)
Webserver | Authorization | [http](10-icinga-template-library.md#plugin-check-command-http)
Notifications | Mail (queue) | [smtp](10-icinga-template-library.md#plugin-check-command-smtp), [mailq](10-icinga-template-library.md#plugin-check-command-mailq)
Notifications | SMS (GSM modem) | [check_sms3_status](https://exchange.icinga.com/netways/check_sms3status)
More specific database queries can be found in the [DB IDO](14-features.md#db-ido) chapter.
Distributed setups should include specific [health checks](06-distributed-monitoring.md#distributed-monitoring-health-checks).
-You might also want to add additional checks for SSL certificate expiration.
+
+You might also want to add additional checks for TLS certificate expiration.
+This can be done using the [Icinga certificate monitoring](https://icinga.com/products/icinga-certificate-monitoring/) module.
+
## Advanced Configuration Hints <a id="advanced-configuration-hints"></a>
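Review bot: the link to the Icinga certificate monitoring product now appears twice within a few lines, once in the `Certificates` table row (the `+` line replacing the plain `http` entry) and again in the new paragraph after "You might also want to add additional checks for TLS certificate expiration." Pick one place; the table row is the natural spot, and the paragraph can simply say the module exists. Also note that the paragraph calls it a "module" while the link text calls it a product, and the two added blank lines around the paragraph will produce a double blank line if the preceding line is already followed by one.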
import requests, json
# Replace 'localhost' with your FQDN and certificate CN
-# for SSL verification
+# for TLS verification
request_url = "https://localhost:5665/v1/objects/services"
headers = {
'Accept': 'application/json',
require 'rest_client'
# Replace 'localhost' with your FQDN and certificate CN
-# for SSL verification
+# for TLS verification
request_url = "https://localhost:5665/v1/objects/services"
headers = {
"Accept" => "application/json",
#!/usr/bin/env php
<?php
# Replace 'localhost' with your FQDN and certificate CN
-# for SSL verification
+# for TLS verification
$request_url = "https://localhost:5665/v1/objects/services";
$username = "root";
$password = "icinga";
use Data::Dumper;
# Replace 'localhost' with your FQDN and certificate CN
-# for SSL verification
+# for TLS verification
my $request_host = "https://localhost:5665";
my $userpass = "root:icinga";
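Review bot: in all four client snippets (Python, Ruby, PHP, Perl) the only change is the comment `# for TLS verification`, but nothing in the visible lines actually shows the verification being enabled; the comment sits above a bare `request_url` assignment. If the snippets do pass a CA or verify option further down, move the comment next to that option so it describes the code it annotates; if they do not, the comment promises something the example does not do. The PHP and Perl snippets also carry the default credentials `root` / `icinga` next to the `localhost` placeholder; since the hunk touches these examples anyway, the "Replace 'localhost'" comment could say to replace the credentials too.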
}
```
-This is a typical pattern for checking individual disks, NICs, SSL certificates etc associated
+This is a typical pattern for checking individual disks, NICs, TLS certificates etc associated
with a host. What would be useful is to have the data points tagged with the specific instance
for that check. This would allow you to query time series data for a check on a host and for a
specific instance e.g. /dev/sda. To do this quite simply add the instance to the service variables:
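Review bot: while touching this sentence, "TLS certificates etc associated with a host" should read "TLS certificates etc. associated with a host" (abbreviation period); the rest of the wording is unchanged from the `-` line.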
Not valid after: Jul 8 07:39:55 2034 GMT
```
-
-### Certificate Problems with OpenSSL 1.1.0 <a id="troubleshooting-certificate-openssl-1-1-0"></a>
-
-Users have reported problems with SSL certificates inside a distributed monitoring setup when they
-
-* updated their Icinga 2 package to 2.7.0 on Windows or
-* upgraded their distribution which included an update to OpenSSL 1.1.0.
-
-Example during startup on a Windows client:
-
-```
-critical/SSL: Error loading and verifying locations in ca key file 'C:\ProgramData\icinga2\etc/icinga2/pki/ca.crt': 219029726, "error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content"
-critical/config: Error: Cannot make SSL context for cert path: 'C:\ProgramData\icinga2\etc/icinga2/pki/client.crt' key path: 'C:\ProgramData\icinga2\etc/icinga2/pki/client.key' ca path: 'C:\ProgramData\icinga2\etc/icinga2/pki/ca.crt'.
-```
-
-A technical analysis and solution for re-creating the public CA certificate is
-available in [this advisory](https://icinga.com/2017/08/30/advisory-for-ssl-problems-with-leading-zeros-on-openssl-1-1-0/).
-
-
## Cluster and Clients Troubleshooting <a id="troubleshooting-cluster"></a>
This applies to any Icinga 2 node in a [distributed monitoring setup](06-distributed-monitoring.md#distributed-monitoring-scenarios).
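Review bot: the removed section "Certificate Problems with OpenSSL 1.1.0" drops the anchor `troubleshooting-certificate-openssl-1-1-0`, the Windows error signature (`error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content`) and the advisory link https://icinga.com/2017/08/30/advisory-for-ssl-problems-with-leading-zeros-on-openssl-1-1-0/. Check that no other chapter links to that anchor, and consider keeping a one-line pointer to the advisory under the certificate troubleshooting section, since users with a CA generated before the fix will still hit this error when they upgrade.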
# nmap icinga2-agent1.localdomain
```
-### Cluster Troubleshooting SSL Errors <a id="troubleshooting-cluster-ssl-errors"></a>
+### Cluster Troubleshooting TLS Errors <a id="troubleshooting-cluster-tls-errors"></a>
-If the cluster communication fails with SSL error messages, make sure to check
+If the cluster communication fails with TLS/SSL error messages, make sure to check
the following
-* File permissions on the SSL certificate files
+* File permissions on the TLS certificate files
* Does the used CA match for all cluster endpoints?
* Verify the `Issuer` being your trusted CA
* Verify the `Subject` containing your endpoint's common name (CN)
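Review bot: renaming the heading anchor from `troubleshooting-cluster-ssl-errors` to `troubleshooting-cluster-tls-errors` breaks existing deep links and any cross references in other chapters; either keep the old id alongside the new one (a second `<a id="troubleshooting-cluster-ssl-errors"></a>`) or update every link that targets it. The body is also inconsistent about the rename: the intro says "TLS/SSL error messages" while the bullet says "TLS certificate files"; use one form.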
#### Cluster Troubleshooting Unauthenticated Clients <a id="troubleshooting-cluster-unauthenticated-clients"></a>
-Unauthenticated nodes are able to connect. This is required for client setups.
+Unauthenticated nodes are able to connect. This is required for agent/satellite setups.
Master:
[2015-07-13 18:29:25 +0200] information/ApiListener: New client connection for identity 'icinga2-agent1.localdomain' (unauthenticated)
```
-Client as command execution bridge:
+Agent as command execution bridge:
```
[2015-07-13 18:29:26 +1000] notice/ClusterEvents: Discarding 'execute command' message from 'icinga2-master1.localdomain': Invalid endpoint origin (client not allowed).
```
-If these messages do not go away, make sure to [verify the master and client certificates](15-troubleshooting.md#troubleshooting-certificate-verification).
+If these messages do not go away, make sure to [verify the master and agent certificates](15-troubleshooting.md#troubleshooting-certificate-verification).
+
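Review bot: the body now says "agent/satellite setups" and "Agent as command execution bridge", but the heading above it is still "Cluster Troubleshooting Unauthenticated Clients" with id `troubleshooting-cluster-unauthenticated-clients`, and the link text at the end refers to "master and agent certificates". Rename the heading text for consistency (keeping the anchor id if other chapters link to it); the quoted log line `Invalid endpoint origin (client not allowed)` is program output and should stay as is.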
### Cluster Troubleshooting Message Errors <a id="troubleshooting-cluster-message-errors"></a>
* Within a config master zone, only one configuration master is allowed to have its config in `/etc/icinga2/zones.d`.
** The master syncs the configuration to `/var/lib/icinga2/api/zones/` during startup and only syncs valid configuration to the other nodes.
-** The other nodes receive the configuration into `/var/lib/icinga2/api/zones/`.
+** The other nodes receive the configuration into `/var/lib/icinga2/api/zones-stage` and copy them to the production directory `/var/lib/icinga2/api/zones` upon successful validation (since v2.11).
* The `icinga2.log` log file in `/var/log/icinga2` will indicate whether this ApiListener
[accepts config](06-distributed-monitoring.md#distributed-monitoring-top-down-config-sync), or not.
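Review bot: the new description of the staging step says what happens on successful validation but not what happens when validation fails, which is the case a troubleshooter is looking for; add whether the previous production directory stays in place and where the failure is logged. Also the path is written `/var/lib/icinga2/api/zones/` with a trailing slash in the master bullet and `/var/lib/icinga2/api/zones` without it in the new line; use one form.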
Note: The following description uses `parent node` and `child node`.
This also applies to nodes in the same cluster zone.
-During the connection attempt, an SSL handshake is performed.
+During the connection attempt, a TLS handshake is performed.
If the public certificate of a child node is not signed by the same
CA, the child node is not trusted and the connection will be closed.
-If the SSL handshake succeeds, the parent node reads the
+If the TLS handshake succeeds, the parent node reads the
certificate's common name (CN) of the child node and looks for
a local Endpoint object name configuration.
#### Master Processes Incoming Connection <a id="technical-concepts-tls-network-io-connection-handling-incoming"></a>
* The node starts a new ApiListener, this invokes `AddListener()`
- * Setup SSL Context
+ * Setup TLS Context (SslContext)
* Initialize global I/O engine and create a TCP acceptor
* Resolve bind host/port (optional)
* Listen on IPv4 and IPv6
* Loop over all configured zones, exclude global zones and not direct parent/child zones
* Get the endpoints configured in the zones, exclude: local endpoint, no 'host' attribute, already connected or in progress
* Call `AddConnection()`
-* Spawn a new Coroutine after making the SSL context
+* Spawn a new Coroutine after making the TLS context
* Use the global I/O engine for socket I/O
* Create TLS stream
* Connect to endpoint host/port details
#### Requirements
-OpenSSL 1.0.x doesn't build anymore, so we're explicitly using 1.1.x here.
+Explicitly use OpenSSL 1.1.x, older versions are out of support.
```
brew install ccache boost cmake bison flex openssl@1.1 mysql-connector-c++ postgresql libpq
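Review bot: "Explicitly use OpenSSL 1.1.x, older versions are out of support." is a comma splice; write it as two sentences or with a semicolon. The line also changes the stated reason from "1.0.x doesn't build anymore" to "out of support"; if both are true, keeping the build failure is the more useful hint for someone who still has 1.0.x installed, since the `brew install ... openssl@1.1` line below is what they need to run.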
install requirements:
* enable the `checker`, `notification` and `mainlog` feature by default
-* run 'icinga2 api setup' in order to enable the `api` feature and generate SSL certificates for the node
+* run 'icinga2 api setup' in order to enable the `api` feature and generate TLS certificates for the node
### Run Icinga 2 <a id="development-package-builds-run-icinga"></a>
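Review bot: the command in "run 'icinga2 api setup'" is quoted with single quotes while the feature names on the same and the previous line use backticks; use `icinga2 api setup` for consistency with the rest of the list.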
#### Requirements <a id="development-package-builds-windows-requirements"></a>
* 32 or 64-bit system
-* Visual Studio >= 14 2015
+* Visual Studio >= 14.1 2017
* CMake >= 2.6
-* OpenSSL >= 1.0.1
+* OpenSSL >= 1.1.1
* Flex and Bison
##### Visual Studio
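Review bot: "Visual Studio >= 14.1 2017" mixes the MSVC toolset version (v141 / 14.1) with the product year; the previous line followed the CMake generator naming ("Visual Studio 14 2015"), whose counterpart for VS 2017 is "Visual Studio 15 2017". Also "OpenSSL >= 1.1.1" here versus "OpenSSL 1.1.x" in the macOS requirements above should agree, and "CMake >= 2.6" is left untouched while the compiler and OpenSSL minimums are raised; confirm that is still the real minimum.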
Icinga 2 implements a new built-in
[distributed monitoring architecture](06-distributed-monitoring.md#distributed-monitoring-scenarios),
-including config and check distribution, IPv4/IPv6 support, SSL certificates and zone support for DMZ.
+including config and check distribution, IPv4/IPv6 support, TLS certificates and zone support for DMZ.
High Availability and load balancing are also part of the Icinga 2 Cluster feature, next to local replay
logs on connection loss ensuring that the event history is kept in sync.