Node Wizard: Tell the user to put ca.crt if no connection to parent is selected

This also fixes the choice tree for connection-less questions
and prevents empty tickets being stored on disk.

refs #5450

lib/cli/nodewizardcommand.cpp

@@ -147,6 +147,7 @@ int NodeWizardCommand::ClientSetup(void) const
 {
 	std::string answer;
 	String choice;
+	bool connectToParent = false;
 
 	std::cout << "Starting the Client/Satellite setup routine...\n\n";
 
@@ -200,9 +201,15 @@ wizard_endpoint_loop_start:
 	String parentEndpointPort = "5665";
 
 	if (choice.Contains("n")) {
+		connectToParent = false;
+
 		Log(LogWarning, "cli", "Node to master/satellite connection setup skipped");
-		std::cout << "Connection setup skipped. Please configure your parent node to connect to this node by setting the 'host' attribute for the node Endpoint object.\n";
+		std::cout << "Connection setup skipped. Please configure your parent node to\n"
+		    << "connect to this node by setting the 'host' attribute for the node Endpoint object.\n";
+
 	} else  {
+		connectToParent = true;
+
 		std::cout << ConsoleColorTag(Console_Bold)
 		    << "Please specify the master/satellite connection information:"
 		    << ConsoleColorTag(Console_Normal) << "\n"
@@ -298,7 +305,8 @@ wizard_endpoint_loop_start:
 
 	boost::shared_ptr<X509> trustedParentCert;
 
-	if (!parentHost.IsEmpty()) {
+	/* Check whether we should connect to the parent node and present its trusted certificate. */
+	if (connectToParent) {
 		//save-cert and store the master certificate somewhere
 		Log(LogInformation, "cli")
 		    << "Fetching public certificate from master ("
@@ -326,6 +334,11 @@ wizard_endpoint_loop_start:
 	}
 
 wizard_ticket:
+	String nodeCA = certsDir + "/ca.crt";
+	String ticket;
+
+	/* Check whether we can connect to the parent node and fetch the client and CA certificate. */
+	if (connectToParent) {
 		std::cout << ConsoleColorTag(Console_Bold)
 		    << "\nPlease specify the request ticket generated on your Icinga 2 master (optional)."
 		    << ConsoleColorTag(Console_Normal) << "\n"
@@ -340,10 +353,9 @@ wizard_ticket:
 			    << ConsoleColorTag(Console_Normal) << "\n";
 		}
 
-	String ticket = answer;
+		ticket = answer;
 		ticket = ticket.Trim();
 
-	if (!parentHost.IsEmpty()) {
 		if (ticket.IsEmpty()) {
 			Log(LogInformation, "cli")
 			    << "Requesting certificate without a ticket.";
@@ -352,8 +364,6 @@ wizard_ticket:
 			    << "Requesting certificate with ticket '" << ticket << "'.";
 		}
 
-		String nodeCA = certsDir + "/ca.crt";
-
 		if (Utility::PathExists(nodeCA))
 			NodeUtility::CreateBackupFile(nodeCA);
 		if (Utility::PathExists(nodeCert))
@@ -375,6 +385,25 @@ wizard_ticket:
 			    << "' group '" << group << "' on file '"
 			    << nodeCert << "'. Verify it yourself!";
 		}
+	} else {
+		/* We cannot retrieve the parent certificate.
+		 * Tell the user to manually copy the ca.crt file
+		 * into LocalStateDir + "/lib/icinga2/certs"
+		 */
+
+		std::cout <<  ConsoleColorTag(Console_Bold)
+		    << "\nNo connection to the parent node was specified.\n\n"
+		    << "Please copy the public CA certificate from your master/satellite\n"
+		    << "into '" << nodeCA << "' before starting Icinga 2.\n"
+		    << ConsoleColorTag(Console_Normal);
+
+		if (Utility::PathExists(nodeCA)) {
+			std::cout <<  ConsoleColorTag(Console_Bold)
+			    << "\nFound public CA certificate in '" << nodeCA << "'.\n"
+			    << "Please verify that it is the same as on your master/satellite.\n"
+			    << ConsoleColorTag(Console_Normal);
+		}
+
 	}
 
 	/* apilistener config */
@@ -490,6 +519,7 @@ wizard_ticket:
 	NodeUtility::UpdateConstant("NodeName", cn);
 	NodeUtility::UpdateConstant("ZoneName", cn);
 
+	if (!ticket.IsEmpty()) {
 		String ticketPath = ApiListener::GetCertsDir() + "/ticket";
 
 		String tempTicketPath = Utility::CreateTempFile(ticketPath + ".XXXXXX", 0600, fp);
@@ -515,6 +545,7 @@ wizard_ticket:
 			    << boost::errinfo_errno(errno)
 			    << boost::errinfo_file_name(tempTicketPath));
 		}
+	}
 
 	return 0;
 }