From f4dad05a633961de3c63e5aaceecbf213b66110b Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Thu, 9 Nov 2017 15:14:10 +0100
Subject: [PATCH] Fix manual certificate creation chapter in the docs

---
 doc/06-distributed-monitoring.md | 69 +++++++++++++++++++++-----------
 1 file changed, 45 insertions(+), 24 deletions(-)

diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md
index a26c84eeb..1a680977f 100644
--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@@ -2391,7 +2391,9 @@ Make sure that the directory permissions for `/var/lib/icinga2/ca` are secure **Do not expose these private keys to anywhere else. This is a matter of security.** -### Manual Certificate Creation +### Manual Certificate Creation + +#### Create CA on the Master Choose the host which should store the certificate authority (one of the master nodes). 
@@ -2400,51 +2402,70 @@ as root user: [root@icinga2-master1.localdomain /root]# icinga2 pki new-ca -Create a certificate signing request (CSR) for each node: +#### Create CSR and Certificate - [root@icinga2-master1.localdomain /root]# icinga2 pki new-cert --cn icinga2-master1.localdomain \ - --key icinga2-master1.localdomain.key \ - --csr icinga2-master1.localdomain.csr +Create a certificate signing request (CSR) for the local instance: + +``` +[root@icinga2-master1.localdomain /root]# icinga2 pki new-cert --cn icinga2-master1.localdomain \ + --key icinga2-master1.localdomain.key \ + --csr icinga2-master1.localdomain.csr +``` Sign the CSR with the previously created CA: - [root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain +``` +[root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain +``` + +Repeat the steps for all instances in your setup. > **Note** > > The certificate location changed in v2.8 to `/var/lib/icinga2/certs`. Please read the [upgrading chapter](16-upgrading-icinga-2.md#upgrading-to-2-8-certificate-paths) > for more details. 
+#### Copy Certificates + Copy the host's certificate files and the public CA certificate to `/var/lib/icinga2/certs`: - [root@icinga2-master1.localdomain /root]# mkdir -p /var/lib/icinga2/certs - [root@icinga2-master1.localdomain /root]# cp icinga2-master1.localdomain.{crt,key} /var/lib/icinga2/certs - [root@icinga2-master1.localdomain /root]# cp /var/lib/icinga2/ca/ca.crt /var/lib/icinga2/certs +``` +[root@icinga2-master1.localdomain /root]# mkdir -p /var/lib/icinga2/certs +[root@icinga2-master1.localdomain /root]# cp icinga2-master1.localdomain.{crt,key} /var/lib/icinga2/certs +[root@icinga2-master1.localdomain /root]# cp /var/lib/icinga2/ca/ca.crt /var/lib/icinga2/certs +``` Ensure that proper permissions are set (replace `icinga` with the Icinga 2 daemon user): - [root@icinga2-master1.localdomain /root]# chown -R icinga:icinga /var/lib/icinga2/certs - [root@icinga2-master1.localdomain /root]# chmod 600 /var/lib/icinga2/certs/*.key - [root@icinga2-master1.localdomain /root]# chmod 644 /var/lib/icinga2/certs/*.crt +``` +[root@icinga2-master1.localdomain /root]# chown -R icinga:icinga /var/lib/icinga2/certs +[root@icinga2-master1.localdomain /root]# chmod 600 /var/lib/icinga2/certs/*.key +[root@icinga2-master1.localdomain /root]# chmod 644 /var/lib/icinga2/certs/*.crt +``` The CA public and private key are stored in the `/var/lib/icinga2/ca` directory. Keep this path secure and include it in your backups. -Example for creating multiple certificates at once: +#### Create Multiple Certificates - [root@icinga2-master1.localdomain /var/lib/icinga2/certs]# for node in icinga2-master1.localdomain icinga2-master2.localdomain icinga2-satellite1.localdomain; do icinga2 pki new-cert --cn $node --csr $node.csr --key $node.key; done - information/base: Writing private key to 'icinga2-master1.localdomain.key'. - information/base: Writing certificate signing request to 'icinga2-master1.localdomain.csr'. 
- information/base: Writing private key to 'icinga2-master2.localdomain.key'. - information/base: Writing certificate signing request to 'icinga2-master2.localdomain.csr'. - information/base: Writing private key to 'icinga2-satellite1.localdomain.key'. - information/base: Writing certificate signing request to 'icinga2-satellite1.localdomain.csr'. +Use your preferred method to automate the certificate generation process. - [root@icinga2-master1.localdomain /var/lib/icinga2/certs]# for node in icinga2-master1.localdomain icinga2-master2.localdomain icinga2-satellite1.localdomain; do sudo icinga2 pki sign-csr --csr $node.csr --cert $node.crt; done - information/pki: Writing certificate to file 'icinga2-master1.localdomain.crt'. - information/pki: Writing certificate to file 'icinga2-master2.localdomain.crt'. - information/pki: Writing certificate to file 'icinga2-satellite1.localdomain.crt'. +``` +[root@icinga2-master1.localdomain /var/lib/icinga2/certs]# for node in icinga2-master1.localdomain icinga2-master2.localdomain icinga2-satellite1.localdomain; do icinga2 pki new-cert --cn $node --csr $node.csr --key $node.key; done +information/base: Writing private key to 'icinga2-master1.localdomain.key'. +information/base: Writing certificate signing request to 'icinga2-master1.localdomain.csr'. +information/base: Writing private key to 'icinga2-master2.localdomain.key'. +information/base: Writing certificate signing request to 'icinga2-master2.localdomain.csr'. +information/base: Writing private key to 'icinga2-satellite1.localdomain.key'. +information/base: Writing certificate signing request to 'icinga2-satellite1.localdomain.csr'. +[root@icinga2-master1.localdomain /var/lib/icinga2/certs]# for node in icinga2-master1.localdomain icinga2-master2.localdomain icinga2-satellite1.localdomain; do sudo icinga2 pki sign-csr --csr $node.csr --cert $node.crt; done +information/pki: Writing certificate to file 'icinga2-master1.localdomain.crt'. 
+information/pki: Writing certificate to file 'icinga2-master2.localdomain.crt'. +information/pki: Writing certificate to file 'icinga2-satellite1.localdomain.crt'. +``` + +Copy and move these certificates to the respective instances e.g. with SSH/SCP. ## Automation