Merge pull request #495 from Icinga:feature/check_icinga_agent_certificate_sign_status

Feature: Check Icinga Agent certificate sign status

Adds a feature to check the sign status of the local Icinga Agent certificate and notify the user in case the certificate is not yet signed by the Icinga CA.
Lord Hepipud 2022-03-17 11:40:03 +01:00 committed by GitHub
commit 3c053ecd7e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 37 additions and 2 deletions


@ -22,6 +22,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
### Enhancements ### Enhancements
* [#469](https://github.com/Icinga/icinga-powershell-framework/pull/469) Improves plugin doc generator to allow multi-lines in code examples and updates plugin overview as table, adding a short description on what the plugin is for * [#469](https://github.com/Icinga/icinga-powershell-framework/pull/469) Improves plugin doc generator to allow multi-lines in code examples and updates plugin overview as table, adding a short description on what the plugin is for
* [#495](https://github.com/Icinga/icinga-powershell-framework/pull/495) Adds feature to check the sign status for the local Icinga Agent certificate and notifying the user, in case the certificate is not yet signed by the Icinga CA
## 1.8.0 (2022-02-08) ## 1.8.0 (2022-02-08)
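Review bot: the new #495 changelog entry mixes verb forms ("Adds feature to check ... and notifying the user"). Suggest "Adds a feature that checks the sign status of the local Icinga Agent certificate and notifies the user if the certificate is not yet signed by the Icinga CA", which also matches the style of the #469 entry above it.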


@ -20,3 +20,4 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent
| [IWKB000010](knowledgebase/IWKB000010.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. | | [IWKB000010](knowledgebase/IWKB000010.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
| [IWKB000011](knowledgebase/IWKB000011.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. | | [IWKB000011](knowledgebase/IWKB000011.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
| [IWKB000012](knowledgebase/IWKB000012.md) | Icinga for Windows cannot be used with Microsoft Defender: `Windows Defender Antivirus has detected malware or other potentially unwanted software` | | [IWKB000012](knowledgebase/IWKB000012.md) | Icinga for Windows cannot be used with Microsoft Defender: `Windows Defender Antivirus has detected malware or other potentially unwanted software` |
| [IWKB000013](knowledgebase/IWKB000013.md) | The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required |
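Review bot: the IWKB000013 row's text should match the console message in Get-IcingaAgentHostCertificate exactly, which says "might not work" while this row (and the KB article) say "might not work yet"; a user searching the documentation for the logged text should get a hit. Also "as example" should be "for example", and "seems not to be signed" reads better as "does not appear to be signed".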

Binary file not shown.



@ -0,0 +1,17 @@
# Icinga Knowledge Base - IWKB000013
## Short Message
The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required
## Example Exception
![EventLog Defender](../images/04_knowledgebase/IWKB000013/01_Cert_Not_Signed.png)
## Reason
This warning will occur, whenever Icinga for Windows is fetching the Icinga Agents local certificate, for compiling the `IcingaForWindows.pfx` certificate or by accessing the certificate for dynamically creating the REST-Api TLS certificate.
## Solution
To resolve this issue, you will have to make sure the certificate is signed by the `Icinga CA` by either manually signing the certificate on the `CA master` with `icinga2 ca sign <Fingerprint>` or by using a ticket during the setup process for signing the certificate right away.
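Review bot: the image alt text "EventLog Defender" is copied from the IWKB000012 (Microsoft Defender) article and does not describe this screenshot; use something like "EventLog Certificate Not Signed". In Reason, "the Icinga Agents local certificate" needs an apostrophe ("Agent's"), and it would help the reader to say what the check actually looks at: the framework flags the certificate when its Issuer is the host's own CN, i.e. the certificate is still self-signed and has not been replaced by the CA-signed one. In Short Message, "as example" should be "for example".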


@ -27,6 +27,16 @@ function Get-IcingaAgentHostCertificate()
$Certificate = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath; $Certificate = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath;
if ($null -ne $Certificate) {
if ($Certificate.Issuer.ToLower() -eq ([string]::Format('cn={0}', $Hostname).ToLower())) {
Write-IcingaConsoleWarning `
-Message 'The Icinga Agent certificate "{0}" seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work. Please check the state of the certificate and complete the signing process if required. [IWKB000013]' `
-Objects $CertPath;
Write-IcingaEventMessage -EventId 1506 -Namespace 'Framework' -Objects $CertPath;
}
}
return @{ return @{
'CertFile' = $CertPath; 'CertFile' = $CertPath;
'Subject' = $Certificate.Subject; 'Subject' = $Certificate.Subject;
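Review bot: the self-signed check compares the Issuer against the literal string "cn=<hostname>", so a certificate whose Subject is not exactly CN=<hostname> (an FQDN that differs from $Hostname, or a subject with additional RDNs) would not be detected. A self-signed certificate is one whose Issuer equals its own Subject, so `if ($Certificate.Issuer -eq $Certificate.Subject)` is the more direct and robust test and removes the string formatting; note also that `-eq` on strings is already case-insensitive in PowerShell, so the two ToLower() calls are redundant. Separately, the KB article states this path runs whenever the certificate is fetched for the pfx build or for the REST-Api TLS certificate, so Write-IcingaEventMessage will log event 1506 on every such call; consider logging once per certificate so the Event Log is not flooded while the signing is pending.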


@ -101,9 +101,15 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
1505 = @{ 1505 = @{
'EntryType' = 'Warning'; 'EntryType' = 'Warning';
'Message' = 'Icinga for Windows JEA context not available'; 'Message' = 'Icinga for Windows JEA context not available';
'Details' = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happenend due to a crash or a user action, like restarting the WinRM service.'; 'Details' = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happened due to a crash or a user action, like restarting the WinRM service.';
'EventId' = 1505; 'EventId' = 1505;
}; };
1506 = @{
'EntryType' = 'Error';
'Message' = 'Icinga Agent certificate not signed by Icinga CA';
'Details' = 'The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required [IWKB000013]';
'EventId' = 1506;
};
1550 = @{ 1550 = @{
'EntryType' = 'Error'; 'EntryType' = 'Error';
'Message' = 'Unsupported web authentication used'; 'Message' = 'Unsupported web authentication used';
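Review bot: event 1506 is registered with EntryType 'Error', but the console side in Get-IcingaAgentHostCertificate emits it through Write-IcingaConsoleWarning and the KB article calls it a warning ("This warning will occur"); align the severity, either 'Warning' here like 1505 or an error on the console, so that Event Log filtering by level matches what the user sees. The "happenend" to "happened" fix in 1505 is an unrelated drive-by change; fine to keep, but it should be mentioned in the commit message.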
@ -113,7 +119,7 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
1551 = @{ 1551 = @{
'EntryType' = 'Warning'; 'EntryType' = 'Warning';
'Message' = 'Invalid authentication credentials provided'; 'Message' = 'Invalid authentication credentials provided';
'Details' = 'A web request for a client was rejected because of invalid formated base64 encoded credentials.'; 'Details' = 'A web request for a client was rejected because of invalid formatted base64 encoded credentials.';
'EventId' = 1551; 'EventId' = 1551;
}; };
1552 = @{ 1552 = @{
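Review bot: "invalid formatted base64 encoded credentials" fixes the spelling but not the grammar; "malformed base64-encoded credentials" (or "invalidly formatted") reads correctly and says what the check rejects.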