
critical/cli: Could not fetch valid response. Please check the master log. #7363

Closed
jqrung opened this issue Jul 26, 2019 · 14 comments
Labels: area/distributed (Distributed monitoring: master, satellites, clients), bug (Something isn't working)

jqrung commented Jul 26, 2019

Ubuntu 18.04.2 LTS server

icinga2 version:

root@master-207:/var/lib/icinga2/ca# icinga2 --version |head
icinga2 - The Icinga 2 network monitoring daemon (version: r2.10.5-1)

root@node1:/var/lib/icinga2/certs# icinga2 --version |head
icinga2 - The Icinga 2 network monitoring daemon (version: r2.10.5-1)

client:

sudo icinga2 node wizard

critical/cli: Could not fetch valid response. Please check the master log.
critical/cli: Failed to fetch signed certificate from master '10.0.0.207, 5665'. Please try again.

server log:

[2019-07-26 19:11:07 +0800] information/ApiListener: No data received on new API connection. Ensure that the remote endpoints are properly configured in a cluster setup.
[2019-07-26 19:11:17 +0800] information/ApiListener: New client connection for identity 'node1' from [10.0.0.206]:23802 (certificate validation failed: code 18: self signed certificate)
[2019-07-26 19:11:27 +0800] warning/ApiListener: No data received on new API connection for identity 'node1'. Ensure that the remote endpoints are properly configured in a cluster setup.
Context:
        (0) Handling new API client connection

I referred to this URL, but no result:
https://icinga.com/2017/08/30/advisory-for-ssl-problems-with-leading-zeros-on-openssl-1-1-0/

root@master-207:/var/lib/icinga2/ca# openssl x509 -text -in ca.crt |head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            95:f9:2b:a8:fd:00:21:88:91:d8:1b:81:47:3e:69:cc:3b:62:2c:07
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Icinga CA
        Validity
            Not Before: Jul 26 09:45:10 2019 GMT
            Not After : Jul 22 09:45:10 2034 GMT

root@node1:/var/lib/icinga2/certs# openssl req -text -in node1.csr |head
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = node1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

root@node1:/var/lib/icinga2/certs# openssl x509 -text -in node1.crt |head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:78:4b:14:d9:f3:89:eb:db:70:92:91:bd:b6:3f:90:5b:40:f5:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = node1
        Validity
            Not Before: Jul 26 11:22:49 2019 GMT
            Not After : Jul 22 11:22:49 2034 GMT
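
Added example for this issue (my own script, not the reporter's files and not Icinga's own tooling): the report shows two different certificate shapes, ca.crt with Issuer CN = Icinga CA and node1.crt with Issuer CN = node1, i.e. a node certificate that signed itself instead of being issued by the CA, which is exactly what a verifying peer reports as "code 18: self signed certificate". The script below builds a throwaway PKI with the same names (Icinga CA, master-207, node1; the files are generated, not the reporter's), then uses openssl verify(1) to reproduce the three outcomes that appear later in this thread: OK, error 18 (the leaf is self-signed) and error 19 (the chain ends in a root the verifier does not trust). It needs the openssl binary in PATH; file names, the ca.cnf contents and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the Icinga issue or the Icinga project): build a
# throwaway PKI mirroring the certificate shapes seen in the thread and
# classify each with openssl verify(1). Requires openssl in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CRT=$WORK/ca.crt         # self-signed root, like /var/lib/icinga2/ca/ca.crt
MASTER_CRT=$WORK/master.crt # leaf issued by the CA (Issuer: CN = Icinga CA)
NODE1_CRT=$WORK/node1.crt   # leaf that signed itself (Issuer == Subject)

# Generate the toy PKI. An explicit config keeps the result independent of the
# system openssl.cnf: the root carries CA:TRUE so verify(1) accepts it as a
# trust anchor, the leaves carry CA:FALSE.
make_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Icinga CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -days 1 -keyout "$WORK/ca.key" -out "$CA_CRT" >/dev/null 2>&1
    openssl req -new -config "$WORK/ca.cnf" -subj '/CN=master-207' \
        -newkey rsa:2048 -nodes -keyout "$WORK/master.key" \
        -out "$WORK/master.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/master.csr" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.cnf" -extensions leaf_ext \
        -out "$MASTER_CRT" >/dev/null 2>&1
    openssl req -x509 -new -config "$WORK/ca.cnf" -extensions leaf_ext \
        -subj '/CN=node1' -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/node1.key" -out "$NODE1_CRT" >/dev/null 2>&1
}

# Print "yes" if Subject and Issuer of $1 match: the quick check that tells a
# CA-signed node certificate from one that only signed itself.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Print "ok" or the X509_V_ERR number that verify(1) reports for leaf $1.
# $2: trust anchor file, or "" for an empty trust store.
# $3: untrusted chain file (what a peer sends alongside its leaf), or "".
# Codes seen in this issue: 18 = self signed certificate (the leaf itself),
# 19 = self signed certificate in certificate chain (an untrusted root).
verify_code() {
    leaf=$1; anchor=${2:-}; chain=${3:-}
    set --
    if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor"
    else set -- "$@" -no-CAfile -no-CApath; fi
    [ -n "$chain" ] && set -- "$@" -untrusted "$chain"
    if out=$(openssl verify "$@" "$leaf" 2>&1); then echo ok; return 0; fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-unknown}"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not in PATH' >&2; return 0; }
    make_pki
    printf 'node1.crt self-signed:           %s\n' "$(is_self_signed "$NODE1_CRT")"
    printf 'master.crt self-signed:          %s\n' "$(is_self_signed "$MASTER_CRT")"
    printf 'master.crt vs ca.crt:            %s\n' "$(verify_code "$MASTER_CRT" "$CA_CRT" "")"
    printf 'node1.crt vs ca.crt:             %s\n' "$(verify_code "$NODE1_CRT" "$CA_CRT" "")"
    printf 'master.crt, chain but no anchor: %s\n' "$(verify_code "$MASTER_CRT" "" "$CA_CRT")"
}
main
```

Run against real files, `verify_code /var/lib/icinga2/certs/node1.crt /var/lib/icinga2/ca/ca.crt ""` printing 18 means the node is still presenting the certificate it generated for itself, so the master's ApiListener will log the same validation failure no matter how the TLS handshake itself goes; only a certificate whose Issuer is the Icinga CA (the "ok" case) lets the node authenticate.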
@Crunsher (Contributor)

Can you make a connection using openssl s_server and s_client?

This should work if you need a guide: https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/

@Crunsher Crunsher added area/distributed Distributed monitoring (master, satellites, clients) needs feedback We'll only proceed once we hear from you again labels Jul 26, 2019
jqrung commented Jul 28, 2019

Thank you very much!

I tested; have a look:

user@1804-201:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018

user@1804-202:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018

user@1804-201:~$ netstat -lntup |grep 44330
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0 :::44330                :::*                    LISTEN      1913/openssl


user@1804-201:~$ openssl s_client -connect localhost:44330 |head 
depth=0 C = CN, ST = SH, L = SH, O = DFNF, OU = IT, CN = webserver, emailAddress = test@foxmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = SH, L = SH, O = DFNF, OU = IT, CN = webserver, emailAddress = test@foxmail.com
verify return:1
CONNECTED(00000005)

user@1804-202:~$ telnet 10.0.0.201 44330
Trying 10.0.0.201...
Connected to 10.0.0.201.
Escape character is '^]'.

jqrung commented Jul 28, 2019

And HTTPS is this:

https://10.0.0.201:44330/

s_server -key key.pem -cert cert.pem -accept 44330 -www 
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256 
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305 
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256 
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256 
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384   
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256 
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256     
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA      
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA    
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA        
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384 
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305 
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384         
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305     
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256 
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256     
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256             
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA  
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA       
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384 
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA    
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384     
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256 
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA   
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256 
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA    
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA                
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA        
---
Ciphers common between both SSL end points:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       ECDHE-ECDSA-AES256-SHA    
ECDHE-RSA-AES256-SHA       AES128-GCM-SHA256          AES256-GCM-SHA384         
AES128-SHA                 AES256-SHA
Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA1:ECDSA+SHA1
Supported Elliptic Groups: 0x8A8A:X25519:P-256:P-384
Shared Elliptic groups: X25519:P-256:P-384
---
No server certificate CA names sent
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 
    Session-ID-ctx: 01000000
    Master-Key: 8E709E855AC600A1163254B6ADD39B7B2AF70967FDEC7BFDA8FFF3F9D8C024ADEFF615E3E60ECE9EF7C5505545F6F78C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1564288549
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   2 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   2 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

jqrung commented Jul 28, 2019

And I used curl to test:

user@1804-202:~$ curl http://10.0.0.201/icingaweb2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.0.0.201/icingaweb2/">here</a>.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.0.0.201 Port 80</address>
</body></html>

user@1804-202:~$ curl https://10.0.0.201:44330/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

user@1804-201:~$ openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
Using default temp DH parameters
ACCEPT
139729064497600:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
139729064497600:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48

user@1804-201:~$ curl https://10.0.0.201:44330/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

user@1804-201:~$ openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
Using default temp DH parameters
ACCEPT
139729064497600:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48
139729064497600:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48

@dnsmichi (Contributor)

Not sure why you are testing port 44330, Icinga 2 listens on 5665.

@Al2Klimov (Member)

Please also test whether the problem still occurs in v2.11rc1.

jqrung commented Jul 31, 2019

apt-get installs this version:
version: r2.10.5-1

v2.11rc1: how do I install it?

jqrung commented Jul 31, 2019

Not sure why you are testing port 44330, Icinga 2 listens on 5665.

Sorry, I was testing by the example.

And I retested; is this OK?

openssl test:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

test icinga2:

openssl s_server -key key.pem -cert cert.pem -accept 5665 -www
user@master-207:~$ openssl s_server -key key.pem -cert cert.pem -accept 5665 -www
Using default temp DH parameters
139775174971840:error:02006062:system library:bind:Address already in use:../crypto/bio/b_sock2.c:159:
139775174971840:error:20093075:BIO routines:BIO_bind:unable to bind socket:../crypto/bio/b_sock2.c:160:
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

user@master-207:~$ netstat -lntup |grep 5665
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      -

user@master-207:~$ sudo systemctl stop icinga2

user@master-207:~$ netstat -lntup |grep 5665
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

user@master-207:~$ openssl s_server -key key.pem -cert cert.pem -accept 5665 -www
Using default temp DH parameters
ACCEPT
140493718090176:error:1408F09C:SSL routines:ssl3_get_record:http request:../ssl/record/ssl3_record.c:322:
140493718090176:error:1408F09C:SSL routines:ssl3_get_record:http request:../ssl/record/ssl3_record.c:322:
140493718090176:error:1408F09C:SSL routines:ssl3_get_record:http request:../ssl/record/ssl3_record.c:322:
140493718090176:error:1408F09C:SSL routines:ssl3_get_record:http request:../ssl/record/ssl3_record.c:322:
140493718090176:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
140493718090176:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
140493718090176:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
140493718090176:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
140493718090176:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46

web:

https://10.0.0.207:5665/

s_server -key key.pem -cert cert.pem -accept 5665 -www 
Secure Renegotiation IS NOT supported
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256 
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305 
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256 
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256 
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384   
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256 
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256     
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA      
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA    
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA        
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384 
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305 
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384         
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305     
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256 
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256     
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256             
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA  
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA       
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384 
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA    
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384     
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256 
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA   
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256 
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA    
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA                
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA        
---
Ciphers common between both SSL end points:
TLS_AES_128_GCM_SHA256     TLS_AES_256_GCM_SHA384     TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-SHA       ECDHE-RSA-AES256-SHA       AES128-GCM-SHA256         
AES256-GCM-SHA384          AES128-SHA                 AES256-SHA
Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Supported Elliptic Groups: 0xCACA:X25519:P-256:P-384
Shared Elliptic groups: X25519:P-256:P-384
---
No server certificate CA names sent
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 0729D1A5600C310B50ABB524D56ED67DD5D3E691502EFEE59E00F953A563CABA
    Session-ID-ctx: 01000000
    Resumption PSK: F95AD493EE428D5C50FFC054462046B191EC09A43168616E0992B4C11E404F0C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1564555247
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   9 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

jqrung commented Jul 31, 2019

user@master-207:~$ openssl s_client -connect localhost:5665
CONNECTED(00000005)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
   i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1435 bytes and written 391 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5A85F0290859C665D7444C290DA027AD5B776E7ABE3602CCD60E9A2A51E0AAFB
    Session-ID-ctx: 
    Resumption PSK: A8A08BD5ECDA8DC703D12F5E240439698ECAF30256C9CC9F67C9A30EF4DD30BB55A2414B12750C97693D36956516AB7E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 dd 08 f9 e1 54 21 fc-08 66 44 ec 30 e5 dd 2d   9....T!..fD.0..-
    0010 - 7c 26 23 08 e7 89 d1 69-5e d6 a6 15 2c 64 6a d0   |&#....i^...,dj.
    0020 - 41 7d 5a de 3b 46 fa 81-98 c9 dd 1e ad 08 ac 6e   A}Z.;F.........n
    0030 - b4 a2 f7 33 d6 63 11 d2-f7 45 34 41 82 19 8e ef   ...3.c...E4A....
    0040 - 55 5c 0f d8 34 55 ae cf-88 31 af a2 ea 8d 7b 6a   U\..4U...1....{j
    0050 - 13 bb e6 3b 96 99 50 85-6b fd 07 8a c7 c5 8c a3   ...;..P.k.......
    0060 - 7c 99 8e 33 10 13 9d 6f-40 e9 ca 5d c9 7f d2 11   |..3...o@..]....
    0070 - 6d 18 59 c3 75 21 91 4e-ff 14 97 5f c7 de 30 f4   m.Y.u!.N..._..0.
    0080 - 49 37 54 f5 45 7a 65 41-43 c7 ab e0 45 b5 63 51   I7T.EzeAC...E.cQ
    0090 - 7e 87 79 c9 49 ec fa bd-d8 65 d0 57 a4 9e 20 f6   ~.y.I....e.W.. .
    00a0 - bf cf fa 1a 6a d3 81 da-fb 4a a4 94 71 81 97 0d   ....j....J..q...
    00b0 - 43 d8 43 68 15 37 ef f7-5a 73 86 c4 19 8c c0 e4   C.Ch.7..Zs......
    00c0 - ad 6d c6 d4 b7 81 5c d0-30 97 d3 75 37 c9 a2 c9   .m....\.0..u7...

    Start Time: 1564555549
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D4587D67538D3C0CB50BE50B1AFF527A742C850889A617E99AC70D9FFD8A9C7A
    Session-ID-ctx: 
    Resumption PSK: 36AC71677D84505D17E0F198E85FA5E3B1ACB8D344421D2804D28A05B57DAAD3D1BB70D6531F705AE1CA0D7579F1C210
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 dd 08 f9 e1 54 21 fc-08 66 44 ec 30 e5 dd 2d   9....T!..fD.0..-
    0010 - 72 35 ad 6a a4 f7 9c 48-cc 51 eb a8 07 32 7c 29   r5.j...H.Q...2|)
    0020 - e0 3a e9 a5 ad c9 d9 b4-f9 f0 16 d4 f2 c2 d7 a4   .:..............
    0030 - 8b c0 f8 2e d8 97 6d 61-3e 03 a0 f1 d2 f5 9f 3d   ......ma>......=
    0040 - 62 d2 35 83 11 1d ca 99-88 bd de 22 60 89 c4 d6   b.5........"`...
    0050 - 55 b9 2f 6f a0 a1 38 34-d9 e4 a2 83 a8 a3 16 be   U./o..84........
    0060 - 28 52 e8 c6 18 b1 b1 e9-fb 1e 8e 79 2c ff 71 e1   (R.........y,.q.
    0070 - 8a fc 16 a5 eb 65 fb aa-c1 77 32 10 17 3d b2 12   .....e...w2..=..
    0080 - d4 6a 23 01 fb 42 3b ca-be 48 31 ef f4 d5 7e b5   .j#..B;..H1...~.
    0090 - 35 a3 f3 c4 9f 61 db 62-cb 28 46 cd ab 0f b2 8c   5....a.b.(F.....
    00a0 - 21 08 c8 f2 c2 ca 3a c0-dc 71 69 d1 2e a8 1b e7   !.....:..qi.....
    00b0 - f5 41 14 3f 8a 58 43 1f-45 49 5e de 41 3f 18 3d   .A.?.XC.EI^.A?.=
    00c0 - b9 76 ae 42 19 87 51 06-92 50 03 0a 15 37 1e d7   .v.B..Q..P...7..

    Start Time: 1564555549
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

user@node1:~$ openssl s_client -connect 10.0.0.207:5665
CONNECTED(00000005)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
   i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1435 bytes and written 392 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3256D96EBF29133BCAA8E871FB4A61E6C2A735AE935984A6D2A7946D7FE08C75
    Session-ID-ctx: 
    Resumption PSK: 0F9203F7277CC93D8B4E9F21C1FAD8A1BACD0F6C5D14D925B8DB30FF3BEA516AF08D0554FEC252B857F8B19849C2028F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 dd 08 f9 e1 54 21 fc-08 66 44 ec 30 e5 dd 2d   9....T!..fD.0..-
    0010 - e3 9d 7c 62 9c 87 39 d9-5a 7d 51 7d c4 17 e1 bb   ..|b..9.Z}Q}....
    0020 - 81 86 de 9a 3e 23 2e aa-7f b2 f6 ae a4 37 41 c9   ....>#.......7A.
    0030 - 08 28 fe 54 ff 9b 2a 00-4b 44 4a de c4 84 31 48   .(.T..*.KDJ...1H
    0040 - 66 24 c4 b4 6f 86 7f e4-dd a1 0b 72 c0 55 c6 5c   f$..o......r.U.\
    0050 - 0b 78 72 ec 8c 33 bf 8b-df 93 7f 43 e4 ac b8 ee   .xr..3.....C....
    0060 - d2 fa 00 4b 29 ab 5b ec-d8 50 0e a1 ee 0d 0c 2c   ...K).[..P.....,
    0070 - f7 d2 dc 1a 25 5a 7d 56-a9 87 bf 5f 24 c3 ae 2a   ....%Z}V..._$..*
    0080 - de 3c f4 5e 43 05 95 04-47 36 ab 2b 48 9e f2 76   .<.^C...G6.+H..v
    0090 - 75 68 75 c4 61 c0 7e 02-6e 8a d1 83 33 8e d0 4a   uhu.a.~.n...3..J
    00a0 - 6f 30 b3 a9 88 cd 78 0b-07 a7 33 6b af da a5 ee   o0....x...3k....
    00b0 - 32 98 34 3e 03 46 01 f9-4a eb 59 3b 8f 67 79 df   2.4>.F..J.Y;.gy.
    00c0 - 3d eb 9b f2 04 2e 20 5b-b8 69 a5 c9 be 52 bd 09   =..... [.i...R..

    Start Time: 1564555606
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 380DA5D61549CB0EAE2C8789B64F8AC2F163467ADD90F6376D66E1C6690C1631
    Session-ID-ctx: 
    Resumption PSK: EB14C4BC8F1C52D8D3B1FB6D971F098CE0960DC3554E45E0CA3698B5C3581AF49DC8F6C20EB25A5F5E52DBB364F06D83
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 dd 08 f9 e1 54 21 fc-08 66 44 ec 30 e5 dd 2d   9....T!..fD.0..-
    0010 - c2 71 13 7b 8e 3e b2 3a-19 31 b3 f4 45 af 4e 54   .q.{.>.:.1..E.NT
    0020 - f0 d9 7f 4a 34 fe e8 ba-47 56 92 96 cf 0b 7a 3a   ...J4...GV....z:
    0030 - c3 b0 06 17 56 9a a1 7c-13 45 4e e4 47 d1 b4 f7   ....V..|.EN.G...
    0040 - e8 78 55 60 4e c3 1d d9-17 9d 7c de 96 87 b3 59   .xU`N.....|....Y
    0050 - 88 71 ef d3 f4 ab 17 90-ee 5c dd c2 5a 08 83 ce   .q.......\..Z...
    0060 - e1 da 64 48 96 fd 46 46-19 17 fe 25 b3 9a 76 19   ..dH..FF...%..v.
    0070 - e0 d2 2f aa 68 52 38 72-e5 c5 34 a6 f1 f2 8e dd   ../.hR8r..4.....
    0080 - 76 85 15 ec a6 e0 59 43-20 8f 64 3a 37 a2 72 d8   v.....YC .d:7.r.
    0090 - d1 ec 06 ad 80 b8 6d e8-9b 39 a3 d2 2e 0f 8e a4   ......m..9......
    00a0 - 88 61 42 8f aa 96 12 a0-f4 3b 96 0f 53 cd 35 d4   .aB......;..S.5.
    00b0 - e2 e9 01 aa 6e de 95 5b-51 ac b7 dc fc 96 eb 9a   ....n..[Q.......
    00c0 - 20 18 f8 67 8d 99 e4 6d-a4 12 02 7e ba 2c e7 61    ..g...m...~.,.a

    Start Time: 1564555606
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

jqrung commented Jul 31, 2019

user@master-207:~$ sudo systemctl start icinga2

user@master-207:~$ netstat -lntup |grep 5665
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      - 

user@node1:~$ openssl s_client -connect 10.0.0.207:5665
CONNECTED(00000005)
depth=1 CN = Icinga CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = master-207
   i:CN = Icinga CA
 1 s:CN = Icinga CA
   i:CN = Icinga CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = master-207

issuer=CN = Icinga CA

---
Acceptable client certificate CA names
CN = Icinga CA
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3399 bytes and written 422 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3AF8C3332056574FE7C20F58C1FD1F9CDA750698645E5E349808574AD58B4B60
    Session-ID-ctx: 
    Resumption PSK: 70E5DE2A87F7242F220624AE5BD801913DBA2B9BA6ADFCF0728CA85776E28CF2570C9EA5425FB024B62BC1FCAF55FA1F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d4 d7 af 1f cf 0c 06 f5-c6 13 6e dc 27 74 a8 34   ..........n.'t.4
    0010 - 7b 8b 11 3d 7b 86 01 69-4c 9f ba b9 a5 19 de 25   {..={..iL......%
    0020 - 06 1e 92 0f 43 7b 05 7b-f7 03 01 7f 0d e2 c1 d7   ....C{.{........
    0030 - c7 4b 50 a4 30 14 e7 d2-f8 29 10 81 70 9d 74 26   .KP.0....)..p.t&
    0040 - b4 ec 60 19 bb 6b 4a 63-d2 84 f4 aa 43 74 09 46   ..`..kJc....Ct.F
    0050 - 73 35 04 93 ec 9b 0d 4f-a5 2d 3b 7a 60 cc fc 62   s5.....O.-;z`..b
    0060 - d8 05 ff 26 d6 f1 d8 ad-55 cb 80 78 a2 b1 95 9a   ...&....U..x....
    0070 - 24 0b 43 c0 02 89 ae 57-bc 89 17 77 53 a7 06 5f   $.C....W...wS.._
    0080 - 83 52 b5 e0 62 a5 db a0-42 a4 cc 49 7b 65 fe f7   .R..b...B..I{e..
    0090 - a0 0c d0 c8 de 4b c8 96-36 72 6f 72 f3 3a eb 15   .....K..6ror.:..
    00a0 - 11 60 8b d4 02 37 2d 9d-2a 4c 9c 5f 59 d7 49 37   .`...7-.*L._Y.I7
    00b0 - e8 41 38 81 d7 db 76 f9-de 2d 83 ee 32 b1 b0 9a   .A8...v..-..2...
    00c0 - 24 6e 61 ce 97 de c8 dd-b7 65 40 76 b2 da 01 76   $na......e@v...v

    Start Time: 1564555824
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2143A5999D3B55712CB7415AEC448A632201D8D915C69BAA7FCFB5FF30683211
    Session-ID-ctx: 
    Resumption PSK: 0D0172FDFF50C89A3F77010FF3EF006899E957FB12AE38D5D1F670A94AEAB1D913EE3A30D298DD756AE94C623F270DA0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d4 d7 af 1f cf 0c 06 f5-c6 13 6e dc 27 74 a8 34   ..........n.'t.4
    0010 - 53 e9 c1 6d fa ce 6b 20-7e b9 a1 87 d3 b6 0b 57   S..m..k ~......W
    0020 - 14 b6 06 3f a1 2a d9 f8-17 00 95 dd 3b 06 bd 83   ...?.*......;...
    0030 - 1b 23 4a 3c e0 66 74 65-82 7e 79 14 48 9d 41 b1   .#J<.fte.~y.H.A.
    0040 - 04 56 23 f1 50 ac 7f b3-43 b4 26 b8 82 5e 44 be   .V#.P...C.&..^D.
    0050 - 9b 9e 96 82 81 53 40 28-35 60 e1 7c df 22 5a ae   .....S@(5`.|."Z.
    0060 - a8 64 e8 54 82 e4 54 49-3d fa e0 9b 9f 8f 98 9a   .d.T..TI=.......
    0070 - 39 96 6c a8 4b a5 42 70-5d 8f a9 06 50 f5 88 1d   9.l.K.Bp]...P...
    0080 - 98 3a 84 ff 49 b5 f2 2f-79 15 44 a9 e9 c1 af 66   .:..I../y.D....f
    0090 - 41 fb a1 37 23 32 c6 d4-be e3 9b c9 24 a5 60 a4   A..7#2......$.`.
    00a0 - f1 83 9a c3 1e 6d a7 15-36 53 d8 50 bc 3f 9a f9   .....m..6S.P.?..
    00b0 - 94 1c e0 b0 63 62 9c d6-af 01 9f 66 37 eb 8f e5   ....cb.....f7...
    00c0 - 0f 41 57 44 bf 94 45 96-c0 50 6b ad fa 0c 00 6a   .AWD..E..Pk....j

    Start Time: 1564555825
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Al2Klimov commented Jul 31, 2019

apt-get install this version
version: r2.10.5-1

v2.11rc1. how to install

https://icinga.com/2019/07/25/icinga-2-11-release-candidate/

@dnsmichi (Contributor)

To conclude, the TLS handshake works, even with TLS v1.3 in play here. For some reason the master does not send back any data.

This would lead to the assumption that it is highly overloaded or running into locking problems we aim to fix with our network stack rewrite in #7041. Since RC1 was released last week, you may want to install it and try whether you can reproduce the issue.

jqrung commented Aug 1, 2019

Thank you, the v2.11rc1 test is good; certificate problem solved.

@jqrung jqrung closed this as completed Aug 1, 2019
dnsmichi commented Aug 1, 2019

Ok, thanks for the feedback. Watch out for 2.11 at icinga.com/blog then, we're waiting for more test feedback a bit.

@dnsmichi dnsmichi mentioned this issue Aug 1, 2019
@dnsmichi dnsmichi removed the needs feedback We'll only proceed once we hear from you again label Aug 1, 2019
@dnsmichi dnsmichi added this to the 2.11.0 milestone Aug 1, 2019
@dnsmichi dnsmichi added the bug Something isn't working label Aug 1, 2019