Merge pull request #495 from Icinga:feature/check_icinga_agent_certificate_sign_status

LordHepipud · web-flow · commit 3c053ecd7ea4 · 2022-03-17T11:40:03.000+01:00
Feature: Check Icinga Agent certificate sign status

Adds feature to check the sign status for the local Icinga Agent certificate and notifying the user, in case the certificate is not yet signed by the Icinga CA.
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -22,6 +22,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ### Enhancements
 
 * [#469](https://github.com/Icinga/icinga-powershell-framework/pull/469) Improves plugin doc generator to allow multi-lines in code examples and updates plugin overview as table, adding a short description on what the plugin is for
+* [#495](https://github.com/Icinga/icinga-powershell-framework/pull/495) Adds feature to check the sign status for the local Icinga Agent certificate and notifying the user, in case the certificate is not yet signed by the Icinga CA
 
 ## 1.8.0 (2022-02-08)
 
diff --git a/doc/300-Knowledge-Base.md b/doc/300-Knowledge-Base.md
@@ -20,3 +20,4 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent
 | [IWKB000010](knowledgebase/IWKB000010.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
 | [IWKB000011](knowledgebase/IWKB000011.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
 | [IWKB000012](knowledgebase/IWKB000012.md) | Icinga for Windows cannot be used with Microsoft Defender: `Windows Defender Antivirus has detected malware or other potentially unwanted software` |
+| [IWKB000013](knowledgebase/IWKB000013.md) | The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required |
diff --git a/doc/images/04_knowledgebase/IWKB000013/01_Cert_Not_Signed.png b/doc/images/04_knowledgebase/IWKB000013/01_Cert_Not_Signed.png
diff --git a/doc/knowledgebase/IWKB000013.md b/doc/knowledgebase/IWKB000013.md
@@ -0,0 +1,17 @@
+# Icinga Knowledge Base - IWKB000013
+
+## Short Message
+
+The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required
+
+## Example Exception
+
+![EventLog Defender](../images/04_knowledgebase/IWKB000013/01_Cert_Not_Signed.png)
+
+## Reason
+
+This warning will occur, whenever Icinga for Windows is fetching the Icinga Agents local certificate, for compiling the `IcingaForWindows.pfx` certificate or by accessing the certificate for dynamically creating the REST-Api TLS certificate.
+
+## Solution
+
+To resolve this issue, you will have to make sure the certificate is signed by the `Icinga CA` by either manually signing the certificate on the `CA master` with `icinga2 ca sign <Fingerprint>` or by using a ticket during the setup process for signing the certificate right away.
diff --git a/lib/core/icingaagent/getters/Get-IcingaAgentHostCertificate.psm1 b/lib/core/icingaagent/getters/Get-IcingaAgentHostCertificate.psm1
@@ -27,6 +27,16 @@ function Get-IcingaAgentHostCertificate()
 
     $Certificate = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath;
 
+    if ($null -ne $Certificate) {
+        if ($Certificate.Issuer.ToLower() -eq ([string]::Format('cn={0}', $Hostname).ToLower())) {
+            Write-IcingaConsoleWarning `
+                -Message 'The Icinga Agent certificate "{0}" seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work. Please check the state of the certificate and complete the signing process if required. [IWKB000013]' `
+                -Objects $CertPath;
+
+            Write-IcingaEventMessage -EventId 1506 -Namespace 'Framework' -Objects $CertPath;
+        }
+    }
+
     return @{
         'CertFile'   = $CertPath;
         'Subject'    = $Certificate.Subject;
diff --git a/lib/core/logging/Icinga_EventLog_Enums.psm1 b/lib/core/logging/Icinga_EventLog_Enums.psm1
@@ -101,9 +101,15 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
             1505 = @{
                 'EntryType' = 'Warning';
                 'Message'   = 'Icinga for Windows JEA context not available';
-                'Details'   = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happenend due to a crash or a user action, like restarting the WinRM service.';
+                'Details'   = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happened due to a crash or a user action, like restarting the WinRM service.';
                 'EventId'   = 1505;
             };
+            1506 = @{
+                'EntryType' = 'Error';
+                'Message'   = 'Icinga Agent certificate not signed by Icinga CA';
+                'Details'   = 'The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required [IWKB000013]';
+                'EventId'   = 1506;
+            };
             1550 = @{
                 'EntryType' = 'Error';
                 'Message'   = 'Unsupported web authentication used';
@@ -113,7 +119,7 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
             1551 = @{
                 'EntryType' = 'Warning';
                 'Message'   = 'Invalid authentication credentials provided';
-                'Details'   = 'A web request for a client was rejected because of invalid formated base64 encoded credentials.';
+                'Details'   = 'A web request for a client was rejected because of invalid formatted base64 encoded credentials.';
                 'EventId'   = 1551;
             };
             1552 = @{
