Description
Hello,
icinga2 does not allow one to specify only an intermediate CA as allowed to verify client certificates.
If you put only the intermediate cert in the file /var/lib/icinga2/certs/ca.crt, the server sends the client the correct list of allowed CAs for client certs, but after the API client sends the correct cert, icinga2 throws the error
information/ApiListener: New client connection for identity '[...]' from [...] (certificate validation failed: code 2: unable to get issuer certificate)
and the connection is aborted (icinga2 does not know the root CA, which is not present in /var/lib/icinga2/certs/ca.crt).
If you put the root CA and the intermediate CA in /var/lib/icinga2/certs/ca.crt, the server sends the client both CAs and the client cert is accepted successfully, but this is too much in a scenario where you want to trust only _one intermediate_ and not other intermediate CAs signed by the same root CA.
Checked in icinga2 (2.10.3-2~bpo9+1) from Debian stretch-backports; see also a similar issue in haproxy:
icinga2 should allow one to specify separate cert files for:
- API client certificate selection (to generate the required CA list for client certs; this should allow one to put only the intermediate CA cert here)
- client certificate verification (this one may contain additional certs, like root + intermediate CAs)
Regards,
Paweł
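The failure described in this report can be reproduced with the plain openssl CLI, independent of icinga2. The script below is an added example, not code from the issue or from the icinga2 project: it builds a throw-away root → intermediate → client chain (the names "Example Root CA", "Example Intermediate CA" and "api-client" are constructed for the demo) and then verifies the client certificate against the trust stores the report discusses. With only the intermediate in the store, OpenSSL cannot walk the chain to a self-signed root and reports "error 2 at 1 depth lookup: unable to get issuer certificate", which is the `code 2` in the ApiListener log line above. With `-partial_chain` (the CLI spelling of `X509_V_FLAG_PARTIAL_CHAIN`) the intermediate is accepted as a trust anchor and the same store verifies the cert. With root and intermediate in the store the cert verifies too, but the last case shows why that is "too much": once the root is trusted, the store does not even need the intermediate, so any other intermediate under that root would also be accepted. In the OpenSSL API the list advertised in the TLS CertificateRequest (`SSL_CTX_set_client_CA_list`) and the verification store (`SSL_CTX_load_verify_locations` / `X509_STORE`) are separate objects, which is exactly the split the report asks for. The script assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not part of icinga2 or of the issue text): reproduce
# "code 2: unable to get issuer certificate" with the openssl CLI and show
# which trust-store setups make a client cert signed by an intermediate verify.
# All names and the generated PKI are constructed for this demo.
set -eu

PKI="${PKI:-$(mktemp -d)}"   # throw-away directory for keys and certs

# Minimal config so `openssl req`/`x509` run even without a system openssl.cnf.
write_pki_config() {
  cat > "$PKI/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Build root -> intermediate -> client. Idempotent: skipped if already built.
build_demo_pki() {
  if [ -f "$PKI/client.crt" ]; then return 0; fi
  write_pki_config
  (
    cd "$PKI"
    # Self-signed root CA
    openssl ecparam -genkey -name prime256v1 -noout -out root.key
    openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 30 \
      -config pki.cnf -extensions v3_ca -out root.crt
    # Intermediate CA signed by the root
    openssl ecparam -genkey -name prime256v1 -noout -out int.key
    openssl req -new -key int.key -subj "/CN=Example Intermediate CA" \
      -config pki.cnf -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions v3_ca -out int.crt
    # API client certificate signed by the intermediate
    openssl ecparam -genkey -name prime256v1 -noout -out client.key
    openssl req -new -key client.key -subj "/CN=api-client" \
      -config pki.cnf -out client.csr
    openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions v3_client -out client.crt
    # The "root + intermediate" bundle from the report
    cat root.crt int.crt > root_and_int.crt
  )
}

# Run `openssl verify` with the given store options and return its combined
# output. The exit status is ignored on purpose: old OpenSSL releases exited 0
# even on failure, so the verdict is taken from the text instead.
verify_client() {
  openssl verify "$@" "$PKI/client.crt" 2>&1 || true
}

# 1. Store = intermediate only (the ca.crt layout from the report): the chain
#    stops at depth 1 with no issuer for the intermediate -> error 2.
verify_intermediate_only() { verify_client -CAfile "$PKI/int.crt"; }

# 2. Same store, but the intermediate may act as trust anchor
#    (-partial_chain == X509_V_FLAG_PARTIAL_CHAIN in the C API).
verify_intermediate_partial_chain() {
  verify_client -partial_chain -CAfile "$PKI/int.crt"
}

# 3. Store = root + intermediate: verifies, as the report observed.
verify_root_and_intermediate() { verify_client -CAfile "$PKI/root_and_int.crt"; }

# 4. Store = root only, intermediate supplied untrusted (as a TLS client would
#    send it in its Certificate message): also verifies, which is why trusting
#    the root implicitly trusts every intermediate the root ever signed.
verify_root_only_untrusted_intermediate() {
  verify_client -untrusted "$PKI/int.crt" -CAfile "$PKI/root.crt"
}

# Reduce openssl's output to a one-word verdict.
verdict() {
  case "$1" in
    *": OK"*)                      echo OK ;;
    *"error 2 at 1 depth lookup"*) echo UNABLE_TO_GET_ISSUER ;;
    *)                             echo OTHER ;;
  esac
}

run_demo() {
  build_demo_pki
  printf '%-36s %s\n' "intermediate only:"         "$(verdict "$(verify_intermediate_only)")"
  printf '%-36s %s\n' "intermediate + -partial_chain:" "$(verdict "$(verify_intermediate_partial_chain)")"
  printf '%-36s %s\n' "root + intermediate:"       "$(verdict "$(verify_root_and_intermediate)")"
  printf '%-36s %s\n' "root only, intermediate untrusted:" "$(verdict "$(verify_root_only_untrusted_intermediate)")"
}

run_demo
```

Case 1 is the ApiListener failure; cases 2 and 4 are the two ways out, and they differ in scope: a partial-chain anchor on the intermediate trusts exactly that one intermediate, while trusting the root trusts everything beneath it. A server that wants to advertise only the intermediate in its CertificateRequest and still verify chains to the root needs the two separate files the report proposes.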