icingaweb2-module-x509

Director sync problems with removed hosts

Open stultitiophobia opened this issue 6 years ago • 5 comments

Describe the bug

When I decommission a host, I delete it from the director, search the x509 tables in the database for the host, and delete the entries. In the GUI the host is gone and all seems fine. When I sync the hosts from the x509 datasource, the host somehow re-appears. It's not in the x509 database, but it seems to be in the icingadirector database, in the imported_property and imported_row tables.

To Reproduce

Re-triggering the sync from the x509 datasource brings back the host.

Expected behavior

The host should not reappear after purge from the database.

Your Environment

latest Ubuntu LTS with latest Icinga and latest modules.


Might there be a SQL query which purges the host so that it does not come back? Might be an error of mine because I'm not the SQL expert...

stultitiophobia, Oct 18 '19 10:10

> latest Ubuntu LTS with latest Icinga and latest modules.

When someone looks into this in 2 months, the versions don't align anymore. Please always add real numbers.

dnsmichi, Oct 18 '19 12:10

You're right:

- Ubuntu 18.04.3 LTS
- Icinga program version r2.11.1-1
- Icinga Web 2 version 2.7.3
- Git commit 06cabfe8ba28cf545a42c92f25484383191a4e51
- PHP version 7.2.19-0ubuntu0.18.04.2
- Git commit date 2019-10-18

stultitiophobia, Oct 19 '19 10:10

@trendchiller Do you remember which tables in this module you've updated in order to remove decommissioned hosts?

lippserd, Feb 27 '20 13:02

Plus, remember that if the host still exists in your network, it will reappear when executing related scan jobs. If the host is removed from your network, the module will automatically set the "last seen certificate chain" to null. So I do think that you either did not remove the host completely from x509_target and/or the host still exists and thus it is collected again when executing scan jobs.

lippserd, Feb 27 '20 13:02

Hi! Sorry for the late reply. I tested it again and the problem persists.

I removed them in x509_certificate, x509_certificate_subject_alt_name, x509_dn, x509_target.

They are gone in the x509 database but reappear in Icinga.

stultitiophobia, Apr 20 '21 07:04

Hi @stultitiophobia, if I do my director syncs and imports properly, then everything works as intended and the deleted host also does not automatically reappear after the director sync. However, just to test, after deleting the host from the director and from the x509 database without re-importing it, I ran the director sync and the host reappeared automatically on the web as you described. So you need to re-import each time you delete something from the database before triggering the sync rule, then this won't happen.

yhabteab, Sep 16 '22 10:09