Debian 10 Upgrade to IcingaWeb 2.11.2-1.buster from Debian 9 and Icinga 2.11.2-1.stretch

Upgrading Debian 9 (Stretch) to Debian 10 (Buster) did not provide a smooth Icinga upgrade in my experience. Maybe the process would have gone more smoothly if I had updated my Icinga apt repo source file from stretch to buster before my OS upgrade from Debian 9 to Debian 10 instead of after?

Debian removed the “icinga2-ido-mysql” package during the upgrade from 9 to 10 because the package relied on an old MariaDB library but kept all of my other icinga2 and icingaweb2 packages.

When I tried to reinstall the “icinga2-ido-mysql” package after a successful upgrade (and reboot) to Debian 10, apt refused due to the MariaDB lib dependency I mentioned.

Here are notes from my upgrade. Hopefully this will save you time if you are attempting to perform the same upgrade. Good luck!

Upgrade Icinga Packages from Stretch to Buster

I upgraded my apt source for icinga per Icinga Debian repo’s online documentation.

echo "deb http://packages.icinga.com/debian icinga-buster main" > /etc/apt/sources.list.d/icinga.list

I then tried to install the Icinga MySQL package again.

apt install icinga2-ido-mysql

But APT refused with the following message:

The following packages have unmet dependencies:
icinga2-ido-mysql : Depends: icinga2-bin (= 2.11.2-1.buster) but 2.11.2-1.stretch is to be installed
Depends: icinga2-common (= 2.11.2-1.buster) but 2.11.2-1.stretch is to be installed

I was able to bypass this message with the following APT install command that forces APT to use a specific version.

apt install icinga2=2.11.2-1.buster icinga2-bin=2.11.2-1.buster icinga2-common=2.11.2-1.buster icinga2-doc=2.11.2-1.buster icinga2-ido-mysql

APT asked me to confirm that I really wanted to “downgrade” to this version and then installed the packages perfectly.

Resolve Icinga “Check Now” Curl Error Message

Afterwards, Icinga was up and running again but I could no longer force an immediate active check of a host or service. When I clicked “Check Now”, I received an error message related to Curl.

Long story short, I learned Apache was still using PHP 7.0 even though Debian 10 ships with PHP 7.3. I may have been able to install the missing PHP 7.0 Curl package, but instead purged PHP 7.0, configured Apache to use PHP 7.3, and installed php-curl for PHP 7.3 to resolve the issue.

apt remove --purge 'php7.0*'
apt install php-curl
a2enmod php7.3
/etc/init.d/apache2 restart

The Icinga dashboard was acting a little strange afterwards. The main dashboard wasn’t showing any status detail under the headers, but I could see Host and Service detail if I drilled down to the appropriate pages in the left-hand menu. Icinga might have just needed time to rebuild something on the server side, or perhaps clearing my browser cache and logging back in resolved that issue? Either way, the issue did clear up.

Resolving Icinga “CRITICAL – Cannot make SSL connection” Error Message

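The default OpenSSL settings in Debian 10 only allow connections that use TLS 1.2 or higher. If you are monitoring HTTPS services that do not yet support TLS 1.2, you can temporarily modify your OpenSSL configuration so that your Debian OS will allow you to connect to your older TLS 1.0 and TLS 1.1 servers. The change is made in the system-wide OpenSSL configuration file, so the lower minimum applies to every program on the host that uses that configuration, not only to the Icinga checks.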

Icinga Service Check will fail with the following error:

CRITICAL - Cannot make SSL connection.
22583092848448:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Edit your OpenSSL configuration file:

vi /etc/ssl/openssl.cnf

… and replace these TLS settings that require TLS 1.2 and higher:

MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

… with these TLS settings that allow TLS 1.0 and higher:

MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

Your Icinga service check should clear up immediately. No need to restart the web service.
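
Because the change above is meant to be temporary, a check like the following can flag a host whose openssl.cnf still carries the relaxed values. This is an added example, not part of the original post; the function name check_openssl_cnf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag an openssl.cnf that still
# carries the relaxed TLS settings described above.
# check_openssl_cnf is a hypothetical helper name.

# check_openssl_cnf FILE -> prints "strict" or "relaxed: <what was found>"
check_openssl_cnf() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        /^[ \t]*MinProtocol[ \t]*=/  { minproto = value($0) }
        /^[ \t]*CipherString[ \t]*=/ { cipher = value($0) }
        function value(s) {                         # text after the first "="
            sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s
        }
        END {
            # Protocol names below TLSv1.2 (TLSv1.0 is the spelling used in the post)
            if (minproto ~ /^(SSLv3|TLSv1|TLSv1\.0|TLSv1\.1)$/)
                out = out " MinProtocol=" minproto
            # Security level below the Debian 10 default of 2
            if (match(cipher, /@SECLEVEL=[0-9]+/)) {
                level = substr(cipher, RSTART + 10, RLENGTH - 10) + 0
                if (level < 2) out = out " SECLEVEL=" level
            }
            print (out == "" ? "strict" : "relaxed:" out)
        }
    ' "$1"
}

# Constructed sample files: the relaxed settings from the post and the
# Debian 10 defaults it replaces.
tmp=$(mktemp -d)
printf 'MinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=1\n' > "$tmp/relaxed.cnf"
printf 'MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n' > "$tmp/strict.cnf"
for f in "$tmp"/*.cnf; do
    echo "$(basename "$f"): $(check_openssl_cnf "$f")"
done
rm -rf "$tmp"
```

On a real host, run check_openssl_cnf /etc/ssl/openssl.cnf once the older servers have been upgraded, and restore the original two lines if it reports relaxed settings.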

Thanks for Visiting!

Hopefully this helps you get back up and running right away. If this helps you complete your Icinga upgrade from Debian 9 to Debian 10, can you please post a short thanks/reply below so I know this helped someone out? 🙂 Let me know if you have any details to add.
