Skip to content

Icinga2 API Connection Error — Quick Fix

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about Icinga2 API Connection Error. We cover key concepts, practical examples, and best practices.

The Problem

Connecting to the Icinga2 API fails. The API client cannot authenticate, the TLS handshake fails, or the API listener is not running. Both the web interface and CLI tools may report connection errors.

Error example:

Could not connect to Icinga API at https://192.168.1.50:5665/
Connection refused
TLS handshake failed: certificate verify failed
HTTP 401: Authentication failed

The Fix

Step 1: Check the API listener status

WRONG — assuming the API listener is always running:

# The API listener must be enabled in Icinga2 configuration

RIGHT — verify the API listener is running:

netstat -tlnp | grep 5665

Output:

tcp6  0  0  :::5665  :::*  LISTEN  12345/icinga2

If not listening, check that the api feature is enabled:

icinga2 feature enable api
systemctl restart icinga2

Step 2: Fix API user authentication

WRONG — using the wrong API username or password:

# API credentials are configured in the API users configuration

RIGHT — verify and test API credentials:

# List API users
cat /etc/icinga2/conf.d/api-users.conf

Output:

object ApiUser "admin" {
  password = "mypassword"
  permissions = [ "*" ]
}

Test the credentials:

curl -k -s -u admin:mypassword https://localhost:5665/v1/status

If authentication fails, check for password typos or special character escaping issues.

Use DodaTech's Icinga2 API Explorer to test API endpoints, verify authentication, and diagnose connection issues interactively.

Prevention Tips

  • Use strong, randomly generated API passwords
  • Enable TLS with valid certificates rather than self-signed
  • Restrict API access by IP in the firewall configuration
  • Monitor the API listener with a service check
  • Use DodaTech's Icinga2 Security Scanner to audit API configurations

Common Mistakes with api connect

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world ICINGA2 code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### What port does the Icinga2 API use?

The Icinga2 API listens on TCP port 5665 by default. This is different from the older Icinga 1.x port (5668). Ensure your firewall allows traffic on port 5665 between API clients and the Icinga2 server.

How do I generate a self-signed certificate for the Icinga2 API?

Use the built-in icinga2 CLI: icinga2 pki new-cert --cn icinga2-server.example.com && icinga2 pki save-cert --key icinga2-server.key --cert icinga2-server.crt. For production, use a CA-signed certificate to avoid certificate validation warnings.

Why does the API return "404 Not Found" for valid endpoints?

A 404 response usually means the API endpoint URL is incorrect. Check that you are using the full path (e.g., /v1/objects/hosts) and that the Icinga2 version supports the endpoint. Use curl with the -v flag to see the exact request and response headers.

Related: DodaTech's Icinga2 Web Terminal provides a browser-based API client for executing commands, querying objects, and managing the monitoring configuration.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro