[Kea-users] Kea-DHCP HA

Kraishak Mahtha kraishak.edu at gmail.com
Tue Apr 4 09:21:08 UTC 2023


Hi Kevin,

Thanks for the response.
'not specified' means 'not specified'; it doesn't mean 'specified but the
file is empty'
-->I didn't empty the file; as I said, I emptied the field values, not the
file content, like
                    "trust-anchor": "",
                    "cert-file": "",
                    "key-file": "",

The three parameters must be either all not specified (HTTPS disabled) or
all specified (HTTPS enabled). Specification of the empty string is
considered not specified; this can be used, for instance, to disable HTTPS
for a particular peer when it is enabled at the global level.
--> The above line from the Kea admin link says that specifying an empty
string will disable HTTPS, so I thought of testing such a case by giving
empty strings for the fields.

Thanks
Kraishak

On Mon, Apr 3, 2023 at 3:33 PM Kevin P. Fleming <
lists.kea-users at kevin.km6g.us> wrote:

> On Mon, Apr 3, 2023, at 03:12, Kraishak Mahtha wrote:
>
> Hi,
>
> While I am checking for the failover section in the kea guide under the
> section
>
>
> https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html?highlight=trust-anchor#https-support
> it says
>
> The three parameters must be either all not specified (HTTPS disabled) or
> all specified (HTTPS enabled)
> --> I tried the case with empty files
> Tried empty values for the fields trust-anchor, cert-file, key-file in
> kea-dhcpd.conf in both primary and secondary, but it didn't work. Later
> I also emptied the fields in kea-ctrl-agent.conf, but it still didn't work.
> I tried setting the param values require-client-certs and cert-required to
> false, but it still didn't work.
> Again, when I replaced it with a certificate file it worked, so I doubt if
> the certificates are mandatory for kea-HA(2.2.0) in the latest version.
>
>
> 'not specified' means 'not specified'; it doesn't mean 'specified but the
> file is empty'. That isn't a valid configuration. Certificates are
> mandatory for TLS support, and are not used at all if TLS support is not
> enabled.
>
>
> And also do we need to run the kea-control agent on both the primary and
> failover servers?
>
>
> If the control agent is being used for HA support, it has to be running on
> every server in the HA group (primary, secondary, and backup).
>
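
The all-or-none rule quoted in this thread can be checked before a config is deployed. The following is an added example, not code from the original posts or from Kea: a small Python linter that reports, per HA peer, whether the three TLS parameters resolve to HTTPS, plain HTTP, or an invalid partial set. It assumes a peer-level key, when present (even as an empty string), overrides the global value; the sample parameters, addresses and file paths are constructed.

```python
import json

TLS_KEYS = ("trust-anchor", "cert-file", "key-file")

# Constructed sample: HA hook parameters with TLS set globally, one peer
# opting out with empty strings, and one peer overriding only one key.
SAMPLE = json.loads("""
{"high-availability": [{
  "this-server-name": "server1",
  "mode": "hot-standby",
  "trust-anchor": "/etc/kea/ca.pem",
  "cert-file": "/etc/kea/server1.pem",
  "key-file": "/etc/kea/server1.key",
  "peers": [
    {"name": "server1", "url": "https://192.0.2.1:8000/", "role": "primary"},
    {"name": "server2", "url": "http://192.0.2.2:8000/", "role": "standby",
     "trust-anchor": "", "cert-file": "", "key-file": ""},
    {"name": "server3", "url": "https://192.0.2.3:8000/", "role": "backup",
     "key-file": ""}
  ]}]}
""")

def effective_tls(ha, peer):
    """Assumed inheritance: a key present on the peer (even "") wins over global."""
    return {k: peer.get(k, ha.get(k, "")) for k in TLS_KEYS}

def check_ha_tls(params):
    """Return {peer name: 'https' | 'plain' | 'invalid: ...'} for each HA peer."""
    report = {}
    for ha in params.get("high-availability", []):
        for peer in ha.get("peers", []):
            eff = effective_tls(ha, peer)
            # An empty string counts as "not specified", per the quoted ARM text.
            missing = [k for k in TLS_KEYS if not eff[k]]
            if not missing:
                report[peer["name"]] = "https"
            elif len(missing) == len(TLS_KEYS):
                report[peer["name"]] = "plain"
            else:
                report[peer["name"]] = "invalid: missing " + ", ".join(missing)
    return report

if __name__ == "__main__":
    for name, state in check_ha_tls(SAMPLE).items():
        print(f"{name}: {state}")
```

A peer reported as `plain` exchanges HA traffic without TLS, so it is worth confirming that each such result is intentional.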