[Kea-users] HA with TLS problems
CS
cs.temp.mail at gmail.com
Fri Dec 15 07:53:54 UTC 2023
Hi all,
I have been combing through the docs and the larger internet for help but
I'm stuck. I am trying to add certs to my two HA Kea servers, but adding the
stanza just causes the daemon to fail to start with little explanation save
for "the hook failed". I feel pretty confident that my certs are good, as I
have tested them with the little openssl CLI web server, and I don't have the
foggiest clue what else could be wrong. (I do note that by best practice I
should have a keypair for each ca and each dhcp4, but I don't think that is
causing the problem.)
The control agent is running fine on both servers, for example:
INFO CTRL_AGENT_HTTPS_SERVICE_STARTED HTTPS service bound to address
xxx.xxx.xxx.xx2:8000
INFO DCTL_CONFIG_COMPLETE server has completed configuration: listening on
xxx.xxx.xxx.xx2, port 8000, trust anchor CA.pem, cert file ca2_cert.pem,
key file ca2_key.pem, client certs are required, control sockets: d2 dhcp4
dhcp6, requires basic HTTP authentication, 0 lib(s):
INFO CTRL_AGENT_STARTED Kea Control Agent version 2.2.0 started
But here are the relevant parameters:
"Control-agent": {
    "http-host": "xxx.xxx.xxx.xx2",
    "trust-anchor": "CA.pem",
    "cert-file": "ca2_cert.pem",
    "key-file": "ca2_key.pem",
    "cert-required": true,
    "http-port": 8000,
    "authentication": {
        "type": "basic",
        "realm": "kea-control-agent",
        "clients": [{
            "user": "baduser",
            "password": "badpassword"
        }]
    },
The DHCP4 daemon however refuses to start when the 3 TLS parameters are
added, and I cannot get any more useful logging than what systemctl reports:
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 ERROR
[kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LOAD_ERROR 'load' function
in hook library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so returned
error 1
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO
[kea-dhcp4.ha-hooks/1124568.140238120309056] HA_DEINIT_OK unloading High
Availability hooks library successful
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO
[kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LIBRARY_CLOSED hooks
library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so successfully
closed
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO
[kea-dhcp4.lease-cmds-hooks/1124568.140238120309056] LEASE_CMDS_DEINIT_OK
unloading Lease Commands hooks library successful
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO
[kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LIBRARY_CLOSED hooks
library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so
successfully closed
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714
ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_PARSER_COMMIT_FAIL
parser failed to commit changes: One or more hook libraries failed to load
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714
ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_CONFIG_LOAD_FAIL
configuration error using file: /etc/kea/kea-dhcp4.conf, reason: One or
more hook libraries failed to load
Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714
ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_INIT_FAIL failed to
initialize Kea server: configuration error using file
'/etc/kea/kea-dhcp4.conf': One or more hook libraries >
Dec 15 02:41:01 server2 systemd[1]: isc-kea-dhcp4-server.service: Main
process exited, code=exited, status=1/FAILURE
Dec 15 02:41:01 server2 systemd[1]: isc-kea-dhcp4-server.service: Failed
with result 'exit-code'.
The relevant parameters from the dhcp4 config:
"hooks-libraries": [{
    "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so",
    "parameters": {}
}, {
    "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
    "parameters": {
        "high-availability": [{
            "this-server-name": "server1.org.org",
            "mode": "load-balancing",
            "heartbeat-delay": 10000,
            "max-response-delay": 60000,
            "max-ack-delay": 5000,
            "max-unacked-clients": 0,
            "trust-anchor": "CA.pem",
            "require-client-certs": true,
            "peers": [{
                "name": "server1.org.org",
                "url": "http://xxx.xxx.xxx.xx1:8000/",
                "cert-file": "ca1_cert.pem",
                "key-file": "ca1_key.pem",
                "role": "primary",
                "auto-failover": true,
                "basic-auth-user": "baduser",
                "basic-auth-password": "badpassword"
            }, {
                "name": "server2.org.org",
                "url": "http://xxx.xxx.xxx.xx2:8000/",
                "cert-file": "ca2_cert.pem",
                "key-file": "ca2_key.pem",
                "role": "secondary",
                "auto-failover": true,
                "basic-auth-user": "baduser",
                "basic-auth-password": "badpassword"
            }]
        }]
    }
}]
I feel like I must be missing something simple, but I just can't suss it
out. Any guidance, leads or help to be found here?
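As an added check, not part of the post above nor of Kea itself: a small linter that reads a kea-dhcp4.conf and flags HA hook TLS settings that are inconsistent with each other before the daemon is restarted (a peer url that is not https while a trust-anchor is set, a cert-file without its key-file, require-client-certs without a cert, a this-server-name matching no peer). It assumes, as I read the Kea HA documentation, that peer URLs must use the https scheme once TLS is configured; the embedded config is a constructed, abbreviated copy of the stanza in the post with RFC 5737 addresses in place of the masked ones.

```python
import json
from urllib.parse import urlparse

# Constructed sample: an abbreviated copy of the HA stanza from the post,
# with RFC 5737 documentation addresses standing in for the masked IPs.
SAMPLE_CONF = json.dumps({"Dhcp4": {"hooks-libraries": [
    {"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so",
     "parameters": {}},
    {"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
     "parameters": {"high-availability": [{
         "this-server-name": "server1.org.org",
         "mode": "load-balancing",
         "trust-anchor": "CA.pem",
         "require-client-certs": True,
         "peers": [
             {"name": "server1.org.org", "url": "http://192.0.2.1:8000/",
              "cert-file": "ca1_cert.pem", "key-file": "ca1_key.pem",
              "role": "primary"},
             {"name": "server2.org.org", "url": "http://192.0.2.2:8000/",
              "cert-file": "ca2_cert.pem", "role": "secondary"}]}]}}]}})


def ha_tls_findings(conf_text):
    """Return a list of findings (strings) about the HA hook's TLS settings;
    an empty list means nothing was flagged (assumed rules, see lead-in)."""
    conf = json.loads(conf_text)
    findings = []
    for lib in conf.get("Dhcp4", {}).get("hooks-libraries", []):
        if not lib.get("library", "").endswith("libdhcp_ha.so"):
            continue  # only the HA hook carries the settings inspected here
        for rel in lib.get("parameters", {}).get("high-availability", []):
            tls_on = "trust-anchor" in rel  # trust anchor switches TLS on
            names = [p.get("name") for p in rel.get("peers", [])]
            if rel.get("this-server-name") not in names:
                findings.append("this-server-name does not match any peer name")
            for peer in rel.get("peers", []):
                name = peer.get("name", "?")
                scheme = urlparse(peer.get("url", "")).scheme
                if tls_on and scheme != "https":
                    findings.append(f"{name}: trust-anchor set but url scheme is "
                                    f"'{scheme}', expected https")
                has_cert, has_key = "cert-file" in peer, "key-file" in peer
                if has_cert != has_key:
                    findings.append(f"{name}: cert-file and key-file must be set together")
                if rel.get("require-client-certs") and not has_cert:
                    findings.append(f"{name}: require-client-certs is true but no cert-file")
    return findings
```

Running it against the sample reports the two http URLs and the peer whose key-file is missing; a config with https URLs and complete cert/key pairs produces no findings.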