[Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

Eric Graham eric.graham at vantagepnt.com
Tue Jun 27 15:17:43 UTC 2023


Stefan,

Make sure that when you change the password, you also change it in Stork and in the HA hook config on each daemon of each server.

I am not aware of documentation from ISC for generating certificates, but here is an article I found that should get you started: https://node-security.com/posts/openssl-creating-a-ca/
You will want to make a CA in this case, and not just self-signed certificates. Make sure that, if you make the certificates for an IP and not a hostname, you add the IP to the SAN field of the certificates. Here's an article from Red Hat about trusting the CA on each host: https://www.redhat.com/sysadmin/ca-certificates-cli. Even if you're not in Red Hat-land, it'll get you started.


Eric Graham
DevOps Specialist
Direct: 605.990.1859
Eric.Graham at vantagepnt.com
________________________________
From: Stefan G. Weichinger <lists at xunil.at>
Sent: Tuesday, June 27, 2023 2:57 AM
To: Eric Graham <eric.graham at vantagepnt.com>; kea-users at lists.isc.org <kea-users at lists.isc.org>
Cc: Darren Ankney <darren.ankney at gmail.com>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost


On 23.06.23 at 17:34, Eric Graham wrote:
> Stefan,
>
> Please be aware that you posted a password in your control agent config.
> I strongly recommend replacing it.
>
> You may prefer to put the socket in /var. Cleaning of /tmp is
> distro-dependent behavior. You'll need to make that change (to the
> socket path) in the control agent and DHCP configs on both servers.
> Stork will pick up the change automatically (without any config
> changes), but the agent may need a restart, as well as all Kea services.

Changed the socket path, we'll see if that improves stability.

Changing the password didn't work yet; I had to roll back. I'll try that
again later.

I have basic-auth in place, but no TLS enabled yet. This might be the
time to add this also, although the 2 machines run in a rather protected
environment. It's just better, and state of the art, to use TLS ...

Any pointers to the Kea docs on how to generate working certs? I assume
they could be rather dummy style ...

thanks, regards, Stefan

