[Kea-users] Testing the kea-failover peer with multi threading and TLS support

Kraishak Mahtha kraishak.edu at gmail.com
Wed Jun 28 11:44:18 UTC 2023


Hi Darren,

I am deploying in my lab currently, but when we get more familiar we will
proceed with production. Yes, I tried even with 2.3.8 and I am facing an
issue. I thought it could be because of my certificates, and when I was
reading more on this I saw a note in the reference document that
"A sample set of certificates and associated objects is available at
src/lib/asiolink/testutils/ca".
I have downloaded the source from Git and, from the folder
kea-master\kea-master\src\lib\asiolink\testutils\ca, I used the following
certificates as follows:
  "trust-anchor": "/root/kea-server.crt"
  "cert-file": "/root/kea-server.csr"
  "key-file": "/root/kea-server.key"

But with this, I am getting the following error:
11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080]
HOOKS_STD_CALLOUT_REGISTERED hooks library
/opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard callout for
hook leases4_committed at address 0x7fc05b249e70
2023-06-28 11:33:40.413 ERROR [kea-dhcp4.ha-hooks/13148.140464316582080]
HA_CONFIGURATION_FAILED failed to configure High Availability hooks
library: bad TLS config for server dhcp1: load of cert file
'/root/kea-server.csr' failed: no start line


Thanks

On Wed, Jun 28, 2023 at 3:47 PM Darren Ankney <darren.ankney at gmail.com>
wrote:

> Hi Kraishak,
>
> When are you deploying?  You may want to test with 2.3.8 as the
> release of the next stable (2.4.0) is coming soon.  As for certificate
> use, I am not an expert in that area, but I believe that the .pem
> format is most common and correct.
>
> Thank you,
>
> Darren Ankney
>
> On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha <kraishak.edu at gmail.com>
> wrote:
> >
> > Hi Darren,
> > Thank you for the suggestion. I forgot to mention, I am using the kea
> > 2.2.0 version the last stable one (Yes as it's the latest version compared
> > to 2.17 ) we don't need kea-control agents and I am using HA+MT I don't
> > have a dependency on kea-control agent on any of the peer-servers
> >
> > I have one more doubt about the certificate type to be used. In the kea
> > 2.2.0 document, the document says "Objects in files must be in the PEM
> > format" under section 23.1.2 TLS/HTTPS Configuration.
> > And also I checked the example configs in the reference documents, and most
> > of them show .pem files for all three attributes
> >   "trust-anchor": /usr/lib/kea/CA.pem,
> >   "cert-file": /usr/lib/kea/server1_cert.pem,
> >   "key-file": /usr/lib/kea/server1_key.pem
> >
> > 1) So my doubt is: should all three certificates be in .pem format?
> >
> > Asking this because while I was reading about the certificate content, at
> > one of the places it says "The sample set of the certificates are available
> > at src/lib/asiolink/testutils/ca" kea source folder, and when I look there I
> > don't see .pem files
> > I just want to test with those sample certificates to rule out whether
> > the issue is either with the environment setup or with my certificates.
> >
> > Thanks
> >
> > On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney <darren.ankney at gmail.com>
> wrote:
> >>
> >> Hi Kraishak,
> >>
> >> In the latest 2.3.8 ARM, the full quote is:
> >>
> >> "Before Kea 2.1.7 using HTTPS in the HA setup required use of the
> >> Control Agent on all peers."
> >>
> >> followed by:
> >>
> >> "Since Kea 2.1.7 the HTTPS server side is supported:"
> >>
> >> see https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support
> >> for full details.
> >>
> >> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha <kraishak.edu at gmail.com> wrote:
> >> >
> >> > Hi, I am using the kea-failover peer with Multi threading enabled
> >> > HA+MT so hence I am not using the control-agent and using it directly, and
> >> > everything is working fine as expected.
> >> > Here now I am trying to use TLS with certificates configured but it
> >> > does not seem to work as expected, when I was reading more on the
> >> > certificates section I see a line saying "using HTTPS in the HA setup
> >> > required use of the Control Agent on all peers", so just to rule out my
> >> > issue with certificates, do we need to use/configure Control agent on all
> >> > peers for TLS even after enabling multi-threading?
> >> >
> >> > Thanks in Advance
> >> > Kraishak
> >> >
> >> > --
> >> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >> >
> >> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users
> .
> >> >
> >> > Kea-users mailing list
> >> > Kea-users at lists.isc.org
> >> > https://lists.isc.org/mailman/listinfo/kea-users
>
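
The "no start line" message in the log above is an OpenSSL error meaning the file held no PEM block of the type it was asked to load; the label on the BEGIN line decides this, not the file extension. An added example (not part of the original thread and not Kea code): a pre-flight check that reads the BEGIN label of each file named by trust-anchor, cert-file and key-file. The file contents are constructed placeholders, the accepted label patterns are a simplifying assumption, and the check says nothing about whether the trust anchor is the right CA.

```python
import re
import tempfile
from pathlib import Path

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Kea TLS parameter (names as in the thread) -> (accepted PEM label, description).
# Assumption: simplified label patterns; any "<ALG> PRIVATE KEY" counts as a key.
WANTED = {
    "trust-anchor": (r"(X509 )?CERTIFICATE", "certificate"),
    "cert-file": (r"(X509 )?CERTIFICATE", "certificate"),
    "key-file": (r"([A-Z0-9]+ )?PRIVATE KEY", "private key"),
}

def pem_labels(path):
    """Return the labels of all PEM BEGIN lines found in the file."""
    text = Path(path).read_bytes().decode("latin-1")  # tolerate DER/binary input
    return BEGIN_RE.findall(text)

def check_tls_files(config):
    """Map each TLS parameter to None (label fits) or a problem description."""
    report = {}
    for param, (pattern, kind) in WANTED.items():
        labels = pem_labels(config[param])
        if not labels:
            report[param] = "no PEM BEGIN line found (DER or empty file?)"
        elif not any(re.fullmatch(pattern, label) for label in labels):
            report[param] = f"contains {labels[0]}, not a {kind}"
        else:
            report[param] = None
    return report

def demo():
    """Recreate the thread's three settings with constructed placeholder files."""
    body = "Q09OU1RSVUNURUQ=\n"  # constructed filler, not real key material
    kinds = [("kea-server.crt", "CERTIFICATE"),
             ("kea-server.csr", "CERTIFICATE REQUEST"),
             ("kea-server.key", "PRIVATE KEY")]
    with tempfile.TemporaryDirectory() as d:
        for name, label in kinds:
            pem = f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
            Path(d, name).write_text(pem)
        return check_tls_files({"trust-anchor": f"{d}/kea-server.crt",
                                "cert-file": f"{d}/kea-server.csr",
                                "key-file": f"{d}/kea-server.key"})

if __name__ == "__main__":
    print(demo())
```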