[Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

Eric Graham eric.graham at vantagepnt.com
Thu Jun 29 13:34:18 UTC 2023


Stefan,

I think so, but I'm not sure if it's best practice to share that certificate with Kea since you'd need to open up permissions a little and allow Kea to read the private key. If you have no qualms with that note, then it's probably worth an attempt, at least. Since Kea shouldn't be running as root, you may need to change group ownership of the certs or use fACLs.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
Eric.Graham at vantagepnt.com
________________________________
From: Kea-users <kea-users-bounces at lists.isc.org> on behalf of Stefan G. Weichinger <lists at xunil.at>
Sent: Thursday, June 29, 2023 3:02 AM
To: kea-users at lists.isc.org <kea-users at lists.isc.org>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

On 28.06.23 at 09:28, Stefan G. Weichinger wrote:
> On 27.06.23 at 17:17, Eric Graham wrote:
>> Stefan,
>>
>> Make sure that when you change the password, you also change it in
>> Stork and in the HA hook config on each daemon of each server.
>>
>> I am not aware of documentation from ISC for generating certificates,
>
> this:
>
> https://github.com/isc-projects/kea/blob/master/src/lib/asiolink/testutils/ca/doc.txt
>
> ?

The two Kea servers are also Samba AD DCs, so they have their own
AD-related TLS-certs here:

# ls -l /var/lib/samba/private/tls
insgesamt 12
-rw-r--r-- 1 root root 2074 30. Nov 2022  ca.pem
-rw-r--r-- 1 root root 2078 30. Nov 2022  cert.pem
-rw------- 1 root root 3243 30. Nov 2022  key.pem

May I "simply" use these for kea as well? I assume so ...
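
Added example (not part of the original thread and not ISC or Samba code): granting a non-root service read access to key.pem through group ownership only works if that group can also search every parent directory, and the key should stay closed to "other". The sketch below audits the classic mode bits along the path; it assumes GNU stat, does not evaluate POSIX ACLs, and the group name `kea` in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audits classic mode bits only (GNU stat assumed).
# POSIX ACL entries (setfacl) are not evaluated.

# class_bits PATH GROUP: print the rwx bits (0-7) that apply to a non-owner
# member of GROUP: the group triplet if PATH belongs to GROUP, else "other".
class_bits() {
    cb_mode=$(stat -c '%a' "$1") || return 2
    cb_grp=$(stat -c '%G' "$1") || return 2
    cb_mode=$((0$cb_mode))            # stat prints the mode in octal
    if [ "$cb_grp" = "$2" ]; then
        echo $(( (cb_mode >> 3) & 7 ))
    else
        echo $(( cb_mode & 7 ))
    fi
}

# world_exposed PATH: succeed only if some "other" permission bit is set.
world_exposed() {
    we_mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$we_mode & 7 )) -ne 0 ]
}

# group_can_read KEY GROUP [TOP]: walk from KEY up to TOP (default /) and
# print "readable" or the first component that blocks GROUP.
# KEY must be an absolute path.
group_can_read() {
    gr_top=${3:-/}
    gr_bits=$(class_bits "$1" "$2") || return 2
    if [ $((gr_bits & 4)) -eq 0 ]; then
        echo "blocked: $1 (no read bit)"; return 1
    fi
    gr_dir=$(dirname "$1")
    while :; do
        gr_bits=$(class_bits "$gr_dir" "$2") || return 2
        if [ $((gr_bits & 1)) -eq 0 ]; then
            echo "blocked: $gr_dir (no search bit)"; return 1
        fi
        if [ "$gr_dir" = "$gr_top" ] || [ "$gr_dir" = "/" ] || [ "$gr_dir" = "." ]; then
            break
        fi
        gr_dir=$(dirname "$gr_dir")
    done
    echo "readable"
}

# Usage (group name "kea" is an assumption; use the account Kea runs as):
#   group_can_read /var/lib/samba/private/tls/key.pem kea
#   world_exposed  /var/lib/samba/private/tls/key.pem && echo "key is world-accessible"
```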