[Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

Eric Graham eric.graham at vantagepnt.com
Fri Jun 30 15:53:10 UTC 2023


Stefan,

I've been down this road and the short answer is to not bother trying to use the various options to skip certificate verification. Those settings don't do what you (I) think they do, and it's easier to just make the certs work.

When you generate the certificates under your CA, add the IP address of each server as an IP SAN. For example, given a key, CA, and CSR, this is how I make a certificate:

HOSTNAME='1.2.3.4'
openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")

In my case, I only care to make the certificate work for IP address, so you'll need to adjust the various options (obviously). When you're done, use the -print option to openssl on ${HOSTNAME}.crt to double check that the SAN is added.

Then, double-double check that the CA is imported on both Kea servers, the Stork server, and since you mentioned Docker - also inside any containerized version of the aforementioned.

Again, I don't change any of the verification settings, nor any of the certificates except the ones that I created for Kea to use. Hope this helps.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
Eric.Graham at vantagepnt.com<mailto:eric.graham at vantagepnt.com>
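To make the two failure modes in this thread concrete, here is an added Go example (Stork's own language, but not code from the thread, Kea or Stork): it builds a lab CA, signs a control-agent certificate with the IP SAN described above, and then runs the same checks an HTTPS client runs. The address 10.0.0.231 comes from the log below; the CA and host names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// newCert signs one certificate: a nil parent means a self-signed CA; ips become the IP SAN entries.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, ips ...net.IP) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, // constructed lab names, not ISC's
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		IPAddresses:  ips, // the "IP SAN" from the mail; empty means no SAN at all
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyLikeClient chains the presented cert to the trusted root, then matches the dialled address against its SAN; "" means accepted.
func verifyLikeClient(presented, trustedCA *x509.Certificate, addr string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &unknownCA):
		return "unknown certificate authority" // the error in the agent log below
	case errors.As(err, &badName):
		return "address not in SAN"
	}
	return err.Error()
}
```

A certificate signed by a CA the agent has not imported fails the chain check, and one signed correctly but without the IP SAN fails the address check; fixing the first without the second still leaves the agent unable to connect.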
________________________________
From: Kea-users <kea-users-bounces at lists.isc.org> on behalf of Stefan G. Weichinger <lists at xunil.at>
Sent: Friday, June 30, 2023 6:13 AM
To: kea-users at lists.isc.org <kea-users at lists.isc.org>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost


On 30.06.23 at 12:16, Stefan G. Weichinger wrote:
>
> After some more restarting and re-registering currently stork looks good.
>
> I assume currently the stork-agents talk to the kea-ctrl-agents
> unencrypted ... I am not 100% sure yet.

Tested flipping this:

kea-ctrl-agent.conf:"cert-required": false

to true

When doing this, the stork-agent has issues trusting the cert:

Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Problem fetching stats from Kea: Post
\"https://10.0.0.231:8000/\": remote error: tls: unknown certificate
authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file="  promkeaexporter.go:841  "
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Some errors were encountered while collecting stats
from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown
certificate authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file="  promkeaexporter.go:712  "
Jun 30 13:07:34 adc1 kea-ctrl-agent[759731]: INFO
HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 10.0.0.231 failed
with certificate verify failed


And this while the agent.env has:

STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true

So I have to figure out how to make the stork-agent trust that cert.

Do I have to modify /var/lib/stork-agent/certs/ca.pem?

As far as I understand the files there are generated while registering
the stork-agent.

Thanks for any help; I think I am close to getting this right.

--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users