[Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost
Stefan G. Weichinger
lists at xunil.at
Fri Jun 30 16:23:16 UTC 2023
On 30.06.23 at 17:53, Eric Graham wrote:
> Stefan,
>
> I've been down this road and the short answer is to not bother trying to
> use the various options to skip certificate verification. Those settings
> don't do what you (I) think they do, and it's easier to just make the
> certs work.
>
> When you generate the certificates under your CA, add the IP address of
> each server as an IP SAN. For example, given a key, CA, and CSR, this is
> how I make a certificate:
>
> HOSTNAME='1.2.3.4'
> openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt \
>     -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN \
>     -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")
>
> In my case, I only care to make the certificate work for IP address, so
> you'll need to adjust the various options (obviously). When you're done,
> use the -print option to openssl on ${HOSTNAME}.crt to double check
> that the SAN is added.
>
> Then, double-double check that the CA is imported on both Kea servers,
> the Stork server, and since you mentioned Docker - also inside any
> containerized version of the aforementioned.
>
> Again, I don't change any of the verification settings, nor any of the
> certificates except the ones that I created for Kea to use. Hope this helps.
Thanks for pointing this out. My certs were done like:
openssl req -nodes -newkey rsa:2048 -keyout server_adc1.key -out server_adc1.csr \
    -subj "/C=some/ST=some/L=there/O=ISC-Kea/OU=adc1/CN=adc1/emailAddress=adr at my.tld"
so I have no IP SAN, right? (I grepped that command from a gist on GitHub
and modified it.)
I wanted to get it right with FQDNs in there etc ...
I will give your approach a try next week or so; I'm currently on the train
and not touching anything anymore today.
How to double-double-check the CA import? I added it to
/usr/local/share/ca-certificates/ and ran update-ca-certificates, so
the ca.crt should be in the system's keystore.
Is that enough to make stork trust it?
I assume so as I didn't find a specific setting/variable to define a TLS
CA for the stork-agent.
So it's very likely that adding that IP SAN to the cert fixes things.
I will see next week ;-)
Thanks, have a nice weekend.
Stefan
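As an added example (this is not code from the thread, nor from Kea or Stork), the script below reproduces both halves of the discussion above end to end: it mints a throwaway CA, issues one certificate the way Stefan's openssl req command does (CN only, no subjectAltName) and one with a DNS plus IP SAN added through -extfile the way Eric suggests, and then runs the checks a TLS client performs against each with openssl verify -verify_hostname / -verify_ip. The CA subject, the FQDN adc1.example.test, the address 192.0.2.10 (RFC 5737 test range), the sha256 digest and the file names are assumptions made for the demo; it needs only openssl 1.1.1 or newer, carries its own minimal config so the system openssl.cnf is not consulted, and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Kea/Stork. Hostname, IP,
# subjects and file names are assumptions for the demo.
set -eu

# write_cnf DIR: minimal req config so the result does not depend on the
# system openssl.cnf (CN in [dn] is overridden by -subj for server certs).
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = ISC-Kea
CN = Kea internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA key + certificate with explicit CA extensions
make_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$1/openssl.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_csr DIR NAME CN: key and CSR whose subject carries only a CN, as in
# the openssl req command quoted in the thread (no SAN requested).
make_csr() {
    openssl req -nodes -newkey rsa:2048 -sha256 -config "$1/openssl.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/O=ISC-Kea/CN=$3" >/dev/null 2>&1
}

# sign_cert DIR NAME [SAN]: CA-sign NAME.csr. With SAN ("DNS:x,IP:y") the
# extension is injected via -extensions/-extfile as suggested above; without
# it the certificate gets no subjectAltName at all.
sign_cert() {
    dir="$1"; name="$2"; san="${3:-}"
    set -- -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt"
    if [ -n "$san" ]; then
        printf '[SAN]\nsubjectAltName=%s\n' "$san" > "$dir/$name.san.cnf"
        set -- "$@" -extensions SAN -extfile "$dir/$name.san.cnf"
    fi
    openssl x509 "$@" >/dev/null 2>&1
}

# cert_sans CERT: the subjectAltName value line as openssl -text prints it
# (empty when the certificate has none). This is the "double check" step.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_host CA CERT FQDN / check_ip CA CERT IP: chain validation plus the
# identity check a TLS client does for a name or for an IP address.
check_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
check_ip()   { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

demo() {
    d="$(mktemp -d)"
    fqdn="adc1.example.test"   # assumed
    ip="192.0.2.10"            # assumed
    write_cnf "$d"; make_ca "$d"
    make_csr "$d" old "$fqdn"; sign_cert "$d" old                       # CN only
    make_csr "$d" new "$fqdn"; sign_cert "$d" new "DNS:$fqdn,IP:$ip"    # with SANs
    for n in old new; do
        printf '%s.crt SAN: [%s]\n' "$n" "$(cert_sans "$d/$n.crt")"
        check_host "$d/ca.crt" "$d/$n.crt" "$fqdn" && echo "  host $fqdn: OK" || echo "  host $fqdn: FAIL"
        check_ip   "$d/ca.crt" "$d/$n.crt" "$ip"   && echo "  ip   $ip: OK"   || echo "  ip   $ip: FAIL"
    done
    rm -rf "$d"
}
demo
```

Running it shows the difference on one screen: the CN-only certificate still passes the hostname check, because OpenSSL falls back to the CN when no DNS SAN is present, but fails the IP check, since an IP identity is only ever matched against an IP SAN; the certificate signed with -extfile passes both. A client that connects to Kea or the agent by IP address performs the second kind of check, which is why the IP SAN matters.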