[Kea-users] Using kea-shell

CS cs.temp.mail at gmail.com
Tue Jan 9 21:54:14 UTC 2024


Thanks Rick and Darren,

> Is the CA listening on localhost (127.0.0.1 or ::1 if IPv6) and port 8000?

Yes. Apologies, I may be remiss in that I tried to oversimplify things in
how I stated my question by having one server connect to its own CA through
localhost, but the result is the same when either server tries to connect to
the other, matching the IP address and port defined in the conf.

> if you configure your CA to use TLS, you will also need to specify --ca arg to kea-shell

Thank you for your broad memory! Yes, this is at least where things are
partially wrong. This is the error I noted in micetro as well: "wrong version
number".

$ sudo kea-shell --host x.x.x.x --port 8000 --auth-user kea_user --auth-password "badpassword" --ca /Certificate_Autority.pem
Failed to run: <urlopen error [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1007)>

and the following logs:

2024-01-09 21:11:13.379 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with http request
2024-01-09 21:11:35.947 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with http request
2024-01-09 21:18:40.074 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with sslv3 alert bad certificate
2024-01-09 21:19:13.815 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (unknown address) failed with tlsv1 alert unknown ca
2024-01-09 21:20:13.606 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (unknown address) failed with sslv3 alert bad certificate

I assume this is why, following Darren's advice, working with the socket is
fine but curl nets me "Empty reply from server".

I am using a basic self-signed cert with its own root authority. I thought
this might be outside y'all's scope, and I've been working with OpenSSL to
make something that seems to be working great with the openssl miniserver
and is working well enough that the TLS on the Kea heartbeats seems to be
fine. Not certain I understand SSL well enough to see why my certs would be
TLSv1, but I am using the following script to quickly generate the certs.
Anyone know OpenSSL well enough to see if this is wrong somehow?


#!/usr/bin/env bash
# ca_for_kea.sh
# Builds a private root CA and one server certificate per Kea daemon
# (control agent and DHCPv4) on each of two hosts. Needs OpenSSL 3.x:
# "openssl x509 -copy_extensions", used in sign_endpoint, is a 3.0 feature.

cafile=Certificate_Authority
caname=RootCA
basedn="/O=org.org"
mybase="keacrt"

create_ca() {
  # create CA certificate with 4096bit rsa key, 1826 days = 5 years
  local args_create_ca=(
    -passout pass:Y5LGYJgFBSZZ75
    -newkey  rsa:4096
    -aes256
    -keyout  "$mybase/$cafile.key"
    -x509
    -new
    -sha256
    -days    1826
    -subj    "$basedn/CN=$caname"
    -addext  "keyUsage=critical,keyCertSign"
    -addext  "basicConstraints=critical,CA:true,pathlen:0"
    -out     "$mybase/$cafile.pem"
  )
  openssl req "${args_create_ca[@]}"
}

create_endpoint() {
  # create an unencrypted 2048-bit key and a CSR for a service; the SAN and
  # key-usage extensions go into the CSR so sign_endpoint can copy them over
  local mycertbase="$1" mykeyfile="$2" mycert="$3" myalts="$4"

  local args_create_endpoint=(
    -out    "$mybase/${mycertbase}.csr"
    -keyout "$mybase/$mykeyfile"
    -subj   "$basedn/CN=$mycert"
    -addext "subjectAltName=$myalts"
    -addext "subjectKeyIdentifier=hash"
    -addext "keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment"
    -addext "extendedKeyUsage=serverAuth,clientAuth"
    -addext "basicConstraints=CA:FALSE"
    -nodes
    -newkey rsa:2048
  )
  openssl req "${args_create_endpoint[@]}"
}

sign_endpoint() {
  # sign a CSR with the CA key (730 days = 2 years), keeping the CSR's extensions
  local certbase="$1"

  local args_sign_endpoint=(
    -req
    -passin pass:Y5LGYJgFBSZZ75
    -CA     "$mybase/$cafile.pem"
    -CAkey  "$mybase/$cafile.key"
    -in     "$mybase/$certbase.csr"
    -out    "$mybase/$certbase.pem"
    -CAcreateserial
    -days   730
    -sha256
    -copy_extensions copyall
  )
  openssl x509 "${args_sign_endpoint[@]}"
}

# main
mkdir -p "$mybase"

create_ca

myserver=kea1.org.org
create_endpoint ca1_cert ca1_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.1"
sign_endpoint ca1_cert
rm "$mybase/ca1_cert.csr"

dhcp1_cert=dhcp1_cert
create_endpoint "$dhcp1_cert" dhcp1_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.1"
sign_endpoint "$dhcp1_cert"
rm "$mybase/$dhcp1_cert.csr"


myserver=kea2.org.org
create_endpoint ca2_cert ca2_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.2"
sign_endpoint ca2_cert
rm "$mybase/ca2_cert.csr"

dhcp2_cert=dhcp2_cert
create_endpoint "$dhcp2_cert" dhcp2_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.2"
sign_endpoint "$dhcp2_cert"
rm "$mybase/$dhcp2_cert.csr"


CS, cs.Temp.Mail at gMail.com
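Added example (not from this thread and not part of ISC's Kea or kea-shell): a small Python diagnostic for exactly the two symptoms quoted above. It classifies the HTTP_CONNECTION_HANDSHAKE_FAILED reasons from the control-agent log, and it probes a host:port with a TLS handshake so that WRONG_VERSION_NUMBER (the agent answered in plaintext), "connection refused" and real certificate errors can be told apart before anyone touches the certificate script. The log lines are constructed in the shape of the ones quoted above, with RFC 5737 addresses; the reason-to-cause mapping is my assumption, based on OpenSSL reporting an alert it received from the peer with the "alert" prefix, and the stub server exists only so the probe can be exercised offline against a plaintext listener.

```python
import re
import socket
import ssl
import threading

# Constructed sample in the shape of the kea-ctrl-agent lines quoted above
# (addresses replaced with RFC 5737 documentation values).
SAMPLE_CA_LOG = """\
2024-01-09 21:11:13.379 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 192.0.2.10 failed with http request
2024-01-09 21:18:40.074 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 192.0.2.10 failed with sslv3 alert bad certificate
2024-01-09 21:19:13.815 INFO  [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (unknown address) failed with tlsv1 alert unknown ca
"""

HANDSHAKE_RE = re.compile(
    r"HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (?P<peer>.+?) "
    r"failed with (?P<reason>.+)$"
)

# Assumed mapping from the OpenSSL reason text to the likely cause. An "alert ..."
# reason is an alert the agent *received*, i.e. the client gave up on the handshake.
REASON_HINTS = {
    "http request": "client sent plaintext HTTP to the TLS port "
                    "(kea-shell without --ca, or curl using http://)",
    "alert unknown ca": "client aborted: it does not trust the issuer of the "
                        "certificate the agent presented (wrong --ca / --cacert file)",
    "alert bad certificate": "client aborted: it rejected the presented certificate "
                             "(host or IP not in the SAN, or unusable extensions)",
}


def classify_handshake_failures(log_text):
    """Return one (peer, reason, hint) tuple per HANDSHAKE_FAILED line."""
    rows = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        hint = next((h for key, h in REASON_HINTS.items() if reason.endswith(key)),
                    "unclassified: " + reason)
        rows.append((m.group("peer"), reason, hint))
    return rows


def probe_tls(host, port, timeout=3.0):
    """Try a TLS handshake against host:port and report what it actually speaks.

    Certificate checks are disabled on purpose: this only answers "is it TLS?"
    and must not stand in for real verification.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls", tls.version()
    except ConnectionRefusedError:
        return "refused", "nothing listening there; compare http-address/http-port"
    except ssl.SSLError as exc:
        # The error kea-shell printed: the peer replied with bytes that are not
        # a TLS record, typically an HTTP response from an agent without TLS.
        if exc.reason == "WRONG_VERSION_NUMBER":
            return "plaintext", "port speaks plain HTTP; drop --ca and use http://"
        return "tls-error", exc.reason or str(exc)
    except OSError as exc:
        return "error", str(exc)


def start_plaintext_http_stub():
    """Stand-in for a control agent configured without TLS: answers any bytes
    with an HTTP 400 and closes. Returns the port it listens on (127.0.0.1)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the ClientHello, ignored
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port that nothing listens on (for the 'refused' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for peer, reason, hint in classify_handshake_failures(SAMPLE_CA_LOG):
        print(f"{peer}: {reason} -> {hint}")
    print(probe_tls("127.0.0.1", start_plaintext_http_stub()))
    print(probe_tls("127.0.0.1", free_port()))
```

Run as-is it prints the classification of the constructed lines and the two probe results. Pointed at the agent's real http-address and http-port, probe_tls tells you whether the listener is TLS at all: "plaintext" means the --ca argument (or https://) is the mistake, "tls-error" with a certificate reason means the listener is fine and the trust chain or SAN is what to look at.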


On Tue, 9 Jan 2024 at 02:55, Darren Ankney <darren.ankney at gmail.com> wrote:

> Hi,
>
> You may also want to start at the Kea server and work backwards.  You
> can talk directly to the Kea server as described here:
>
> https://kea.readthedocs.io/en/kea-2.4.1/arm/ctrl-channel.html#using-the-control-channel
> by doing something like:
>
> echo '{"command": "config-get"}' | sudo socat
> UNIX:/path/to/the/kea/socket -,ignoreeof | jq
>
> The "jq" portion is optional but nicely formats the json result.
>
> "/path/to/the/kea/socket" would be the socket as specified in your
> dhcp4 configuration file.
>
> If that works, then you can try sending the same thing to the control
> agent using curl.  Something like this:
>
> curl -X POST -H "Content-Type: application/json" -d '{ "command":
> "config-get", "service": [ "dhcp4" ] }' http://ca.example.org:8000/
>
> replace "http://ca.example.org:8000/" with the correct url (e.g.,
> https://127.0.0.1:8000/).  You may need to consult the curl
> documentation if using ssl.
>
> curl might give a more descriptive error message.
>
> Thank you,
>
> Darren Ankney
>
> On Mon, Jan 8, 2024 at 11:00 PM Rick Frey <gribnut at gmail.com> wrote:
> >
> > Connection refused would indicate that kea-shell is unable to connect to
> specified address and port.  First step would be to verify the CA is
> listening on the address and port you are specifying as args to kea-shell.
> Is the CA listening on localhost (127.0.0.1 or ::1 if IPv6) and port 8000?
> > In an earlier thread around CA connectivity issues, your redacted config
> for the CA indicated you were specifying an address using directive
> http-address.  See Kea Docs (
> https://kea.readthedocs.io/en/kea-2.4.1/arm/agent.html#configuration for
> info on CA http-address and http-port.  If you are specifying http-address
> and/or http-port for CA, the kea-shell args for --host and --port must match.
> >
> > Note that if you configure your CA to use TLS, you will also need to
> specify --ca arg to kea-shell (see
> https://kea.readthedocs.io/en/kea-2.4.1/arm/shell.html#tls-support ).  I
> don't believe there is a means to ignore a cert hostname mismatch for
> kea-shell (would require using a cert that contains a SAN that matches the
> hostname or IP address used for --host arg).  Mainly mentioning since your
> earlier threads indicated you may be using TLS for CA as well.
> >
> >
> > On Jan 8, 2024, at 2:30 PM, CS <cs.temp.mail at gmail.com> wrote:
> >
> > Still trying to get my deployment to play nice with micetro. Everything
> is up and working as far as I know. Good status on the CA and DHCP4 daemons
> and logging heartbeats between my HA servers leads me to believe so.
> > But trying to touch the kea control agent
> >
> > sudo kea-shell --host localhost --port 8000 --auth-user keauser
> --auth-password "bad password" --service dhcp4 list-commands
> >
> > <ctrl+d>
> >
> > Failed to run: <urlopen error [Errno 111] Connection refused>
> >
> >
> > makes me think otherwise. Nothing gets logged to the CA or DHCP4 verbose
> logs either. Just refuses the connection... am I missing something simple?
> >
> > CS, cs.Temp.Mail at gMail.com
> > --
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >
> > Kea-users mailing list
> > Kea-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/kea-users
> >