[Kea-users] Kea HA with self signed certs

Rick Frey gribnut at gmail.com
Thu Mar 14 18:22:20 UTC 2024 

I believe that error indicates your Kea server requires a client certificate.  Per Kea documentation, the config parameter "cert-required” default is true.  Would indicate your server config didn’t set or is set to true and you did not provide one in the sample command line.  If you don’t require client cert for authentication, you can set to false in kea-ctl-agent.conf.

> On Mar 13, 2024, at 16:11, CS <cs.temp.mail at gmail.com> wrote:
> 
> Hey guys,
> 
> What does this mean?
> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)
> 
> I'm back again after getting pulled off onto other projects, I am working on getting my small kea cluster running with Micetro.
> 
> Micetro refuses to add the servers and while I'd thought I had solved all my problems with ya'll before (kea daemons appear to be running error free) on re-approaching the problem I have notice I have not been able to get kea-shell to run against either localhost or the other server. 
> 
> My knowledge of creating and using SSL is very poor. For this project alone I worked with the folks on reddit to develop a script for creating the self signed certs. https://www.reddit.com/r/openssl/comments/170r9ko/creating_self_signed_cert_for_kea_encryption/?utm_source=share&utm_medium=web2x&context=3 so I assume the error is somewhere there. But I don't understand the reply when I run kea-shell.
> 
> kea-shell --host 10.111.45.45 --port 8000 --auth-user "bad username" --auth-password "bad password" --ca certs/Certificate_Autority.pem list-commands
> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)
> 
> Do you all know what I've done wrong or what I need to do to make the cert right?
> 
> CS, cs.Temp.Mail at gMail.com
> -- 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> 
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20240314/e74841c3/attachment-0001.htm>

More information about the Kea-users mailing list