[Kea-users] Kea HA with self signed certs

CS cs.temp.mail at gmail.com
Thu Mar 14 18:41:26 UTC 2024


Thanks for the reply Rick. In this deployment I have specified in the
control agent conf:
"cert-required": true,
"trust-anchor": "Certificate_Autority.pem",
"cert-file": "ca1_cert.pem",
"key-file": "ca1_key.pem",

all pointing to self signed certs created with the help of (basically) the
script I worked on in the reddit link. Stripping the certs away certainly
allows the kea-shell commands to work, however this isn't the goal.

I don't understand the second part of your reply.
> or is set to true and you did not provide one in the sample command line.

Don't I show what you are suggesting I might not have done? "--ca
Certificate_Autority.pem"

CS, cs.Temp.Mail at gMail.com


On Thu, 14 Mar 2024 at 11:22, Rick Frey <gribnut at gmail.com> wrote:

> I believe that error indicates your Kea server requires a client
> certificate.  Per Kea documentation, the config parameter "cert-required"
> default is true.  Would indicate your server config didn’t set or is set to
> true and you did not provide one in the sample command line.  If you don’t
> require client cert for authentication, you can set to false in
> kea-ctl-agent.conf.
>
> On Mar 13, 2024, at 16:11, CS <cs.temp.mail at gmail.com> wrote:
>
> Hey guys,
>
> What does this mean?
> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert
> certificate required (_ssl.c:2578)
>
> I'm back again after getting pulled off onto other projects, I am working
> on getting my small kea cluster running with Micetro.
>
> Micetro refuses to add the servers and while I'd thought I had solved all
> my problems with y'all before (kea daemons appear to be running error free)
> on re-approaching the problem I have noticed I have not been able to get
> kea-shell to run against either localhost or the other server.
>
> My knowledge of creating and using SSL is very poor. For this project
> alone I worked with the folks on reddit to develop a script for creating
> the self signed certs.
> https://www.reddit.com/r/openssl/comments/170r9ko/creating_self_signed_cert_for_kea_encryption/?utm_source=share&utm_medium=web2x&context=3
> so I assume the error is somewhere there. But I don't understand the reply
> when I run kea-shell.
>
> kea-shell --host 10.111.45.45 --port 8000 --auth-user "bad username"
> --auth-password "bad password" --ca certs/Certificate_Autority.pem
> list-commands
> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert
> certificate required (_ssl.c:2578)
>
> Do you all know what I've done wrong or what I need to do to make the cert
> right?
>
> CS, cs.Temp.Mail at gMail.com
> --
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
>
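
Added example, not part of the original thread or of Kea itself: with "cert-required": true the control agent asks the connecting client for a certificate that chains to the configured trust-anchor, while --ca on kea-shell only names the CA used to check the server. The script below issues such a client certificate from a constructed throwaway CA and checks it with openssl verify; the file names, subject names and helper functions are assumptions, and the closing comment uses kea-shell's --cert and --key options with placeholder host and port.

```shell
#!/bin/sh
# Added example. Everything here is constructed demo material, not the poster's files.
set -eu

# Create a throwaway CA in directory $1 (plays the role of the "trust-anchor" file).
make_demo_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/demo.cnf"
  openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Kea CA" -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" 2>/dev/null
}

# Issue a client certificate named $2 in directory $1, signed by that CA.
issue_client_cert() {
  printf 'extendedKeyUsage=clientAuth\n' > "$1/${2}.ext"
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=${2}" -keyout "$1/${2}_key.pem" -out "$1/${2}.csr" 2>/dev/null
  openssl x509 -req -in "$1/${2}.csr" -days 30 -CA "$1/ca_cert.pem" \
    -CAkey "$1/ca_key.pem" -CAcreateserial -extfile "$1/${2}.ext" \
    -out "$1/${2}_cert.pem" 2>/dev/null
}

# True only if certificate $2 chains to CA file $1 and is valid for TLS client auth.
client_cert_ok() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
issue_client_cert "$demo_dir" kea-shell-client
if client_cert_ok "$demo_dir/ca_cert.pem" "$demo_dir/kea-shell-client_cert.pem"; then
  echo "client certificate chains to the CA"
fi

# The client then presents it alongside --ca (host and port are placeholders):
#   kea-shell --host <agent-address> --port <agent-port> \
#     --ca ca_cert.pem --cert kea-shell-client_cert.pem \
#     --key kea-shell-client_key.pem list-commands
```

A certificate that fails client_cert_ok against the trust-anchor file would also be refused by a server that verifies client certificates against that CA.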