[Kea-users] Kea HA with self signed certs

Thu Mar 14 19:29:48 UTC 2024

I appreciate the suggestion. It might be worth noting that documentation
should include -u for authentication headers IMO, not that I'm expert.

curl (and telnet) to the server's DNS address has the connection refused
(to http and https to FQDN or localhost) but by ip address almost works:
"Empty reply from server" tho telnet works.

curl --insecure -u bad_user:bad_password -X POST -H "Content-Type:
application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }'
xxx.xxx.xxx.xxx:8000

CS, cs.Temp.Mail at gMail.com

On Thu, 14 Mar 2024 at 12:06, Darren Ankney <darren.ankney at gmail.com> wrote:

> Hi,
>
> You might try using "curl" as shown here:
>
>
> https://kea.readthedocs.io/en/kea-2.4.1/arm/ctrl-channel.html#using-the-control-channel
>
> I know very little about SSL, but `--insecure` added to the curl
> command line will cause it to not check validity of certificates.  You
> can also specify cert files on the command line. This should let you
> test your certificate setup more easily I'd think.
>
> Thank you,
> Darren Ankney
>
> On Thu, Mar 14, 2024 at 2:40 PM CS <cs.temp.mail at gmail.com> wrote:
> >
> > Thanks for the reply Rick. In this deployment I have specified in the
> control agent conf:
> > "cert-required": true,
> > "trust-anchor": "Certificate_Autority.pem",
> > "cert-file": "ca1_cert.pem",
> > "key-file": "ca1_key.pem",
> >
> > all pointing to self signed certs created with the help of (basically)
> the script I worked on in the reddit link. Stripping the certs away
> certainly allows the kea-shell commands to work, however this isn't the
> goal.
> >
> > I don't understand the second part of your reply.
> > >or is set to true and you did not provide one in the sample command
> line.
> >
> > Don't I show what you are suggesting I might not have done? "--ca
> Certificate_Autority.pem"
> >
> > CS, cs.Temp.Mail at gMail.com
> >
> >
> > On Thu, 14 Mar 2024 at 11:22, Rick Frey <gribnut at gmail.com> wrote:
> >>
> >> I believe that error indicates your Kea server requires a client
> certificate.  Per Kea documentation, the config parameter "cert-required”
> default is true.  Would indicate your server config didn’t set or is set to
> true and you did not provide one in the sample command line.  If you don’t
> require client cert for authentication, you can set to false in
> kea-ctl-agent.conf.
> >>
> >> On Mar 13, 2024, at 16:11, CS <cs.temp.mail at gmail.com> wrote:
> >>
> >> Hey guys,
> >>
> >> What does this mean?
> >> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert
> certificate required (_ssl.c:2578)
> >>
> >> I'm back again after getting pulled off onto other projects, I am
> working on getting my small kea cluster running with Micetro.
> >>
> >> Micetro refuses to add the servers and while I'd thought I had solved
> all my problems with ya'll before (kea daemons appear to be running error
> free) on re-approaching the problem I have notice I have not been able to
> get kea-shell to run against either localhost or the other server.
> >>
> >> My knowledge of creating and using SSL is very poor. For this project
> alone I worked with the folks on reddit to develop a script for creating
> the self signed certs.
> https://www.reddit.com/r/openssl/comments/170r9ko/creating_self_signed_cert_for_kea_encryption/?utm_source=share&utm_medium=web2x&context=3
> so I assume the error is somewhere there. But I don't understand the reply
> when I run kea-shell.
> >>
> >> kea-shell --host 10.111.45.45 --port 8000 --auth-user "bad username"
> --auth-password "bad password" --ca certs/Certificate_Autority.pem
> list-commands
> >> Failed to run: [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert
> certificate required (_ssl.c:2578)
> >>
> >> Do you all know what I've done wrong or what I need to do to make the
> cert right?
> >>
> >> CS, cs.Temp.Mail at gMail.com
> >> --
> >> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >>
> >> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >>
> >> Kea-users mailing list
> >> Kea-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/kea-users
> >>
> >>
> >> --
> >> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >>
> >> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >>
> >> Kea-users mailing list
> >> Kea-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/kea-users
> >
> > --
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >
> > Kea-users mailing list
> > Kea-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/kea-users
> --
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20240314/73614fcc/attachment-0001.htm>