[Kea-users] Kea 3 HA with TLS - private keys
Frederick Bloggingtons
frederickbloggingtons at gmail.com
Thu Apr 30 08:26:11 UTC 2026
Hi Peter,
When removing the certificates and keys for dhcp02, the server fails to
start with the following:
2026-04-30 08:23:06.698 ERROR [kea-dhcp4.ha-hooks/2628056.139838400072704]
HA_CONFIGURATION_FAILED failed to configure High Availability hooks
library: bad TLS config for server secondary: load of private key file
'/var/lib/kea/dhcp02_kea_ha_key.pem' failed: No such file or directory
2026-04-30 08:22:36.226 ERROR [kea-dhcp4.ha-hooks/2628022.140280840465408]
HA_CONFIGURATION_FAILED failed to configure High Availability hooks
library: bad TLS config for server secondary: load of cert file
'/var/lib/kea/dhcp02_kea_ha_cert.pem' failed: No such file or directory
Therefore, it doesn't seem possible to remove these files without
adjusting the config; however, since this is an HA setup, the config is
required to be the same on both machines.
With that in mind, how are we to remove the private key material from the
machines that should not require it?
Regards,
Fred
On Thu, 30 Apr 2026 at 09:14, Peter Davies <peterd at isc.org> wrote:
> Hi Frederick,
> When acting as a server, Kea Server 1 presents the server1 certificate to the
> client (Kea Server 2), who then uses the trust_anchor to verify it.
>
> Kea Server 1 uses the server1 private key to sign data during the handshake
> and to prove it owns that certificate.
>
> You have "require-client-certs": true, defined - so when acting as a client,
> Kea Server 1 will present the server1 certificate to the server (Kea Server 2),
> who then uses the trust_anchor to verify it.
>
> Therefore /usr/lib/kea/server1_cert.pem and /usr/lib/kea/server1_key.pem need
> only exist on Kea Server 1.
>
> The same for Kea Server 2's certificate and key files.
>
> There should be no problem with having all the files on both servers.
>
> /Peter
>
> On 29/04/2026 10.35, Frederick Bloggingtons wrote:
> > "require-client-certs": true,
>
> --
> Peter Davies
> Support Engineer
> Internet Systems Corporation
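The thread's point is that every node must list every peer's key-file, yet a peer's private key should only ever live on the node that owns it. The following audit, added here as an example and not part of the thread or of Kea's own tooling, checks one node against that rule; it assumes the key-file naming from Fred's log (/var/lib/kea/<peer>_kea_ha_key.pem), GNU stat on a Linux host, and that the caller passes the peer names from the HA config.

```shell
# Audit the Kea HA private keys configured on this node (added example).
# Usage: kea_ha_key_audit <this-node> <kea-dir> <peer>...
# One line per configured peer key: OK | MISSING | FOREIGN-KEY | WEAK-PERMS
kea_ha_key_audit() {
  self="$1"; dir="$2"; shift 2
  for peer in "$@"; do
    key="$dir/${peer}_kea_ha_key.pem"   # assumed naming, as in the thread's log
    if [ ! -e "$key" ]; then
      # Kea loads every configured key-file at startup, so a missing file is
      # fatal (the HA_CONFIGURATION_FAILED ... No such file or directory above).
      echo "MISSING $key"
      continue
    fi
    mode=$(stat -c %a "$key")           # GNU stat; assumption: Linux host
    if [ "$peer" != "$self" ]; then
      # Another peer's private key present on this node is the exposure the
      # thread is asking how to avoid: it proves that peer's identity in the
      # TLS handshake and has no reason to be readable here.
      echo "FOREIGN-KEY $key"
    elif [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
      echo "WEAK-PERMS $key mode=$mode"
    else
      echo "OK $key"
    fi
  done
}

# Count of non-OK lines, so a cron job or monitoring check can alert on non-zero.
kea_ha_key_findings() {
  kea_ha_key_audit "$@" | grep -v '^OK ' | wc -l | tr -d ' '
}
```

Run it on each node with that node's own name first, e.g. `kea_ha_key_findings dhcp01 /var/lib/kea dhcp01 dhcp02`, and treat any FOREIGN-KEY line as key material to revoke and re-issue rather than just delete, since the file has already been exposed to a host that did not need it.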