<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Stefan,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
I've been down this road and the short answer is to not bother trying to use the various options to skip certificate verification. Those settings don't do what you (I) think they do, and it's easier to just make the certs work.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
When you generate the certificates under your CA, add the IP address of each server as an IP SAN. For example, given a key, CA, and CSR, this is how I make a certificate:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<b>HOSTNAME='1.2.3.4'</b></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<strong class="ContentPasted1">openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")</strong><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<strong class="ContentPasted1"><br>
</strong></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
In my case, I only care to make the certificate work for IP address, so you'll need to adjust the various options (obviously). When you're done, use the
<b>-print</b> option to openssl on <b>${HOSTNAME}.crt</b> to double check that the SAN is added.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Then, double-double check that the CA is imported on both Kea servers, the Stork server, and since you mentioned Docker - also inside any containerized version of the aforementioned.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Again, I don't change any of the verification settings, nor any of the certificates except the ones that I created for Kea to use. Hope this helps.</div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<b>Eric Graham</b></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<i>DevOps Specialist</i></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 8pt;">Direct: 605.990.1859</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 8pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"></span><i><br>
</i></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<i><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 8pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"></span></i><a href="mailto:eric.graham@vantagepnt.com" title="mailto:eric.graham@vantagepnt.com"><span style="font-size: 8pt;">Eric.Graham@vantagepnt.com</span></a><i><br>
</i></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<i><img style="max-width:100%" class="ContentPasted0" id="imageSelected0" data-outlook-trace="F:1|T:1" src="cid:5d14fe52-b13e-4292-9ba3-9e7c1ad07c1c"><br>
</i></div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Kea-users <kea-users-bounces@lists.isc.org> on behalf of Stefan G. Weichinger <lists@xunil.at><br>
<b>Sent:</b> Friday, June 30, 2023 6:13 AM<br>
<b>To:</b> kea-users@lists.isc.org <kea-users@lists.isc.org><br>
<b>Subject:</b> Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated outside the organization. Do not click any links or attachments unless you have verified the sender.<br>
<br>
Am 30.06.23 um 12:16 schrieb Stefan G. Weichinger:<br>
><br>
> After some more restarting and re-registering currently stork looks good.<br>
><br>
> I assume currently the stork-agents talk to the kea-ctrl-agents<br>
> unencrypted ... I am not 100% sure yet.<br>
<br>
Tested flipping this:<br>
<br>
kea-ctrl-agent.conf:"cert-required": false<br>
<br>
to true<br>
<br>
When doing this, the stork-agent has issues trusting the cert:<br>
<br>
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"<br>
level="error" msg="Problem fetching stats from Kea: Post<br>
\"<a href="https://10.0.0.231:8000/\">https://10.0.0.231:8000/\</a>": remote error: tls: unknown certificate<br>
authority\nproblem sending POST to<br>
<a href="https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem">https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem</a><br>
getting stats from<br>
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"<br>
file="  promkeaexporter.go:841  "<br>
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"<br>
level="error" msg="Some errors were encountered while collecting stats<br>
from Kea: Post \"<a href="https://10.0.0.231:8000/\">https://10.0.0.231:8000/\</a>": remote error: tls: unknown<br>
certificate authority\nproblem sending POST to<br>
<a href="https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem">https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem</a><br>
getting stats from<br>
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"<br>
file="  promkeaexporter.go:712  "<br>
Jun 30 13:07:34 adc1 kea-ctrl-agent[759731]: INFO<br>
HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 10.0.0.231 failed<br>
with certificate verify failed<br>
<br>
<br>
And this while the agent.env has:<br>
<br>
STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true<br>
<br>
So I have to figure out how to make the stork-agent trust that cert.<br>
<br>
Do I have to modify /var/lib/stork-agent/certs/ca.pem?<br>
<br>
As far as I understand the files there are generated while registering<br>
the stork-agent.<br>
<br>
thanks for any help, I think I am close to getting this right<br>
<br>
--<br>
ISC funds the development of this software with paid support subscriptions. Contact us at
<a href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.<br>
<br>
To unsubscribe visit <a href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>.<br>
<br>
Kea-users mailing list<br>
Kea-users@lists.isc.org<br>
<a href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a><br>
</div>
</span></font></div>
</body>
</html>