<div dir="ltr"><div>Hi all,</div><div><br></div>I have been combing through the docs and the larger internet for help but I'm stuck. I am trying to add certs to my 2 HA kea servers but adding the stanza just causes the daemon to fail to start with little explanation save for the hook failed. I feel pretty confident that my certs are good, as I have tested them with the little openssl cli webserver and I don't have the foggiest clue what else could be wrong. (I do note that by best practice I should have a keypair for each ca and each dhcp4, but I don't think that is causing the problem.)<div><br></div><div>The control agent is running fine on both servers, for example:</div><div><br></div><div>INFO  CTRL_AGENT_HTTPS_SERVICE_STARTED HTTPS service bound to address xxx.xxx.xxx.xx2:8000<br>INFO  DCTL_CONFIG_COMPLETE server has completed configuration: listening on xxx.xxx.xxx.xx2, port 8000, trust anchor CA.pem, cert file ca2_cert.pem, key file ca2_key.pem, client certs are required, control sockets: d2 dhcp4 dhcp6, requires basic HTTP authentication, 0 lib(s):<br>INFO  CTRL_AGENT_STARTED Kea Control Agent version 2.2.0 started<br></div><div><br></div><div>But here are the relevant parameters</div><div><br></div><div>"Control-agent": {<br>                "http-host": "xxx.xxx.xxx.xx2",<br>                "trust-anchor": "CA.pem",<br>                "cert-file": "ca2_cert.pem",<br>                "key-file": "ca2_key.pem",<br>                "cert-required": true,<br>                "http-port": 8000,<br>                "authentication": {<br>                        "type": "basic",<br>                        "realm": "kea-control-agent",<br>                        "clients": [{<br>                                "user": "baduser",<br>                                "password": "badpassword"<br>                        }]<br>                },<br></div><div><br></div><div>The DHCP4 daemon however refuses to start when the 3 TLS parameters are added and I cannot get any 
more useful logging than what systemctl reports</div><div><br></div><div>Dec 15 02:41:01 server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 ERROR [kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LOAD_ERROR 'load' function in hook library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so returned error 1<br>Dec 15 02:41:01  server2 kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO  [kea-dhcp4.ha-hooks/1124568.140238120309056] HA_DEINIT_OK unloading High Availability hooks library successful<br>Dec 15 02:41:01  server2   kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO  [kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LIBRARY_CLOSED hooks library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so successfully closed<br>Dec 15 02:41:01  server2   kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO  [kea-dhcp4.lease-cmds-hooks/1124568.140238120309056] LEASE_CMDS_DEINIT_OK unloading Lease Commands hooks library successful<br>Dec 15 02:41:01  server2   kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 INFO  [kea-dhcp4.hooks/1124568.140238120309056] HOOKS_LIBRARY_CLOSED hooks library /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so successfully closed<br>Dec 15 02:41:01  server2   kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_PARSER_COMMIT_FAIL parser failed to commit changes: One or more hook libraries failed to load<br>Dec 15 02:41:01  server2   kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp4.conf, reason: One or more hook libraries failed to load<br>Dec 15 02:41:01  server2    kea-dhcp4[1124568]: 2023-12-15 02:41:01.714 ERROR [kea-dhcp4.dhcp4/1124568.140238120309056] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': One or more hook libraries ><br>Dec 15 02:41:01  server2   systemd[1]: isc-kea-dhcp4-server.service: Main process exited, code=exited, 
status=1/FAILURE<br>Dec 15 02:41:01  server2   systemd[1]: isc-kea-dhcp4-server.service: Failed with result 'exit-code'.<br></div><div><br></div><div>The relevant parameters from the dhcp4 config:</div><div><br></div><div>"hooks-libraries": [{<br>                        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so",<br>                        "parameters": {}<br>                },{<br>                        "library" : "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",<br>                        "parameters": {<br>                                "high-availability": [{<br>                                        "this-server-name": "<a href="http://server1.org.org/" target="_blank">server1.org.org</a>",<br>                                        "mode": "load-balancing",<br>                                        "heartbeat-delay": 10000,<br>                                        "max-response-delay": 60000,<br>                                        "max-ack-delay": 5000,<br>                                        "max-unacked-clients": 0,<br>                                        "trust-anchor": "CA.pem",</div><div>                                        "require-client-certs": true,<br>                                        "peers": [{<br>                                                "name": "<a href="http://server1.org.org/" target="_blank">server1.org.org</a>",<br>                                                "url": "<a href="http://xxx.xxx.xxx.xxx:8000/" target="_blank">http://xxx.xxx.xxx.xx1:8000/</a>",<br>                                                "cert-file": "ca1_cert.pem",<br>                                                "key-file": "ca1_key.pem",<br>                                                "role": "primary",<br>                                                "auto-failover": true,<br>                                                "basic-auth-user": "baduser",<br>                                            
    "basic-auth-password": "badpassword"<br>                                        },{<br>                                                "name": "<a href="http://server1.org.org/" target="_blank">server2.org.org</a>",<br>                                                "url": "<a href="http://xxx.xxx.xxx.xxx:8000/" target="_blank">http://xxx.xxx.xxx.xx2:8000/</a>",<br>                                                "cert-file": "ca2_cert.pem",<br>                                                "key-file": "ca2_key.pem",<br>                                                "role": "secondary",<br>                                                "auto-failover": true,<br>                                                "basic-auth-user": "baduser",<br>                                                "basic-auth-password": "badpassword"<br>                                         }]<br>                                }]<br>                        }<br>                }]<br></div><div><br></div><div>I feel like I must be missing something simple, but I just can't suss it out. Any guidance leads or help to be found here?</div></div>