[stork-users] Stork Agent Custom SSL Certificate

[Justin Krejci]

I recently deployed a new Kea DHCP server and am trying to get the Stork agent to communicate fully with my Stork server.
The issue I am experiencing is the new DHCP server and Stork agent are NAT'ed from the Stork server. From a network perspective this is not an issue as I have allowed the Stork server to communicate with the new Stork agent on the NAT'ed address. This traffic works fine and reaches the Stork agent. The issue is that the Stork agent generates its own SSL key and certificate based on the real IP address (private IP) of the machine and when my Stork server initiates communication to the Stork agent I get the following logged error on my Stork server

level="warning" msg="failed to get state from agent $public_IP:8081: grpc manager is unable to re-establish connection with the agent $public_IP:8081: rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: x509: certificate is valid for $private_IP, not $public_IP\"" file=" statepuller.go:247 "

Basically, the agent certificate is configured for the local IP address but the server is communicating with the NAT'ed address and therefore rejects the certificate because the address does not match.

I have been spending time trying different solutions for the agent to use my own SSL key/cert files but I can not seem to get the agent to use anything other than the ones it generates on its own. I even tried overwriting the key/cert files but they get automatically regenerated. When I tried making the files immutable, then the agent wont start at all with an error that the SSL key/cert files are not able to be regenerated. The only open bug I could find that is somewhat close to this issue is https://gitlab.isc.org/isc-projects/stork/-/issues/478 but it is not exactly my problem.

Stork agent version: 2.0.1.250218103538
Stork agent on Ubuntu 24.04 LTS
Stork agent installed via ISC Cloudsmith repository


I've tried specifying configs in the agent.env file like "STORK_AGENT_CLIENT_CERT=/path/to/file" and "STORK_AGENT_CLIENT_KEY=/path/to/file" but it seems to have no effect after restarting the Stork agent. No matter what I have tried the Stork agent always seems to use its own generated SSL files.

I have seen the stork-tool command but that appears to just be for the Stork server and not the agent.

Is there a way to tell my Stork agent to use my own SSL key/cert files instead? Or is there a way to tell my Stork agent to add an extra IP address to the "Altnames" field of the certificate it generates?

Thanks!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/stork-users/attachments/20250417/525dcbe1/attachment.htm>