[stork-users] Stork Agent Custom SSL Certificate

Slawek Figiel slawek at isc.org
Fri Apr 18 11:10:42 UTC 2025


Hello Justin

You can see these references about replacing certificates.

- My detailed response on this mailing list: 
https://lists.isc.org/pipermail/stork-users/2024-November/000362.html
- Our KB article: 
https://kb.isc.org/docs/importing-external-certificates-to-stork

However, I think you don't need to do it.

The IP address or hostname embedded into the agent TLS certificate file 
is provided by a user during agent registration. It may be specified by:

- "--host" flag or "STORK_AGENT_HOST" environment variable if the 
automatic registration flow is used
- "--agent-host" flag or "STORK_AGENT_HOST" environment variable if the 
"register" command is used
- the prompt of the "register" command, if it is used and the host flag is not present

This IP address or hostname should be a public one. It means it should 
be an address that the Stork server may use to establish a connection to 
the agent. The Stork agent doesn't use this address in any way, so it 
doesn't need to be valid for the agent machine.

So, please change the host IP that you provide in your Stork agent 
configuration to the public one and re-register the agent.

Regards,
Slawek Figiel

On 4/18/25 12:18 AM, Justin Krejci wrote:
> I recently deployed a new Kea DHCP server and am trying to get the Stork 
> agent to communicate fully with my Stork server.
> The issue I am experiencing is the new DHCP server and Stork agent are 
> NAT'ed from the Stork server. From a network perspective this is not an 
> issue as I have allowed the Stork server to communicate with the new 
> Stork agent on the NAT'ed address. This traffic works fine and reaches 
> the Stork agent. The issue is that the Stork agent generates its own SSL 
> key and certificate based on the real IP address (private IP) of the 
> machine and when my Stork server initiates communication to the Stork 
> agent I get the following logged error on my Stork server
> 
> level="warning" msg="failed to get state from agent $public_IP:8081: 
> grpc manager is unable to re-establish connection with the agent 
> $public_IP:8081: rpc error: code = Unavailable desc = connection error: 
> desc = \"transport: authentication handshake failed: x509: certificate 
> is valid for $private_IP, not $public_IP\"" file=" statepuller.go:247 "
> 
> Basically, the agent certificate is configured for the local IP address 
> but the server is communicating with the NAT'ed address and therefore 
> rejects the certificate because the address does not match.
> 
> I have been spending time trying different solutions for the agent to 
> use my own SSL key/cert files but I cannot seem to get the agent to use 
> anything other than the ones it generates on its own. I even tried 
> overwriting the key/cert files but they get automatically regenerated. 
> When I tried making the files immutable, then the agent won't start at 
> all with an error that the SSL key/cert files are not able to be 
> regenerated. The only open bug I could find that is somewhat close to 
> this issue is https://gitlab.isc.org/isc-projects/stork/-/issues/478 
> but it is not exactly my problem.
> 
> Stork agent version: 2.0.1.250218103538
> Stork agent on Ubuntu 24.04 LTS
> Stork agent installed via ISC Cloudsmith repository
> 
> 
> I've tried specifying configs in the agent.env file like 
> "STORK_AGENT_CLIENT_CERT=/path/to/file" and 
> "STORK_AGENT_CLIENT_KEY=/path/to/file" but it seems to have no effect 
> after restarting the Stork agent. No matter what I have tried the Stork 
> agent always seems to use its own generated SSL files.
> 
> I have seen the stork-tool command but that appears to just be for the 
> Stork server and not the agent.
> 
> Is there a way to tell my Stork agent to use my own SSL key/cert files 
> instead? Or is there a way to tell my Stork agent to add an extra IP 
> address to the "Altnames" field of the certificate it generates?
> 
> Thanks!
> 
> 
> 
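The warning quoted above is Go's x509 hostname-mismatch text, which is why re-registering with the public address fixes it: the address given at registration becomes the IP SAN the server's TLS client compares against the address it dials. The following Go program is an added illustration, not Stork code; `newAgentCert` and `SANCheck` are names chosen here, and the addresses are constructed RFC 1918 / RFC 5737 placeholders rather than values from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// newAgentCert builds a self-signed certificate whose only SANs are the
// given IP addresses, the shape of the agent certificate in this thread.
func newAgentCert(ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range ips {
		// net.ParseIP returns nil for anything that is not an IP literal.
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SANCheck runs the x509 hostname check the server's TLS client performs when
// it dials dialAddr, against a certificate whose IP SANs are ips. It returns
// the error text ("" when the check passes): "certificate is valid for X, not Y".
func SANCheck(dialAddr string, ips ...string) string {
	cert, err := newAgentCert(ips...)
	if err != nil {
		return err.Error()
	}
	if err := cert.VerifyHostname(dialAddr); err != nil {
		return err.Error()
	}
	return ""
}
```

Calling `SANCheck("203.0.113.10", "10.0.0.5")` reproduces the logged mismatch, while `SANCheck("203.0.113.10", "203.0.113.10")` passes, as does a certificate listing both addresses.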
