Stefan,
I've been down this road and the short answer is to not bother trying to use
the various options to skip certificate verification. Those settings don't do
what you (I) think they do, and it's easier to just make the certs work.
When you generate the certificates under your CA, add the IP address of each
server as an IP SAN. For example, given a key, CA, and CSR, this is how I make
a certificate:
HOSTNAME='1.2.3.4'
openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt -CAkey cakey.pem \
  -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN \
  -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")
In my case, I only care to make the certificate work for IP address, so you'll
need to adjust the various options (obviously). When you're done, use the
-print option to openssl on ${HOSTNAME}.crt to double check that the SAN is
added.
Then, double-double check that the CA is imported on both Kea servers, the
Stork server, and since you mentioned Docker - also inside any containerized
version of the aforementioned.
Again, I don't change any of the verification settings, nor any of the
certificates except the ones that I created for Kea to use. Hope this helps.
Eric Graham
DevOps Specialist
Direct: 605.990.1859
[email protected]
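To see why the IP SAN matters for the "certificate verify failed" case in the quoted logs, here is an added shell example (not from either mail, nor from Kea or Stork): it builds a throwaway CA, signs the same CSR once with an IP SAN and once without, and runs the chain-plus-IP check that a TLS client such as the Stork agent performs. The address 10.0.0.231 is taken from the quoted logs; the CA, the san.cnf extfile and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: throwaway CA and two server certs for
# the address from the quoted logs, one with an IP SAN and one without.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IP='10.0.0.231'   # constructed sample value; use the Kea server's real address
cd "$WORK"

# Throwaway CA (a real deployment uses the CA already trusted by Stork/Kea)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=test-ca' -keyout ca.key -out ca.crt >/dev/null 2>&1

# Server key and CSR; note that CN=<ip> alone does not satisfy IP verification
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=${IP}" -keyout "${IP}.key" -out "${IP}.csr" >/dev/null 2>&1

# Sign with an IP SAN; the extfile is a plain file so this stays POSIX sh
printf '[SAN]\nsubjectAltName=IP:%s\n' "$IP" > san.cnf
openssl x509 -req -sha256 -days 1 -in "${IP}.csr" -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out with-san.crt -extensions SAN -extfile san.cnf 2>/dev/null
# Same CSR signed without the SAN: the "certificate verify failed" case
openssl x509 -req -sha256 -days 1 -in "${IP}.csr" -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out no-san.crt 2>/dev/null

# Returns 0 when certificate $1 carries an IP SAN equal to $2
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | grep -q "IP Address:$2\$"
}

# Returns 0 when $1 chains to ca.crt AND matches IP $2, as a TLS client checks
verify_for_ip() {
  openssl verify -CAfile ca.crt -verify_ip "$2" "$1" >/dev/null 2>&1
}

cert_has_ip_san with-san.crt "$IP" && echo "with-san.crt: IP SAN present"
verify_for_ip with-san.crt "$IP" && echo "with-san.crt: verifies for $IP"
verify_for_ip no-san.crt "$IP" || echo "no-san.crt: rejected for $IP (expected)"
```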
________________________________
From: Kea-users <[email protected]> on behalf of Stefan G.
Weichinger <[email protected]>
Sent: Friday, June 30, 2023 6:13 AM
To: [email protected] <[email protected]>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork
and dhcp4 gets lost
On 30.06.23 at 12:16, Stefan G. Weichinger wrote:
>
> After some more restarting and re-registering currently stork looks good.
>
> I assume currently the stork-agents talk to the kea-ctrl-agents
> unencrypted ... I am not 100% sure yet.
Tested flipping this:
kea-ctrl-agent.conf:"cert-required": false
to true
When doing this, the stork-agent has issues trusting the cert:
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Problem fetching stats from Kea: Post
\"https://10.0.0.231:8000/\": remote error: tls: unknown certificate
authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file=" promkeaexporter.go:841 "
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Some errors were encountered while collecting stats
from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown
certificate authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file=" promkeaexporter.go:712 "
Jun 30 13:07:34 adc1 kea-ctrl-agent[759731]: INFO
HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 10.0.0.231 failed
with certificate verify failed
And this while the agent.env has:
STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true
So I have to figure out how to make the stork-agent trust that cert.
Do I have to modify /var/lib/stork-agent/certs/ca.pem?
As far as I understand the files there are generated while registering
the stork-agent.
Thanks for any help; I think I am close to getting this right.
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/kea-users