Thanks Rick and Darren, > Is the CA listening on localhost (127.0.0.1 or ::1 if IPv6) and port 8000? Yes. Apologies, I may be remiss in that I tried to oversimplify things in how I stated my question by having one server connect to its own CA through local but the result is likewise when either server tried to connect to each other matching the ip address and port defined in conf.
> if you configure your CA to use TLS, you will also need to specify —ca arg to kea-shell Thank you for your broad memory! Yes, this is at least where things are partially wrong. This error I noted in micetro as well "wrong version number" $ sudo kea-shell --host x.x.x.x --port 8000 --auth-user kea_user --auth-password "badpassword" --ca /Certificate_Autority.pem Failed to run: <urlopen error [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1007)> and the following logs: 2024-01-09 21:11:13.379 INFO [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with http request 2024-01-09 21:11:35.947 INFO [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with http request 2024-01-09 21:18:40.074 INFO [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with x.x.x.x failed with sslv3 alert bad certificate 2024-01-09 21:19:13.815 INFO [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (unknown address) failed with tlsv1 alert unknown ca 2024-01-09 21:20:13.606 INFO [kea-ctrl-agent.http/7866] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with (unknown address) failed with sslv3 alert bad certificate I assume this is why with Darren's advice working with the socket is fine but curl nets me "Empty reply from server" I am using a basic self signed cert with its own root Authority. I thought this might be outside yalls scope and I've been working with open ssl to make something that seems to be working great with the openssl miniserver and is working well enough that the TLS on the heartbeats kea seem to be fine. Not certain I understand SSL well enough to see why my certs would be TSLv1, but I am using the following script to quickly generate the certs. Anyone know openssl well enough to see if this is wrong somehow? #!/usr/bin/env bash # ca_for_kea.sh cafile=Certificate_Authority caname=RootCA basedn="/O=org.org" mybase="keacrt" create_ca() { # create CA certificate with 4096bit rsa key, 1826 days = 5 years local args_create_ca=( -passout pass:Y5LGYJgFBSZZ75 -newkey rsa:4096 -aes256 -keyout "$mybase/$cafile.key" -x509 -new -sha256 -days 1826 -subj "$basedn/CN=$caname" -addext "keyUsage=critical,keyCertSign" -addext "basicConstraints=critical,CA:true,pathlen:0" -out "$mybase/$cafile.pem" ) openssl req "${args_create_ca[@]}" } create_endpoint() { # create certificate for service local mycertbase="$1" mykeyfile="$2" mycert="$3" myalts="$4" local args_create_endpoint=( -out "$mybase/${mycertbase}.csr" -keyout "$mybase/$mykeyfile" -subj "$basedn/CN=$mycert" -addext "subjectAltName=$myalts" -addext "subjectKeyIdentifier=hash" -addext "keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" -addext "extendedKeyUsage=serverAuth,clientAuth" -addext "basicConstraints=CA:FALSE" -nodes -newkey rsa:2048 ) openssl req "${args_create_endpoint[@]}" } sign_endpoint() { local certbase="$1" local args_sign_endpoint=( -req -passin pass:Y5LGYJgFBSZZ75 -CA "$mybase/$cafile.pem" -CAkey "$mybase/$cafile.key" -in "$mybase/$certbase.csr" -out "$mybase/$certbase.pem" -CAcreateserial -days 730 -sha256 -copy_extensions copyall ) openssl x509 "${args_sign_endpoint[@]}" } # main mkdir -p "$mybase" create_ca myserver=kea1.org.org create_endpoint ca1_cert ca1_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.1" sign_endpoint ca1_cert rm "$mybase/ca1_cert.csr" dhcp1_cert=dhcp1_cert create_endpoint "$dhcp1_cert" dhcp1_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.1" sign_endpoint "$dhcp1_cert" rm "$mybase/$dhcp1_cert.csr" myserver=kea2.org.org create_endpoint ca2_cert ca2_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.2" sign_endpoint ca2_cert rm "$mybase/ca2_cert.csr" dhcp2_cert=dhcp2_cert create_endpoint "$dhcp2_cert" dhcp2_key.pem "$myserver" "DNS:$myserver,IP:x.x.x.2" sign_endpoint "$dhcp2_cert" rm "$mybase/$dhcp2_cert.csr" CS, cs.temp.m...@gmail.com On Tue, 9 Jan 2024 at 02:55, Darren Ankney <darren.ank...@gmail.com> wrote: > Hi, > > You may also want to start at the Kea server and work backwards. You > can talk directly to the Kea server as described here: > > https://kea.readthedocs.io/en/kea-2.4.1/arm/ctrl-channel.html#using-the-control-channel > by doing something like: > > echo '{"command": "config-get"}' | sudo socat > UNIX:/path/to/the/kea/socket -,ignoreeof | jq > > The "jq" portion is optional but nicely formats the json result. > > "/path/to/the/kea/socket" would be the socket as specified in your > dhcp4 configuration file. > > If that works, then you can try sending the same thing to the control > agent using curl. Something like this: > > curl -X POST -H "Content-Type: application/json" -d '{ "command": > "config-get", "service": [ "dhcp4" ] }' http://ca.example.org:8000/ > > replace "http://ca.example.org:8000/" with the correct url (e.g., > https://127.0.0.1:8000/). You may need to consult the curl > documentation if using ssl. > > curl might give a more descriptive error message. > > Thank you, > > Darren Ankney > > On Mon, Jan 8, 2024 at 11:00 PM Rick Frey <grib...@gmail.com> wrote: > > > > Connection refused would indicate that kea-shell is unable to connect to > specified address and port. First step would be to verify the CA is > listening on the address and port you are specifying as args to kea-shell. > Is the CA listening on localhost (127.0.0.1 or ::1 if IPv6) and port 8000? > > In an earlier thread around CA connectivity issues, your redacted config > for the CA indicated you were specifying an address using directive > http-address. See Kea Docs ( > https://kea.readthedocs.io/en/kea-2.4.1/arm/agent.html#configuration for > info on CA http-address and http-port. If you are specifying http-address > and/or http-port for CA, the kea-shell args for —host and —port must match. > > > > Note that if you configure your CA to use TLS, you will also need to > specify —ca arg to kea-shell (see > https://kea.readthedocs.io/en/kea-2.4.1/arm/shell.html#tls-support ). I > don’t believe there is means to ignore a cert hostname mismatch for > kea-shell (would require using a cert that contains an SAN that matches the > hostname or IP adddress used for —host arg). Mainly mentioning since your > earlier threads indicated you may be using TLS for CA as well. > > > > > > On Jan 8, 2024, at 2:30 PM, CS <cs.temp.m...@gmail.com> wrote: > > > > Still trying to get my deployment to play nice with micetro. Everything > it up and working as far as I know. Good status on the CA and DHCP4 daemons > and logging heartbeats between my HA servers leads me to believe so. > > But trying to touch the kea control agent > > > > sudo kea-shell --host localhost --port 8000 --auth-user keauser > --auth-password "bad password" --service dhcp4 list-commands > > > > <ctrl+d> > > > > Failed to run: <urlopen error [Errno 111] Connection refused> > > > > > > makes me think otherwise. Nothing gets logged to the CA or DHCP4 verbose > logs either. Just refuses the connection... am I missing something simple? > > > > CS, cs.temp.m...@gmail.com > > -- > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users. > > > > Kea-users mailing list > > Kea-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/kea-users > > > > > > -- > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users. > > > > Kea-users mailing list > > Kea-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/kea-users > -- > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users. > > Kea-users mailing list > Kea-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/kea-users >
-- ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users. Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users