Stefan,

Make sure that when you change the password, you also change it in Stork and in the HA hook config on each daemon of each server.

I am not aware of documentation from ISC for generating certificates, but here is an article I found that should get you started: https://node-security.com/posts/openssl-creating-a-ca/

You will want to make a CA in this case, and not just self-signed certificates. Make sure if you make the certificates for IP and not hostname, that you add the IP to the SAN field of the certificates.

Here's an article from Red Hat about trusting the CA on each host: https://www.redhat.com/sysadmin/ca-certificates-cli Even if you're not in Red Hat-land, it'll get you started.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Stefan G. Weichinger <li...@xunil.at>
Sent: Tuesday, June 27, 2023 2:57 AM
To: Eric Graham <eric.gra...@vantagepnt.com>; kea-users@lists.isc.org <kea-users@lists.isc.org>
Cc: Darren Ankney <darren.ank...@gmail.com>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

On 23.06.23 at 17:34, Eric Graham wrote:
> Stefan,
>
> Please be aware that you posted a password in your control agent config.
> I strongly recommend replacing it.
>
> You may prefer to put the socket in /var. Cleaning of /tmp is
> distro-dependent behavior. You'll need to make that change (to the
> socket path) in the control agent and DHCP configs on both servers.
> Stork will pick up the change automatically (without any config
> changes), but the agent may need a restart, as well as all Kea services.

Changed the socket path, we'll see if that improves stability.

Changing the password didn't work yet, I had to roll back. I'll try that again later.

I have basic-auth in place, but no TLS enabled yet.

This might be the time to add this also, although the 2 machines run in a rather protected environment. It's just better, and state of the art, to use TLS ...

Any pointers to the kea-docs on how to generate working certs? I assume they could be rather dummy style ...

thanks, regards, Stefan
--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users