Hi Kraishak,

As what user are you running Kea?  Perhaps it cannot open the cert
files located in `/root/`?  If you installed from ISC-provided
packages, the default user is _kea (if started from systemd).

Thank you,

Darren Ankney
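
Both causes raised in this thread, TLS files under `/root/` that the Kea user cannot reach and a `.csr` configured as `cert-file`, can be checked before the server is started. The following is an added example, not part of the thread and not Kea code: `first_blocked`, `check_tls_files` and `build_sample` are hypothetical helper names, the sample files are constructed placeholders, and only classic mode bits are examined.

```python
import os
import re
import stat
import tempfile

# Setting -> PEM labels accepted for it (this checker's assumption, not Kea's code).
EXPECTED = {"trust-anchor": {"CERTIFICATE"}, "cert-file": {"CERTIFICATE"},
            "key-file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def first_blocked(path, uid, gids=()):
    """First path component uid cannot traverse/read, else None (mode bits only, no ACLs)."""
    chain = [os.path.abspath(path)]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for comp in reversed(chain):  # walk from / down to the file itself
        st = os.stat(comp)
        want = 1 if stat.S_ISDIR(st.st_mode) else 4  # x on directories, r on the file
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        if uid != 0 and not (st.st_mode >> shift) & want:
            return comp
    return None

def check_tls_files(cfg, uid, gids=()):
    """Problems with the three TLS settings as seen by uid; empty list means OK."""
    problems = []
    for key, allowed in EXPECTED.items():
        blocked = first_blocked(cfg[key], uid, gids)
        if blocked:
            problems.append(f"{key}: uid {uid} cannot access {blocked}")
            continue
        with open(cfg[key], encoding="latin-1") as fh:
            labels = set(BEGIN_RE.findall(fh.read()))
        if not labels & allowed:
            problems.append(f"{key}: {cfg[key]} holds {sorted(labels) or 'no PEM object'}")
    return problems

def build_sample(d):
    """Constructed placeholder files (no real key material); cert-file points at a CSR."""
    names = {"ca.crt": "CERTIFICATE", "srv.csr": "CERTIFICATE REQUEST", "srv.key": "PRIVATE KEY"}
    for name, label in names.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")
    return {"trust-anchor": os.path.join(d, "ca.crt"),
            "cert-file": os.path.join(d, "srv.csr"), "key-file": os.path.join(d, "srv.key")}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # created 0700, like /root
        cfg = build_sample(d)
        # First list: owner sees only the CSR problem. Second: another uid is blocked.
        print([check_tls_files(cfg, os.getuid() + n) for n in (0, 1)])
```

Run it as root against the real paths, passing the uid of the account Kea runs as (for example the output of `id -u _kea`).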

On Wed, Jun 28, 2023 at 7:44 AM Kraishak Mahtha <kraishak....@gmail.com> wrote:
>
> Hi Darren,
>
> I am deploying in my lab currently, but when we get more familiar we will
> proceed with production. Yes, I tried even with 2.3.8 and I am facing an
> issue. I thought it could be because of my certificates, and when I was
> reading more on this I saw a note in the reference document that
> "A sample set of certificates and associated objects is available at
> src/lib/asiolink/testutils/ca".
> I have downloaded the source from Git, and from the folder
> kea-master\kea-master\src\lib\asiolink\testutils\ca I used the following
> certificates:
>   "trust-anchor": "/root/kea-server.crt"
>   "cert-file": "/root/kea-server.csr"
>   "key-file": "/root/kea-server.key"
>
> But with this, I am getting the following error:
> 11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080] 
> HOOKS_STD_CALLOUT_REGISTERED hooks library 
> /opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard callout for hook 
> leases4_committed at address 0x7fc05b249e70
> 2023-06-28 11:33:40.413 ERROR [kea-dhcp4.ha-hooks/13148.140464316582080] 
> HA_CONFIGURATION_FAILED failed to configure High Availability hooks library: 
> bad TLS config for server dhcp1: load of cert file '/root/kea-server.csr' 
> failed: no start line
>
>
> Thanks
>
> On Wed, Jun 28, 2023 at 3:47 PM Darren Ankney <darren.ank...@gmail.com> wrote:
>>
>> Hi Kraishak,
>>
>> When are you deploying?  You may want to test with 2.3.8 as the
>> release of the next stable (2.4.0) is coming soon.  As for certificate
>> use, I am not an expert in that area, but I believe that the .pem
>> format is most common and correct.
>>
>> Thank you,
>>
>> Darren Ankney
>>
>> On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha <kraishak....@gmail.com> 
>> wrote:
>> >
>> > Hi Darren,
>> > Thank you for the suggestion. I forgot to mention, I am using the Kea
>> > 2.2.0 version, the last stable one (yes, as it's the latest version compared
>> > to 2.17), we don't need kea-control agents and I am using HA+MT; I don't
>> > have a dependency on kea-control agent on any of the peer servers.
>> >
>> > I have one more doubt about the certificate type to be used. In the Kea
>> > 2.2.0 document, the document says "Objects in files must be in the PEM
>> > format" under section 23.1.2 TLS/HTTPS Configuration.
>> > I also checked the example configs in the reference documents, and most of
>> > them show .pem files for all three attributes:
>> >   "trust-anchor": "/usr/lib/kea/CA.pem",
>> >   "cert-file": "/usr/lib/kea/server1_cert.pem",
>> >   "key-file": "/usr/lib/kea/server1_key.pem"
>> >
>> > 1) So my doubt is: should all three certificates be in .pem format?
>> >
>> > Asking this because while I was reading about the certificate content, at
>> > one of the places it says "The sample set of the certificates are
>> > available at src/lib/asiolink/testutils/ca" kea source folder, and when I
>> > look there I don't see .pem files.
>> > I just want to test with those sample certificates to rule out whether the
>> > issue is either with the environment setup or with my certificates.
>> >
>> > Thanks
>> >
>> > On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney <darren.ank...@gmail.com> 
>> > wrote:
>> >>
>> >> Hi Kraishak,
>> >>
>> >> In the latest 2.3.8 ARM, the full quote is:
>> >>
>> >> "Before Kea 2.1.7 using HTTPS in the HA setup required use of the
>> >> Control Agent on all peers."
>> >>
>> >> followed by:
>> >>
>> >> "Since Kea 2.1.7 the HTTPS server side is supported:"
>> >>
>> >> see https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support
>> >> for full details.
>> >>
>> >> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha <kraishak....@gmail.com> 
>> >> wrote:
>> >> >
>> >> > Hi, I am using the kea-failover peer with multi-threading enabled (HA+MT),
>> >> > so hence I am not using the control-agent and using it directly, and
>> >> > everything is working fine as expected.
>> >> > Here now I am trying to use TLS with certificates configured but it
>> >> > does not seem to work as expected. When I was reading more on the
>> >> > certificates section I saw a line saying "using HTTPS in the HA setup
>> >> > required use of the Control Agent on all peers", so just to rule out my
>> >> > issue with certificates, do we need to use/configure the Control Agent on
>> >> > all peers for TLS even after enabling multi-threading?
>> >> >
>> >> > Thanks in Advance
>> >> > Kraishak
>> >> >
>> >> > --
>> >> > ISC funds the development of this software with paid support 
>> >> > subscriptions. Contact us at https://www.isc.org/contact/ for more 
>> >> > information.
>> >> >
>> >> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>> >> >
>> >> > Kea-users mailing list
>> >> > Kea-users@lists.isc.org
>> >> > https://lists.isc.org/mailman/listinfo/kea-users