Hi Kraishak,

As what user are you running Kea? Perhaps it cannot open the cert files located in `/root/`? If you installed from ISC provided packages, default user is _kea (if started from systemd).

Thank you,

Darren Ankney

On Wed, Jun 28, 2023 at 7:44 AM Kraishak Mahtha <kraishak....@gmail.com> wrote:
>
> Hi Darren,
>
> I am deploying at my lab currently but, when we get more familiar we will
> proceed with production. I tried yes even with 2.3.8 and I am facing an
> issue, I thought it could be because of my certificates, and when I am
> reading more on this I saw a note in the reference document that
> "A sample set of certificates and associated objects is available at
> src/lib/asiolink/testutils/ca".
> I have downloaded the source from GIT and from the folder
> kea-master\kea-master\src\lib\asiolink\testutils\ca I used the following
> certificates as follows
> "trust-anchor": "/root/kea-server.crt"
> "cert-file": "/root/kea-server.csr"
> "key-file": "/root/kea-server.key"
>
> But with this, I am getting the following error
> 11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080]
> HOOKS_STD_CALLOUT_REGISTERED hooks library
> /opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard callout for hook
> leases4_committed at address 0x7fc05b249e70
> 2023-06-28 11:33:40.413 ERROR [kea-dhcp4.ha-hooks/13148.140464316582080]
> HA_CONFIGURATION_FAILED failed to configure High Availability hooks library:
> bad TLS config for server dhcp1: load of cert file '/root/kea-server.csr'
> failed: no start line
>
>
> Thanks
>
> On Wed, Jun 28, 2023 at 3:47 PM Darren Ankney <darren.ank...@gmail.com> wrote:
>>
>> Hi Kraishak,
>>
>> When are you deploying? You may want to test with 2.3.8 as the
>> release of the next stable (2.4.0) is coming soon. As for certificate
>> use, I am not an expert in that area, but I believe that the .pem
>> format is most common and correct.
>>
>> Thank you,
>>
>> Darren Ankney
>>
>> On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha <kraishak....@gmail.com>
>> wrote:
>> >
>> > Hi Darren,
>> > Thank you for the suggestion.
>> > I forgot to mention, I am using the kea
>> > 2.2.0 version the last stable one (Yes as it's the latest version compared
>> > to 2.17 ) we don't need kea-control agents and I am using HA+MT I don't
>> > have dependency on kea-control agent on any of the peer-servers
>> >
>> > I have one more doubt about the certificate type to be used. In the kea
>> > 2.2.0 document, The document says "Objects in files must be in the PEM
>> > format" under section 23.1.2 TLS/HTTPS Configuration.
>> > And also I checked the examples config in reference documents, and most of
>> > them show with .pem files for all three attributes
>> > "trust-anchor": /usr/lib/kea/CA.pem,
>> > "cert-file": /usr/lib/kea/server1_cert.pem,
>> > "key-file": /usr/lib/kea/server1_key.pem
>> >
>> > 1) So my doubt is, should all three certificates be in .pem format?
>> >
>> > Asking this because while I am reading about the certificate content, at
>> > one of the places it says "The sample set of the certificates are
>> > available at src/lib/asiolink/testutils/ca kea source folder and when I
>> > see there I don't see .pem files
>> > I just want to test with that sample certificates to rule out whether the
>> > issue is either with the environment setup or with my certificates.
>> >
>> > Thanks
>> >
>> > On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney <darren.ank...@gmail.com>
>> > wrote:
>> >>
>> >> Hi Kraishak,
>> >>
>> >> In the latest 2.3.8 ARM, the full quote is:
>> >>
>> >> "Before Kea 2.1.7 using HTTPS in the HA setup required use of the
>> >> Control Agent on all peers."
>> >>
>> >> followed by:
>> >>
>> >> "Since Kea 2.1.7 the HTTPS server side is supported:"
>> >>
>> >> see https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support
>> >> for full details.
>> >>
>> >> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha <kraishak....@gmail.com>
>> >> wrote:
>> >> >
>> >> > Hi, I am using the kea-failover peer with Multi threading enabled HA+MT
>> >> > so hence I am not using the control-agent and using it directly, and
>> >> > everything is working fine as expected.
>> >> > Here now I am trying to use TLS with certificates configured but it
>> >> > does not seem to work as expected, When I was reading more on the
>> >> > certificates section I see a line saying "using HTTPS in the HA setup
>> >> > required use of the Control Agent on all peers", so just to rule out my
>> >> > issue with certificates, do we need to use/configure Control agent on
>> >> > all peer for TLS even after enabling multi-threading?
>> >> >
>> >> > Thanks in Advance
>> >> > Kraishak
>> >> >
>> >> > --
>> >> > ISC funds the development of this software with paid support
>> >> > subscriptions. Contact us at https://www.isc.org/contact/ for more
>> >> > information.
>> >> >
>> >> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>> >> >
>> >> > Kea-users mailing list
>> >> > Kea-users@lists.isc.org
>> >> > https://lists.isc.org/mailman/listinfo/kea-users
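
The two causes raised in this thread, files the Kea user cannot read and a `.csr` file failing to load as `cert-file` with "no start line", can both be checked before starting the daemon. The following Python check is an added example, not part of the original messages or of Kea; the function names and the sample files are constructed, and it assumes each parameter points at a single PEM file.

```python
import os
import re
import tempfile

# Expected PEM labels per Kea TLS parameter (assumed: standard OpenSSL labels).
EXPECTED = {
    "trust-anchor": {"CERTIFICATE"},
    "cert-file": {"CERTIFICATE"},
    "key-file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

def pem_labels(text):
    """Return the labels of all PEM BEGIN lines found in text."""
    return BEGIN_RE.findall(text)

def check_tls_files(paths):
    """Map of Kea TLS parameter -> path in; list of (parameter, problem) out."""
    problems = []
    for param, path in paths.items():
        # Checked for the user running this script, so run it as Kea's user.
        if not os.access(path, os.R_OK):
            problems.append((param, "not readable by current user"))
            continue
        with open(path, "r", errors="replace") as fh:
            labels = pem_labels(fh.read())
        if not labels:
            problems.append((param, "no PEM start line"))
        elif not EXPECTED[param] & set(labels):
            problems.append((param, "wrong PEM type: " + labels[0]))
    return problems

def demo():
    """Run the check on constructed files: a cert, a CSR and a key (dummy bodies)."""
    d = tempfile.mkdtemp()
    def put(name, label):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")
        return p
    return check_tls_files({
        "trust-anchor": put("ca.crt", "CERTIFICATE"),
        "cert-file": put("server.csr", "CERTIFICATE REQUEST"),
        "key-file": put("server.key", "PRIVATE KEY"),
    })

if __name__ == "__main__":
    print(demo())
```

Running it under the account the daemon uses (for example through `sudo -u`) makes the readability result match what Kea itself would see.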