On 30.06.23 at 12:16, Stefan G. Weichinger wrote:

After some more restarting and re-registering currently stork looks good.

I assume currently the stork-agents talk to the kea-ctrl-agents unencrypted ... I am not 100% sure yet.

Tested flipping this:

kea-ctrl-agent.conf:"cert-required": false

to true

When doing this, the stork-agent has issues trusting the cert:

Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30" level="error" msg="Problem fetching stats from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown certificate authority\nproblem sending POST to https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem getting stats from Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594" file=" promkeaexporter.go:841 "
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30" level="error" msg="Some errors were encountered while collecting stats from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown certificate authority\nproblem sending POST to https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem getting stats from Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594" file=" promkeaexporter.go:712 "
Jun 30 13:07:34 adc1 kea-ctrl-agent[759731]: INFO HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 10.0.0.231 failed with certificate verify failed


And this while the agent.env has:

STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true

So I have to figure out how to make the stork-agent trust that cert.

Do I have to modify /var/lib/stork-agent/certs/ca.pem?

As far as I understand the files there are generated while registering the stork-agent.

thanks for any help, I think I am close to getting this right

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users