Hi all,

I'm trying to turn up a new Kea cluster in hot standby mode (with Stork) and 
everything is working as expected EXCEPT TLS support. I can't get TLS working 
to Stork and I can't get TLS working between HA nodes. Log output doesn't give 
me much.


I was attempting to use a pre-existing certificate, but it doesn't appear to be 
working. It's a wildcard and I was attempting to use it for both primary and 
standby servers. I assume the URI in the config (for the control agent or the 
Kea HA config) should read "https" instead of "http" -- and would be port 443 
instead of 8000 or 8080, correct? Or is forcing TLS over 8000 or 8080 the 
better way to go?


I've also tried using a reverse proxy through Apache (again, using the wildcard 
certificates) and couldn't get it to work. Throughout the entire exercise, 
Stork would show HA status as "unavailable" (primary) or "failed" (secondary). 
I've also played with disabling client certificate verification/validation.


I've not yet tried setting up a custom CA with custom certificates for each 
server. I'd like to verify I'm not missing any fundamentals before I attempt 
this, but not wholly against trying. I've read through as many docs as I could 
find, but it appears I'm missing something.


Are there some practical recommendations or best practice guides for TLS setup 
outside the Kea ARM?


Best,

Jason


Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
