Hi Jason,

I am, by no means, an expert on TLS, but I will try to help.  I think
you should try to get one thing working at a time.  First, perhaps,
try to secure the HA partner communication.  After you have that
working, only then try to secure the Stork communication.  The two
things are unrelated and changing too much at once is a recipe for
disaster.

I don't think the HA communication will care what port you use for
TLS.  It might not be possible to use a wildcard cert you obtained
from a browser, however, as all of the information needed to verify
the cert may not be available (your browser has built in trusted certs
to create a chain of trust that Kea won't have, I think).  It is best
to use a self-signed cert, at least to start with, to understand the
process.  You can create a self-signed cert with OpenSSL.

Thank you,
Darren Ankney
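[Editor's note: the following is an added example, not code from Darren, Jason or ISC. It shows the "self-signed cert with OpenSSL" route described above, taken one step further into a throwaway private CA that issues one cert per HA node, and it reproduces the chain-of-trust failure Darren describes: a self-signed certificate the CA never issued (standing in for the browser-obtained wildcard) does not verify against the CA file Kea would be given. The hostnames kea1/kea2.example.net, the 192.0.2.x addresses, the /etc/kea/certs prefix and port 8000 are assumptions for illustration. The TLS keys in the peer fragment (trust-anchor, cert-file, key-file, cert-required) are the ones the Kea ARM documents for the HA hook and the Control Agent; check them against the ARM for the Kea version in use.]

```shell
#!/bin/sh
# Added example (not Kea's or ISC's own tooling): a throwaway private CA for
# Kea HA / Control Agent TLS, built with the openssl CLI. Hostnames,
# addresses and the /etc/kea/certs prefix are assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CURVE=prime256v1   # ECDSA P-256: fast to generate, fine for Kea's TLS

# write_cnf DIR: minimal openssl config so the example does not depend on
# the distribution's openssl.cnf. The dn section is a placeholder; -subj
# overrides it, but openssl req still insists that the section exists.
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA; its certificate is what goes in "trust-anchor".
make_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt "ec_paramgen_curve:$CURVE" -nodes \
    -days 3650 -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=kea-lab-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME HOST IP: key + CSR for one HA node, signed by the CA.
# The SAN must cover whatever the peer "url" uses (name and/or address), and
# the cert carries both serverAuth and clientAuth because an HA node is a TLS
# server to its partner and a TLS client when it calls the partner.
issue_cert() {
  dir="$1"; name="$2"; host="$3"; ip="$4"
  openssl req -new -newkey ec -pkeyopt "ec_paramgen_curve:$CURVE" -nodes \
    -config "$dir/openssl.cnf" -subj "/CN=$host" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$host,IP:$ip
EOF
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# make_rogue DIR: a self-signed cert our CA never issued (stands in for the
# browser-obtained wildcard cert). It must NOT verify against ca.crt.
make_rogue() {
  openssl req -x509 -new -newkey ec -pkeyopt "ec_paramgen_curve:$CURVE" -nodes \
    -days 30 -config "$1/openssl.cnf" -subj "/CN=*.example.net" \
    -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

# verify_cert CAFILE CERT: the chain check a "trust-anchor" implies.
# Returns 0 if CERT chains to CAFILE, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# peer_fragment NAME ROLE HOST: one entry for the HA hook's "peers" list,
# using the TLS keys documented in the Kea ARM (assumed paths under
# /etc/kea/certs). Check the key names against your Kea version.
peer_fragment() {
  printf '{ "name": "%s", "role": "%s", "url": "https://%s:8000/",\n' "$1" "$2" "$3"
  printf '  "trust-anchor": "/etc/kea/certs/ca.crt",\n'
  printf '  "cert-file": "/etc/kea/certs/%s.crt", "key-file": "/etc/kea/certs/%s.key",\n' "$1" "$1"
  printf '  "cert-required": true }\n'
}

write_cnf "$WORKDIR"
make_ca "$WORKDIR"
issue_cert "$WORKDIR" server1 kea1.example.net 192.0.2.1
issue_cert "$WORKDIR" server2 kea2.example.net 192.0.2.2
make_rogue "$WORKDIR"

for n in server1 server2 rogue; do
  if verify_cert "$WORKDIR/ca.crt" "$WORKDIR/$n.crt"; then
    echo "$n.crt: chains to ca.crt"
  else
    echo "$n.crt: NOT trusted by ca.crt (the wildcard-cert failure mode)"
  fi
done
peer_fragment server1 primary kea1.example.net
```

Usage: run the script as-is to see server1 and server2 verify and rogue fail, then copy ca.crt plus each node's own .crt/.key to that node (never copy ca.key off the machine that signs) and use the printed fragment, with the real URL and role, for each entry in the HA hook's "peers" list. The port in the https URL is whatever the peer's listener is bound to; the chain check does not depend on it. The same four keys configure TLS on the Control Agent side when Stork talks to it.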

On Mon, Nov 11, 2024 at 3:44 PM Jason Bailey via Kea-users
<kea-users@lists.isc.org> wrote:
>
> Hi all,
>
>
> I'm trying to turn up a new Kea cluster in hot standby mode (with Stork) and 
> everything is working as expected EXCEPT TLS support. I can't get TLS working 
> to Stork and I can't get TLS working between HA nodes. Log output doesn't 
> give me much.
>
>
> I was attempting to use a pre-existing certificate, but it doesn't appear to 
> be working. It's a wildcard and I was attempting to use it for both primary 
> and standby servers. I assume the URI in the config (for the control agent or 
> the Kea HA config) should read "https" instead of "http" -- and would be port 
> 443 instead of 8000 or 8080, correct? Or is forcing TLS over 8000 or 8080 the 
> better way to go?
>
>
> I've also tried using a reverse proxy through Apache (again, using the 
> wildcard certificates) and couldn't get it to work. Throughout the entire 
> exercise, Stork would show HA status as "unavailable" (primary) or "failed" 
> (secondary). I've also played with disabling client certificate 
> verification/validation.
>
>
> I've not yet tried setting up a custom CA with custom certificates for each 
> server. I'd like to verify I'm not missing any fundamentals before I attempt 
> this, but not wholly against trying. I've read through as many docs as I 
> could find, but it appears I'm missing something.
>
>
> Are there some practical recommendations or best practice guides for TLS 
> setup outside the Kea ARM?
>
>
> Best,
>
>
> Jason
>
> --
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users