Hi Jason, I am, by no means, an expert on TLS, but I will try to help. I think you should try to get one thing working at a time. First, perhaps, try to secure the HA partner communication. After you have that working, only then try to secure the Stork communication. The two things are unrelated and changing too much at once is a recipe for disaster.
I don't think the HA communication will care what port you use for TLS. It might not be possible to use a wildcard cert you obtained from a browser, however, as all of the information needed to verify the cert may not be available (your browser has built-in trusted certs to create a chain of trust that Kea won't have, I think). It is best to use a self-signed cert, at least to start with, to understand the process. You can create a self-signed cert with OpenSSL.

Thank you,

Darren Ankney

On Mon, Nov 11, 2024 at 3:44 PM Jason Bailey via Kea-users <kea-users@lists.isc.org> wrote:
>
> Hi all,
>
> I'm trying to turn up a new Kea cluster in hot standby mode (with Stork) and
> everything is working as expected EXCEPT TLS support. I can't get TLS working
> to Stork and I can't get TLS working between HA nodes. Log output doesn't
> give me much.
>
> I was attempting to use a pre-existing certificate, but it doesn't appear to
> be working. It's a wildcard and I was attempting to use it for both primary
> and standby servers. I assume the URI in the config (for the control agent or
> the Kea HA config) should read "https" instead of "http" -- and would be port
> 443 instead of 8000 or 8080, correct? Or is forcing TLS over 8000 or 8080 the
> better way to go?
>
> I've also tried using a reverse proxy through Apache (again, using the
> wildcard certificates) and couldn't get it to work. Throughout the entire
> exercise, Stork would show HA status as "unavailable" (primary) or "failed"
> (secondary). I've also played with disabling client certificate
> verification/validation.
>
> I've not yet tried setting up a custom CA with custom certificates for each
> server. I'd like to verify I'm not missing any fundamentals before I attempt
> this, but not wholly against trying. I've read through as many docs as I
> could find, but it appears I'm missing something.
>
> Are there some practical recommendations or best practice guides for TLS
> setup outside the Kea ARM?
>
> Best,
>
> Jason
>
> *Confidentiality Notice* This email message may contain legally privileged
> and/or confidential information. If you are not the intended recipient(s),
> you are hereby notified that any dissemination, distribution or copying of
> this email message is strictly prohibited. If you have received this email in
> error, please immediately notify the sender and delete this email message
> from your computer.
> --
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
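The step Darren recommends (a private CA you create yourself with OpenSSL, then one certificate per HA server, which is also the "custom CA with custom certificates for each server" Jason has not yet tried) as an added example. This is not code from the thread, from ISC or from Kea; it is a POSIX shell script that assumes OpenSSL 1.1.1 or later on PATH, and the host names kea-primary.example / kea-standby.example, the directory ./kea-certs and port 8000 are placeholders. Each peer certificate carries a DNS subjectAltName plus both serverAuth and clientAuth, because an HA peer is a TLS server for its partner and a TLS client to it; the verify step is the chain-and-name check to run before touching Kea, with the same ca.crt you would later hand to Kea as the trust anchor, so a certificate whose issuer chain or name does not fit fails here with a readable reason rather than in Kea's log.

```shell
#!/bin/sh
# Added example (not from the kea-users thread, ISC or Kea). Builds a throwaway
# private CA and one leaf certificate per HA peer. Extensions come from explicit
# ext files via "x509 -req", not from whatever openssl.cnf the host ships with.
# Assumptions: openssl >= 1.1.1; host names, directory and port are placeholders.
set -eu

CERT_DIR="${CERT_DIR:-./kea-certs}"
CA_DAYS=3650
PEER_DAYS=825

# Self-signed root with CA:TRUE. Without basicConstraints a v3 self-signed cert
# is rejected as a trust anchor by openssl verify ("invalid CA certificate").
make_ca() {
  mkdir -p "$CERT_DIR"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Kea HA private CA" \
    -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$CERT_DIR/ca.ext"
  openssl x509 -req -in "$CERT_DIR/ca.csr" -signkey "$CERT_DIR/ca.key" \
    -days "$CA_DAYS" -extfile "$CERT_DIR/ca.ext" -out "$CERT_DIR/ca.crt" 2>/dev/null
  chmod 600 "$CERT_DIR/ca.key"
  rm -f "$CERT_DIR/ca.csr" "$CERT_DIR/ca.ext"
}

# Leaf certificate for one peer. $1 is the DNS name used in that peer's URL.
make_peer_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$CERT_DIR/$host.key" -out "$CERT_DIR/$host.csr" 2>/dev/null
  # "x509 -req" does not copy extensions out of the CSR, so supply them here.
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "subjectAltName=DNS:$host" \
    "extendedKeyUsage=serverAuth,clientAuth" > "$CERT_DIR/$host.ext"
  openssl x509 -req -in "$CERT_DIR/$host.csr" -days "$PEER_DAYS" \
    -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -extfile "$CERT_DIR/$host.ext" -out "$CERT_DIR/$host.crt" 2>/dev/null
  chmod 600 "$CERT_DIR/$host.key"
  rm -f "$CERT_DIR/$host.csr" "$CERT_DIR/$host.ext"
}

# Does the cert in $2 (default: $1's own) chain to ca.crt AND name $1 in its SAN?
# Returns non-zero on a broken chain or a name mismatch (e.g. the wrong peer's cert).
verify_peer_cert() {
  host="$1"
  cert="${2:-$CERT_DIR/$host.crt}"
  openssl verify -CAfile "$CERT_DIR/ca.crt" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# HA peer entries ($1 = primary, $2 = standby) pointing at the files above.
# The TLS parameter names (trust-anchor, cert-file, key-file, require-client-certs)
# are the ones the Kea HA hook documents; check them against the ARM for your
# Kea version, and use absolute paths in a real deployment.
write_ha_peers_fragment() {
  cat > "$CERT_DIR/ha-peers.json" <<EOF
{
  "this-server-name": "$1",
  "mode": "hot-standby",
  "require-client-certs": true,
  "peers": [
    { "name": "$1", "role": "primary", "url": "https://$1:8000/",
      "trust-anchor": "$CERT_DIR/ca.crt",
      "cert-file": "$CERT_DIR/$1.crt", "key-file": "$CERT_DIR/$1.key" },
    { "name": "$2", "role": "standby", "url": "https://$2:8000/",
      "trust-anchor": "$CERT_DIR/ca.crt",
      "cert-file": "$CERT_DIR/$2.crt", "key-file": "$CERT_DIR/$2.key" }
  ]
}
EOF
}

main() {
  make_ca
  make_peer_cert kea-primary.example
  make_peer_cert kea-standby.example
  verify_peer_cert kea-primary.example
  verify_peer_cert kea-standby.example
  write_ha_peers_fragment kea-primary.example kea-standby.example
  echo "certificates and ha-peers.json written to $CERT_DIR"
}

# Run the whole procedure only when invoked as: sh make-kea-certs.sh
if [ "${0##*/}" = "make-kea-certs.sh" ]; then main; fi
```

Copy ca.crt to both servers but each peer's .key only to its own host; the standby's config is the same fragment with "this-server-name" set to the standby's name. If the wildcard certificate is to be used instead, the file given as trust-anchor must contain its issuing CA chain, which is the information Darren notes a browser has built in and Kea does not.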