Hi Jason,

The stork server <-> stork agent connection is already encrypted.
Stork does this by default (using self-signed certs created by the
Stork server).  The kea-ctrl-agent only needs to listen on 127.0.0.1
for the stork agent connection, so no ssl necessary there as it is all
localhost (unless you are concerned about local user eavesdropping).
The HA communication may need ssl.  This should have nothing to do
with Stork, however.  See here:
https://kea.readthedocs.io/en/latest/arm/hooks.html#https-support and
here: 
https://kea.readthedocs.io/en/latest/arm/hooks.html#multi-threaded-configuration-ha-mt

Thank you,
Darren Ankney

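As an added illustration of the certificate side of this (an example script written for this thread, not taken from the list, from Kea or from the Stork project): a POSIX shell script that creates a private CA, issues one certificate per HA peer whose subjectAltName matches the host in that peer's HA "url", and then verifies the result the way the remote side does. The names dhcp1.example.net / dhcp2.example.net and the 192.0.2.x addresses are constructed placeholders, and the file layout under $WORKDIR is an arbitrary choice. The two "fail" checks show the symptom from the original mail: a leaf certificate that is merely self-signed, or presented under a name that is not in its SAN, is rejected because the peer cannot build a chain to a trust anchor it knows.

```sh
#!/bin/sh
# Added example (not from the thread, Kea or Stork): private CA plus per-peer
# certificates for Kea HA peers, built with openssl and verified as a peer would.
# Host names and IP addresses below are constructed placeholders (RFC 5737 space).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Private CA. Every peer must trust this file (the "trust anchor"). A leaf
#    certificate that is only self-signed has no issuer the peer knows, which
#    is exactly the "does not pass validation" symptom.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kea-ha-private-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"
  openssl x509 -req -days 3650 -signkey "$WORKDIR/ca.key" -in "$WORKDIR/ca.csr" \
    -out "$WORKDIR/ca.crt" -extfile "$WORKDIR/ca.ext" 2>/dev/null
}

# 2. One certificate per peer. $1 = short name, $2 = SAN list. The SAN must
#    carry the exact DNS name or IP that appears in the peer's HA "url";
#    validators ignore the CN once a SAN is present. HA peers are client and
#    server to each other, so the EKU carries both serverAuth and clientAuth.
make_peer_cert() {
  name="$1"; san="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > "$WORKDIR/$name.ext"
  openssl x509 -req -days 825 -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -in "$WORKDIR/$name.csr" -out "$WORKDIR/$name.crt" \
    -extfile "$WORKDIR/$name.ext" 2>/dev/null
}

# 3. Verify like a peer: chain to the CA and name/IP match. $1 = short name,
#    $2 = -verify_hostname or -verify_ip, $3 = the host part of the peer URL.
#    Prints "ok" or "fail".
verify_peer_cert() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" "$2" "$3" "$WORKDIR/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# 4. What a peer sees when it has no trust anchor for the issuer: no chain.
verify_without_anchor() {
  if openssl verify "$WORKDIR/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
  make_ca
  make_peer_cert dhcp1 "DNS:dhcp1.example.net,IP:192.0.2.11"
  make_peer_cert dhcp2 "DNS:dhcp2.example.net,IP:192.0.2.12"
  echo "dhcp1 by name:          $(verify_peer_cert dhcp1 -verify_hostname dhcp1.example.net)"
  echo "dhcp1 by IP:            $(verify_peer_cert dhcp1 -verify_ip 192.0.2.11)"
  echo "dhcp1 as dhcp2 (wrong): $(verify_peer_cert dhcp1 -verify_hostname dhcp2.example.net)"
  echo "dhcp1, no trust anchor: $(verify_without_anchor dhcp1)"
  echo "files are in $WORKDIR"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as "sh kea-ha-certs.sh run"; each peer then gets its own .crt/.key pair and all peers share ca.crt as the trust anchor. On the Kea side those three files map onto the trust-anchor, cert-file and key-file parameters described on the HTTPS-support page linked above (HA peers also verify the client certificate of the connecting peer by default, which is why clientAuth is in the EKU); confirm the exact parameter names against the docs for the version you run, since the script above only produces the files.
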
On Mon, Jun 2, 2025 at 6:17 PM Jason Bailey via Kea-users
<kea-users@lists.isc.org> wrote:
>
> I'm trying to turn up four Kea DHCP servers (version 2.4.1 via official
> Kea packages) in dual active/passive HA pairs (servers 1 and 2 in one
> pair and servers 3 and 4 in a second pair). I'm also trying to get all 4
> to communicate with a Stork server. HA communication between pairs as
> well as communication between Stork and the DHCP servers all work as
> expected if I opt to use HTTP without SSL/TLS. However, when I try to
> incorporate encryption into the mix, nothing works because the
> self-signed certificates I'm using do not seem to pass validation -- Kea
> and Stork refuse to accept any remote connection tied to these certs.
>
> I spent several days trying to get it to work and ended up trying to
> proxy the HTTP connections over SSH tunnels so there would at least be
> some encryption at play, but Stork is rejecting the connections because
> it is assuming they're all HTTPS (that is how I'm interpreting the log
> output, anyway). The URI I'm passing to the stork agent is http://, not
> https://.
>
> A purely HTTPS configuration would certainly be easier to manage than
> SSH tunnels. The docs don't seem to go into great detail as to how these
> certificates need to be created. It matters to me because I'm trying to
> build a state for SaltStack/SaltProject that does all of the work
> setting everything up (software installation and configuration files, up
> to and including the creation of the certs).
>
> Is there a more detailed guide on how these certs need to be created?
> Perhaps some openssl commands with explanations of what the commands are
> doing? I'm not an openssl master by any stretch.
>
> Best,
>
> Jason
>
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
