Darren,

That's actually really helpful! I suppose I could have run tcpdump and grabbed some data to look at, but I did not. I'll rework my configuration and see how it goes. Thank you for the insight.

Jason

On 6/4/25 10:29 AM, Darren Ankney wrote:

Hi Jason,

The Stork server <-> Stork agent connection is already encrypted. Stork does this by default (using self-signed certs created by the Stork server). The kea-ctrl-agent only needs to listen on 127.0.0.1 for the Stork agent connection, so no SSL is necessary there, as it is all localhost (unless you are concerned about local user eavesdropping). The HA communication may need SSL. This should have nothing to do with Stork, however. See here: https://kea.readthedocs.io/en/latest/arm/hooks.html#https-support and here: https://kea.readthedocs.io/en/latest/arm/hooks.html#multi-threaded-configuration-ha-mt

Thank you,

Darren Ankney

On Mon, Jun 2, 2025 at 6:17 PM Jason Bailey via Kea-users <kea-users@lists.isc.org> wrote:

I'm trying to turn up four Kea DHCP servers (version 2.4.1 via official Kea packages) in dual active/passive HA pairs (servers 1 and 2 in one pair and servers 3 and 4 in a second pair). I'm also trying to get all 4 to communicate with a Stork server. HA communication between pairs as well as communication between Stork and the DHCP servers all work as expected if I opt to use HTTP without SSL/TLS. However, when I try to incorporate encryption into the mix, nothing works because the self-signed certificates I'm using do not seem to pass validation -- Kea and Stork refuse to accept any remote connection tied to these certs. I spent several days trying to get it to work and ended up trying to proxy the HTTP connections over SSH tunnels so there would at least be some encryption at play, but Stork is rejecting the connections because it is assuming they're all HTTPS (that is how I'm interpreting the log output, anyway). The URI I'm passing to the Stork agent is http://, not https://. A purely HTTPS configuration would certainly be easier to manage than SSH tunnels.

The docs don't seem to go into great detail as to how these certificates need to be created. It matters to me because I'm trying to build a state for SaltStack/SaltProject that does all of the work setting everything up (software installation and configuration files, up to and including the creation of the certs). Is there a more detailed guide on how these certs need to be created? Perhaps some openssl commands with explanations of what the commands are doing? I'm not an openssl master by any stretch.

Best,
Jason

-- ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users. Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
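Darren's reply narrows the TLS work down to the HA links between Kea peers, and Jason's original post asks for openssl commands with explanations. The script below is an added example, not code from either poster nor from the Kea or Stork projects: it builds a small private CA, issues one certificate per Kea node, and then runs the two checks a peer's TLS stack makes when it validates a certificate (chain to the trust anchor, hostname against the subjectAltName). The hostnames kea1.example.test and kea2.example.test, the CA name lab-kea-ca and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, Kea or Stork): a tiny private CA for the
# Kea HA peers, built with plain openssl commands. Hostnames and paths are
# constructed placeholders.
set -e

# make_ca DIR: create the CA key and self-signed CA certificate in DIR.
# Every Kea node gets ca.crt as its trust anchor; ca.key stays off the nodes.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=lab-kea-ca" -out "$dir/ca.csr"
  # Extensions that mark this certificate as a CA allowed to sign others.
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# make_node_cert DIR HOST: key, CSR and CA-signed certificate for one Kea node.
# HA peers both open and accept connections, so the cert carries serverAuth
# and clientAuth; the SAN must equal the hostname used in the peer "url".
make_node_cert() {
  dir="$1"; host="$2"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
  cat > "$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# verify_node_cert DIR HOST [EXPECTED]: the two checks a peer's TLS stack makes,
# chain to the trust anchor and hostname match against the SAN. Prints "ok"
# or "fail"; EXPECTED defaults to HOST and lets you try a mismatched name.
verify_node_cert() {
  dir="$1"; host="$2"; expect="${3:-$2}"
  if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$expect" \
       "$dir/$host.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone run: one CA, one cert per node of an HA pair, then the checks.
WORK="$(mktemp -d)"
make_ca "$WORK"
for h in kea1.example.test kea2.example.test; do
  make_node_cert "$WORK" "$h"
done
echo "kea1 cert, correct name: $(verify_node_cert "$WORK" kea1.example.test)"
echo "kea1 cert, wrong name:   $(verify_node_cert "$WORK" kea1.example.test kea2.example.test)"
echo "files written to $WORK"
```

The files map onto the HA hook's TLS settings described in the HTTPS-support section Darren linked: ca.crt is the trust anchor each node is given, and each node gets its own <host>.crt and <host>.key. The peer URLs then use https:// with a hostname that matches the certificate's SAN; a certificate that does not chain to the configured trust anchor, or whose SAN does not match the hostname in the URL, is exactly what a peer rejects as failing validation.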