Sorry, I don't have time to go through the entire thread here today :( but what I can tell now is that this solution is working; in our testing, one of the nodes' configuration is:
{
    "Dhcp4": {
        "option-data": [],
        "hooks-libraries": [
            {
                "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so"
            },
            {
                "library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",
                "parameters": {
                    "high-availability": [
                        {
                            "peers": [
                                {
                                    "auto-failover": true,
                                    "name": "server1",
                                    "role": "primary",
                                    "url": "https://172.28.0.31:8003/"
                                },
                                {
                                    "auto-failover": true,
                                    "name": "server2",
                                    "role": "standby",
                                    "url": "https://172.28.0.32:8003/"
                                }
                            ],
                            "state-machine": {
                                "states": []
                            },
                            "mode": "hot-standby",
                            "heartbeat-delay": 2000,
                            "max-ack-delay": 1000,
                            "max-response-delay": 4000,
                            "max-unacked-clients": 4,
                            "this-server-name": "server1",
                            "trust-anchor": "/usr/local/var/lib/kea/ca_cert.pem",
                            "cert-file": "/usr/local/var/lib/kea/server_cert.pem",
                            "key-file": "/usr/local/var/lib/kea/server_key.pem",
                            "require-client-certs": false,
                            "multi-threading": {
                                "enable-multi-threading": true,
                                "http-dedicated-listener": true,
                                "http-listener-threads": 0,
                                "http-client-threads": 0
                            }
                        }
                    ]
                }
            }
        ],
        "shared-networks": [],
        "subnet4": [
            {
                "subnet": "192.168.50.0/24",
                "pools": [
                    {
                        "pool": "192.168.50.1-192.168.50.200"
                    }
                ],
                "interface": "enp0s9"
            }
        ],
        "interfaces-config": {
            "interfaces": [
                "enp0s9"
            ]
        },
        "renew-timer": 1000,
        "rebind-timer": 2000,
        "valid-lifetime": 4000,
        "loggers": [
            {
                "name": "kea-dhcp4",
                "output_options": [
                    {
                        "output": "/usr/local/var/log/kea.log"
                    }
                ],
                "severity": "DEBUG",
                "debuglevel": 99
            }
        ],
        "lease-database": {
            "type": "memfile"
        }
    }
}


Hope that will help you in your investigation.

Wlodek

On 28/06/2023 13:44, Kraishak Mahtha wrote:
Hi Darren,

I am deploying in my lab currently, but when we get more familiar we will proceed with production. I tried, yes, even with 2.3.8, and I am facing an issue. I thought it could be because of my certificates, and when I was reading more on this I saw a note in the reference document that "A sample set of certificates and associated objects is available at src/lib/asiolink/testutils/ca". I have downloaded the source from GIT, and from the folder kea-master\kea-master\src\lib\asiolink\testutils\ca I used the following certificates:
  "trust-anchor": "/root/kea-server.crt"
  "cert-file": "/root/kea-server.csr"
  "key-file": "/root/kea-server.key"

But with this, I am getting the following error
11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080] HOOKS_STD_CALLOUT_REGISTERED hooks library /opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard callout for hook leases4_committed at address 0x7fc05b249e70
2023-06-28 11:33:40.413 ERROR [kea-dhcp4.ha-hooks/13148.140464316582080] HA_CONFIGURATION_FAILED failed to configure High Availability hooks library: bad TLS config for server dhcp1: load of cert file '/root/kea-server.csr' failed: no start line


Thanks

On Wed, Jun 28, 2023 at 3:47 PM Darren Ankney <[email protected]> wrote:

    Hi Kraishak,

    When are you deploying?  You may want to test with 2.3.8 as the
    release of the next stable (2.4.0) is coming soon.  As for certificate
    use, I am not an expert in that area, but I believe that the .pem
    format is most common and correct.

    Thank you,

    Darren Ankney

    On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha
    <[email protected]> wrote:
    >
    > Hi Darren,
    > Thank you for the suggestion. I forgot to mention, I am using
    > the Kea 2.2.0 version, the last stable one (yes, as it's the latest
    > version compared to 2.17). We don't need kea-control agents, and I
    > am using HA+MT; I don't have a dependency on the kea-control agent on
    > any of the peer servers.
    >
    > I have one more doubt about the certificate type to be used. In
    > the Kea 2.2.0 document, the document says "Objects in files must
    > be in the PEM format" under section 23.1.2 TLS/HTTPS Configuration.
    > And also I checked the example configs in the reference documents,
    > and most of them show .pem files for all three attributes:
    >   "trust-anchor": /usr/lib/kea/CA.pem,
    >   "cert-file": /usr/lib/kea/server1_cert.pem,
    >   "key-file": /usr/lib/kea/server1_key.pem
    >
    > 1) So my doubt is, should all three certificates be in .pem format?
    >
    > Asking this because while I am reading about the certificate
    > content, at one of the places it says "The sample set of the
    > certificates are available at src/lib/asiolink/testutils/ca kea
    > source folder", and when I look there I don't see .pem files.
    > I just want to test with those sample certificates to rule out
    > whether the issue is either with the environment setup or with my
    > certificates.
    >
    > Thanks
    >
    > On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney
    > <[email protected]> wrote:
    >>
    >> Hi Kraishak,
    >>
    >> In the latest 2.3.8 ARM, the full quote is:
    >>
    >> "Before Kea 2.1.7 using HTTPS in the HA setup required use of the
    >> Control Agent on all peers."
    >>
    >> followed by:
    >>
    >> "Since Kea 2.1.7 the HTTPS server side is supported:"
    >>
    >> see
    >> https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support
    >> for full details.
    >>
    >> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha
    >> <[email protected]> wrote:
    >> >
    >> > Hi, I am using the kea-failover peer with multi-threading
    >> > enabled (HA+MT), so I am not using the control agent and am using
    >> > it directly, and everything is working fine as expected.
    >> > Here now I am trying to use TLS with certificates configured,
    >> > but it does not seem to work as expected. When I was reading more
    >> > on the certificates section I saw a line saying "using HTTPS in
    >> > the HA setup required use of the Control Agent on all peers", so
    >> > just to rule out my issue with certificates, do we need to
    >> > use/configure the Control Agent on all peers for TLS even after
    >> > enabling multi-threading?
    >> >
    >> > Thanks in Advance
    >> > Kraishak
    >> >
    >> > --
    >> > ISC funds the development of this software with paid support
    >> > subscriptions. Contact us at https://www.isc.org/contact/ for more
    >> > information.
    >> >
    >> > To unsubscribe visit
    >> > https://lists.isc.org/mailman/listinfo/kea-users.
    >> >
    >> > Kea-users mailing list
    >> > [email protected]
    >> > https://lists.isc.org/mailman/listinfo/kea-users

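The TLS failure in this thread comes down to which PEM object each of the three HA parameters points at: Kea loads them through OpenSSL, and handing it a CSR as "cert-file" produces exactly the "no start line" error quoted above. The following pre-flight check is an added example, not Kea's or ISC's code; it walks a Dhcp4 config dict to the libdhcp_ha.so parameters and reports any file whose PEM BEGIN label does not fit the parameter, and the file names and PEM bodies in demo() are constructed for illustration.

```python
# Added pre-flight check for the TLS file trio of the Kea HA hook (example code, not Kea's own).
import re
import tempfile
from pathlib import Path
# Acceptable PEM labels per parameter (assumption: standard OpenSSL PEM labels).
EXPECTED = {
    "trust-anchor": {"CERTIFICATE"},
    "cert-file": {"CERTIFICATE"},
    "key-file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)

def ha_tls_params(config):
    """TLS file settings from the first HA relationship of libdhcp_ha.so, else {}."""
    for hook in config.get("Dhcp4", {}).get("hooks-libraries", []):
        if hook.get("library", "").endswith("libdhcp_ha.so"):
            ha = hook.get("parameters", {}).get("high-availability", [{}])[0]
            return {k: ha[k] for k in EXPECTED if k in ha}
    return {}

def check_pem_file(param, path):
    """Problem description for one file, or None when its PEM label is usable."""
    try:
        labels = set(BEGIN_RE.findall(Path(path).read_text()))
    except OSError as exc:
        return f"{param}: cannot read {path}: {exc}"
    if not labels:  # the condition OpenSSL reports as 'no start line'
        return f"{param}: {path} has no PEM BEGIN line"
    if "CERTIFICATE REQUEST" in labels:  # a CSR is not a signed certificate
        return f"{param}: {path} is a CSR, not a certificate"
    if not labels & EXPECTED[param]:
        return f"{param}: {path} holds {sorted(labels)}, expected one of {sorted(EXPECTED[param])}"
    return None

def check_config(config):
    """TLS file problems for a Dhcp4 config dict; empty list means OK or TLS unused."""
    params = ha_tls_params(config)
    missing = [f"{k}: not configured (Kea needs all three)" for k in EXPECTED if params and k not in params]
    return missing + [p for k, v in params.items() if (p := check_pem_file(k, v))]

def demo():
    """Constructed sample files: a CSR wrongly used as cert-file, as in the thread."""
    d = Path(tempfile.mkdtemp())
    (d / "ca.pem").write_text("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    (d / "server.csr").write_text("-----BEGIN CERTIFICATE REQUEST-----\nMIIB...\n-----END CERTIFICATE REQUEST-----\n")
    (d / "server.key").write_text("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
    ha = {"trust-anchor": str(d / "ca.pem"), "cert-file": str(d / "server.csr"), "key-file": str(d / "server.key")}
    cfg = {"Dhcp4": {"hooks-libraries": [{"library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",
                                          "parameters": {"high-availability": [ha]}}]}}
    return check_config(cfg)
```

Run check_config() on json.load() of the real kea-dhcp4.conf before starting the server; an empty list means the three files at least carry the right kind of PEM object, which is the precondition the HA hook checks first.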