Stefan, I've been down this road and the short answer is to not bother trying to use the various options to skip certificate verification. Those settings don't do what you (I) think they do, and it's easier to just make the certs work.
When you generate the certificates under your CA, add the IP address of each server as an IP SAN. For example, given a key, CA, and CSR, this is how I make a certificate:

HOSTNAME='1.2.3.4'
openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")

In my case, I only care to make the certificate work for the IP address, so you'll need to adjust the various options (obviously). When you're done, use the -print option to openssl on ${HOSTNAME}.crt to double-check that the SAN is added. Then, double-double-check that the CA is imported on both Kea servers, the Stork server, and, since you mentioned Docker, also inside any containerized version of the aforementioned.

Again, I don't change any of the verification settings, nor any of the certificates except the ones that I created for Kea to use.

Hope this helps.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

________________________________
From: Kea-users <kea-users-boun...@lists.isc.org> on behalf of Stefan G. Weichinger <li...@xunil.at>
Sent: Friday, June 30, 2023 6:13 AM
To: kea-users@lists.isc.org <kea-users@lists.isc.org>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

On 30.06.23 at 12:16, Stefan G. Weichinger wrote:
>
> After some more restarting and re-registering currently stork looks good.
>
> I assume currently the stork-agents talk to the kea-ctrl-agents
> unencrypted ... I am not 100% sure yet.
Tested flipping this in kea-ctrl-agent.conf:

"cert-required": false

to

"cert-required": true

When doing this, the stork-agent has issues trusting the cert:

Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30" level="error" msg="Problem fetching stats from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown certificate authority\nproblem sending POST to https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem getting stats from Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594" file="promkeaexporter.go:841"
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30" level="error" msg="Some errors were encountered while collecting stats from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown certificate authority\nproblem sending POST to https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem getting stats from Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594" file="promkeaexporter.go:712"
Jun 30 13:07:34 adc1 kea-ctrl-agent[759731]: INFO HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 10.0.0.231 failed with certificate verify failed

And this while the agent.env has:

STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true

So I have to figure out how to make the stork-agent trust that cert.

Do I have to modify /var/lib/stork-agent/certs/ca.pem? As far as I understand, the files there are generated while registering the stork-agent.

Thanks for any help, I think I am close to getting this right.

--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
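The stack traces above come from isc.org/stork/agent, i.e. the stork-agent is a Go program and its HTTPS client verifies the Kea control agent's certificate with Go's crypto/x509. The following is an added example, not code from Stork, Kea or either poster: it builds a throwaway CA in memory and issues four server certificates to show which combinations of issuing CA and IP SAN that verification accepts for a dial to https://10.0.0.231:8000/. The CA names ("Lab CA", "Some Other CA"), the second address 10.0.0.232 and all keys are constructed for the example; nothing here reads or writes the agent's /var/lib/stork-agent/certs/ files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var nextSerial int64 // serials only need to be distinct within this example

// issue creates a certificate. With isCA it is self-signed and parent/parentKey are
// ignored; otherwise it is signed by parent. ipSANs fills subjectAltName (IP:...);
// nil mimics a CN-only certificate that carries no SAN at all.
func issue(cn string, isCA bool, ipSANs []net.IP, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           ipSANs,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is substituted below
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyForIP is the check a Go TLS client performs after dialing https://<ip>:<port>:
// chain the leaf to a trusted root, then match <ip> against the leaf's IP SANs.
// The error is reduced to a label so the scenarios below can be compared.
func verifyForIP(leaf, trustedCA *x509.Certificate, ip string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip, // an IP literal is matched against IPAddresses; the CN is never consulted
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &caErr):
		return "unknown_authority" // the client-side "tls: unknown certificate authority" case
	case errors.As(err, &hostErr):
		return "hostname_mismatch" // no IP SAN, or an IP SAN for a different address
	default:
		return "other: " + err.Error()
	}
}

// Scenarios verifies four server certificates against a client that trusts one CA
// and dials ip. In order: (1) CN-only cert from the trusted CA, (2) IP SAN = ip from
// the trusted CA, (3) same SAN but issued by an untrusted CA, (4) trusted CA but the
// only IP SAN is otherIP (the other HA peer's address, for instance).
func Scenarios(ip, otherIP string) ([]string, error) {
	trusted, trustedKey, err := issue("Lab CA", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue("Some Other CA", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	mk := func(ca *x509.Certificate, key *ecdsa.PrivateKey, sans []net.IP) string {
		leaf, _, err := issue(ip, false, sans, ca, key)
		if err != nil {
			return "issue failed: " + err.Error()
		}
		return verifyForIP(leaf, trusted, ip)
	}
	return []string{
		mk(trusted, trustedKey, nil),
		mk(trusted, trustedKey, []net.IP{net.ParseIP(ip)}),
		mk(rogue, rogueKey, []net.IP{net.ParseIP(ip)}),
		mk(trusted, trustedKey, []net.IP{net.ParseIP(otherIP)}),
	}, nil
}

func main() {
	res, err := Scenarios("10.0.0.231", "10.0.0.232")
	fmt.Println(res, err)
}
```

Only scenario 2 verifies: the certificate must chain to a CA the client trusts and carry the dialed address as an IP SAN, which is the pair of conditions Eric's openssl invocation (the IP SAN extension) and his "is the CA imported everywhere" check cover. Scenario 3 is the same failure class as the stork-agent log above; scenarios 1 and 4 show that a CN, or a SAN for a different server, does not satisfy the hostname check.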