
DHCP Kea High Availability over TLS doesn't work

GJE

I have installed two Kea 2.0.1 servers in a Debian 10 Buster virtual machine, in VirtualBox 6.1.26 r145957 (Qt5.6.2) and also in VMware Workstation Player 16.1.2 build-17966106. High availability without TLS works fine, and I have been referred to the Kea Administrator Reference Manual for the kea-dhcp4 and kea-ca (control agent) configurations (https://kea.readthedocs.io/en/kea-2.0.1/arm/intro.html).

HA Logs without TLS

When I try to configure it with TLS, it gives the following TLS handshake error.

2022-02-07 10:38:22.970 DEBUG [kea-ctrl-agent.http/4703.140102598186880] HTTP_CONNECTION_HANDSHAKE_START start TLS handshake with 192.168.0.20 with timeout 10
2022-02-07 10:38:23.972 INFO [kea-ctrl-agent.http/4703.140102598186880] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 192.168.0.20 failed with http request
2022-02-07 10:38:23.972 DEBUG [kea-ctrl-agent.http/4703.140102598186880] HTTP_CONNECTION_STOP stopping HTTP connection from 192.168.0.20

In order to configure the TLS connection, I have created a certificate authority with a self-signed certificate and a BIND9 DNS server. Regarding the creation of TLS certificates with subject alternative names set to the DNS name and IP address, I have been referred to /kea-2.0.1/src/lib/asiolink/testutils/ca/doc.txt.

# Create the CA self-signed certificate
$ sudo openssl genrsa -aes128 -out kea-ca.key 4096
$ sudo openssl req -new -x509 -days 3650 -key kea-ca.key -out kea-ca.crt -extensions v3_ca -config server-conf.cnf

# Kea server certificate
$ sudo openssl genrsa -aes128 -out kea-server-aes.key 2048
# The server private key must be unencrypted: convert the encrypted key to
# unencrypted PKCS#8 (-topk8 is needed because the input is a traditional
# "RSA PRIVATE KEY" file, not PKCS#8) and remove the encrypted copy
$ sudo openssl pkcs8 -topk8 -in kea-server-aes.key -out kea-server.key -nocrypt
$ sudo rm kea-server-aes.key
$ sudo openssl req -new -key kea-server.key -out kea-server-addr.csr -config server-addr-conf.cnf
$ sudo openssl x509 -req -days 3650 -in kea-server-addr.csr -CA kea-ca.crt -CAkey kea-ca.key -set_serial 30 -out kea-server-addr.crt -extfile ext-addr-conf.cnf -sha256

# Use c_rehash or openssl rehash to create the hash symlinks in the certificate directory
$ sudo openssl rehash .

To troubleshoot I have tried the following:

  1. Capturing packets with Wireshark: after sending a heartbeat message to synchronize with the other peer, something goes wrong and the TCP connection ends immediately.
  2. Sending a curl POST to the Kea control agent works successfully.
  3. Testing the Kea certificates with the openssl verify tool: everything seems to be OK.
  4. Troubleshooting the TLS connection with openssl s_client -showcerts.

Because the error output isn't helping much, I wanted to ask whether anyone has experience with this issue or comparable problems.

GJE
I finally found the solution. In the kea-dhcp4 HA config, trust-anchor, cert-file and key-file must be defined at the global or peer level, and the url must use https.
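What that looks like in a kea-dhcp4 configuration, as an added example that is not code from the original post or from the Kea project: the HA hook's TLS parameters (trust-anchor, cert-file, key-file, cert-required) are set once at the HA level so every peer entry inherits them, and both peer URLs use https. The certificate file names are the ones generated in the question; the /etc/kea/tls directory, the Debian hook-library path, the primary's address 192.168.0.10 and port 8000 are assumptions made for the example, and the // comments are in the style Kea's config parser accepts. Note also that the "failed with http request" wording in the log is OpenSSL's SSL_R_HTTP_REQUEST reason: the listener received a plaintext HTTP request where it expected a TLS ClientHello, which is exactly what a peer still configured with an http:// URL sends.

```json
{
  "Dhcp4": {
    "hooks-libraries": [
      // lease_cmds is required by the HA hook for lease synchronization
      {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
      },
      {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
        "parameters": {
          "high-availability": [
            {
              // this file is server1's; server2's copy differs only in
              // this-server-name and in the certificate/key it presents
              "this-server-name": "server1",
              "mode": "hot-standby",
              "heartbeat-delay": 10000,
              "max-response-delay": 60000,
              "max-ack-delay": 5000,
              "max-unacked-clients": 5,

              // TLS settings at the HA (global) level apply to every peer
              // below; they could instead be repeated inside each peer entry.
              // File names come from the question; the directory is assumed.
              "trust-anchor": "/etc/kea/tls/kea-ca.crt",
              "cert-file": "/etc/kea/tls/kea-server-addr.crt",
              "key-file": "/etc/kea/tls/kea-server.key",
              // require the peer to present a certificate signed by kea-ca.crt
              "cert-required": true,

              "peers": [
                {
                  "name": "server1",
                  // scheme must be https once TLS is configured;
                  // address and port are assumptions for the example
                  "url": "https://192.168.0.10:8000/",
                  "role": "primary",
                  "auto-failover": true
                },
                {
                  "name": "server2",
                  "url": "https://192.168.0.20:8000/",
                  "role": "standby",
                  "auto-failover": true
                }
              ]
            }
          ]
        }
      }
    ]
  }
}
```

The kea-ctrl-agent on each peer must be set up for TLS as well, with its own trust-anchor, cert-file, key-file and cert-required in its Control-agent block, because that listener is what the HA hook on the other peer connects to. With cert-required true on both sides, each peer's certificate has to chain to kea-ca.crt and its private key must be unencrypted, which is why the example points at kea-server.key rather than the AES-encrypted copy. Run kea-dhcp4 -t /etc/kea/kea-dhcp4.conf to check the file before restarting the service.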