Hello all,

I'm trying to add TLS encryption to my Bacula setup.

I've been following this guide, which got me almost all of the way there:


http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/


I modified the following sections in my bacula-dir.conf file:


Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}

Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret"          # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d            # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}



And in my bacula-fd.conf:


Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

FileDaemon {                          # this is me
  Name = storage.jokefire.com
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


In bacula-sd.conf:


Storage {                             # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}


And finally in bconsole.conf:


Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


Then I bounced the services so all seems well at this point:


[root@storage:/etc/bacula] #bounce-bacula
Stopping Bacula Storage services:                          [  OK  ]
Starting Bacula Storage services:                          [  OK  ]
Stopping Bacula File services:                             [  OK  ]
Starting Bacula File services:                             [  OK  ]
Stopping Bacula Director services:                         [  OK  ]
Starting Bacula Director services:                         [  OK  ]


(wrote a script to bounce all services because I'm lazy)


But when I go into bconsole I get the following (until I restore from
backup):


[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.


I've saved my work with TLS so I'm eager to get this going. I used the
following guide to generating the certs, and I'm wondering if the problem
could possibly be in the way I generated the certs?


http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/


Thanks for any and all advice!


Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
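
The error above names a depth-0 certificate whose issuer and subject are the same DN. As an added example (not part of the original post), the script below builds two throwaway CA/host pairs with OpenSSL, one where the CA and the host certificate were given the same DN and one with distinct DNs, and classifies each host certificate. All DNs, directories and file names in it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Every DN and file below is constructed in a temp dir;
# nothing here is taken from the poster's certificates.
set -u

make_ca() {    # make_ca DIR SUBJECT: self-signed CA in DIR/ca.pem
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -subj "$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_leaf() {  # make_leaf DIR SUBJECT: host cert DIR/leaf.crt signed by DIR/ca.pem
    openssl req -new -nodes -newkey rsa:2048 -subj "$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 30 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
}

dn() {         # dn FIELD CERT: print the subject or issuer DN of CERT
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=[ ]*//"
}

check_pair() { # check_pair CAFILE CERT: classify CERT
    if [ "$(dn subject "$2")" = "$(dn issuer "$2")" ]; then
        echo "self-issued"     # issuer DN == subject DN, as in the log above
    elif openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "verify-failed"   # signed by some other CA, expired, ...
    fi
}

work=$(mktemp -d)
mkdir "$work/same" "$work/distinct"
ca_dn="/C=US/O=Example LLC/CN=Example Backup CA"
host_dn="/C=US/O=Example LLC/CN=backup.example.test"

# Pair 1: CA and host share one DN. Pair 2: the CA has its own DN.
make_ca "$work/same" "$host_dn";   make_leaf "$work/same" "$host_dn"
make_ca "$work/distinct" "$ca_dn"; make_leaf "$work/distinct" "$host_dn"

echo "same DN for CA and host: $(check_pair "$work/same/ca.pem" "$work/same/leaf.crt")"
echo "distinct DNs:            $(check_pair "$work/distinct/ca.pem" "$work/distinct/leaf.crt")"
```

To check real files, call `check_pair` with the paths given in `TLS CA Certificate File` and `TLS Certificate`.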