Re: [Bacula-users] bacula TLS help

Wed, 27 Nov 2013 04:53:46 -0800 

Hi Tim,
 I have a similar configuration. I think that the proble is in the CN:
CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com


please could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key

Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=
bacula.example.org

The CN must be the sme that DirAddress (I did not use email address for
cert sign)

Regards, I


2013/11/27 Tim Dunphy <bluethu...@gmail.com>

> Hello all,
>
>
>  I'm trying to add TLS encryption to my bacula setup.
>
>
>
>  I've been following this guide which got me almost all of the way there:
>
>
> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>
>
> I modified the following sections in my bacula-dir.conf file:
>
>
> Director {                            # define myself
>
>   Name = storage.jokefire.com
>
>   DIRport = 9101                # where we listen for UA connections
>
>   QueryFile = "/etc/bacula/query.sql"
>
>   WorkingDirectory = "/var/spool/bacula"
>
>   PidDirectory = "/var/run"
>
>   Maximum Concurrent Jobs = 1
>
>   Password = "secret"         # Console password
>
>   Messages = Daemon
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
>   TLS Verify Peer = yes
>
> }
>
>
> Client {
>
>   Name = ops.jokefire.com
>
>   Address = ops.jokefire.com
>
>   FDPort = 9102
>
>   Catalog = JokefireCatalog
>
>   Password = "secret"          # password for FileDaemon
>
>   File Retention = 14 days            # 14 days
>
>   Job Retention = 14d            # 14 days
>
>   AutoPrune = yes                     # Prune expired Jobs/Files
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
> }
>
>
>
> And in my bacula-fd.conf
>
>
> Director {
>
>   Name = storage.jokefire.com
>
>   Password = "secret"
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
> }
>
>
> FileDaemon {                          # this is me
>
>   Name = storage.jokefire.com
>
>   FDport = 9102                  # where we listen for the director
>
>   WorkingDirectory = /var/bacula
>
>   Pid Directory = /var/run
>
>   Maximum Concurrent Jobs = 20
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
> }
>
>
> In bacula-sd.conf:
>
>
> Storage {                             # definition of myself
>
>   Name = storage.jokefire.com
>
>   SDPort = 9103                  # Director's port
>
>   WorkingDirectory = "/var/spool/bacula"
>
>   Pid Directory = "/var/run"
>
>   Maximum Concurrent Jobs = 20
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
>   TLS Verify Peer = yes
>
> }
>
>
> And finally in bconsole.conf:
>
>
> Director {
>
>   Name = storage.jokefire.com
>
>   DIRport = 9101
>
>   address = storage.jokefire.com
>
>   Password = "secret"
>
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
>   TLS Enable = yes
>
>   TLS Require = yes
>
> }
>
>
> Then I bounced the services so all seems well at this point:
>
>
> [root@storage:/etc/bacula] #bounce-bacula
>
> Stopping Bacula Storage services:                          [  OK  ]
>
> Starting Bacula Storage services:                          [  OK  ]
>
> Stopping Bacula File services:                             [  OK  ]
>
> Starting Bacula File services:                             [  OK  ]
>
> Stopping Bacula Director services:                         [  OK  ]
>
> Starting Bacula Director services:                         [  OK  ]
>
>
> (wrote a script to bounce all services because I'm lazy)
>
>
> But when I go into bconsole I get the following (until I restore from
> backup)
>
>
> [root@storage:/etc/bacula] #bconsole
>
> Connecting to Director storage.jokefire.com:9101
>
> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at
> depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
> storage.jokefire.com/emailAddress=bluethu...@gmail.com, subject =
> /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
> storage.jokefire.com/emailAddress=bluethu...@gmail.com, ERR=18:self
> signed certificate
>
> TLS negotiation failed
>
> Director authorization problem.
>
> Most likely the passwords do not agree.
>
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
>
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000for
>  help.
>
>
> I've saved my work with TLS so I'm eager to get this going. I used the
> following guide to generating the certs, and I'm wondering if the problem
> could possibly be in the way I generated the certs?
>
>
>
> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>
>
> Thanks for any and all advice!
>
>
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
>


-- 
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
*"El problema con el mundo es que los estúpidos están seguros de todo y los
inteligentes están llenos de dudas*"

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Reply via email to