On Fri, Jul 31, 2020, at 6:15 PM, Shawn Rappaport wrote:

> I'm running Bacula 9.06 (compiled from source with the --with-openssl option)
> on CentOS 7.5 and running into issues configuring TLS in our test
> environment. I am following the instructions from these two pages:
> https://www.labeightyfour.com/2019/06/20/configure-encrypted-connections-in-bacula/
> https://www.labeightyfour.com/2019/12/05/certificate-extensions-in-openssl/
>
> My test environment consists of a server running the Director and SD
> (xbacdirector01-lv) as well as a CentOS 7.5 Linux client and Windows Server
> 2019 client.

At work, we just finished getting a client to work. It was a multi-week process. I'll see if I can get details on Monday. There was something extremely obscure which we had to do.

TLS can be very complex to get going. I encourage you to first ensure everything works properly without TLS and then start adding in TLS. To do both at once is dealing with too many variables.

I may be making errors in my observations and I hope they get pointed out.

> First, I generated the keys and certificates on xbacdirector01-lv, put them
> in /etc/ssl, chown'd them as bacula.bacula and changed the permissions on the
> keys to 600. Here is how I generated things:
>
> *Configure the Certificate Authority using OpenSSL*
> openssl genrsa -out bacula_ca.key 2048
> openssl req -new -x509 -key bacula_ca.key -out bacula_ca.crt -days 365
> -extensions usr_cert
>
> *Configure Keys and Certificates for the Bacula Server using OpenSSL*
> openssl req -new -newkey rsa:2048 -nodes -keyout bacula_server.key -out
> bacula_server.csr -days 365
> openssl x509 -req -in bacula_server.csr -CA /etc/ssl/bacula_ca.crt -CAkey
> /etc/ssl/bacula_ca.key -CAcreateserial -out bacula_server.crt -extensions
> usr_cert -days 365

The following is mentioned in passing, not because I have noticed something wrong with your cert creation process, but I recommend verifying that you have client certs for clients (bacula-fd) and server certs for servers (bacula-dir, bacula-sd). There are two types of ssl certs: client, and server. You need server certs for Bacula.

https://dan.langille.org/2019/11/29/ssl-client-vs-server-certificates-and-bacula-fd/

I use and recommend ssl-admin.

> Then I modified *bconsole.conf* to include the TLS directives. It now looks
> like this:
>
> Director {
>   Name = xbacdirector01-lv.internal.shutterfly.com-dir
>   DIRport = 9101
>   address = xbacdirector01-lv.internal.shutterfly.com
>   Password = "password"
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
> }

Note the Address used above. The certificate used by bacula-dir must be in the name: xbacdirector01-lv.internal.shutterfly.com

This applies to all certificates.

That's about all I can help with today.

> Next, I updated *bacula-dir.conf* to include the TLS directives:
>
> Director {                            # define myself
>   Name = xbacdirector01-lv.internal.shutterfly.com-dir
>   DIRport = 9101                      # where we listen for UA connections
>   QueryFile = "/etc/bacula/query.sql"
>   WorkingDirectory = "/var/bacula"
>   PidDirectory = "/var/run"
>   Maximum Concurrent Jobs = 20
>   Password = "password"               # Console password
>   Messages = Daemon
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
>   # TLS Verify Peer = no
>   TLS Allowed CN = “xbacdirector01-lv.internal.shutterfly.com”
> }
>
> Storage {                             # definition of myself
>   Name = xbacdirector01-lv.internal.shutterfly.com-sd
>   SDPort = 9103                       # Director's port
>   Address = xbacdirector01-lv.internal.shutterfly.com
>   Password = "password"
>   Device = FileChgr1-Dev1             # Make sure this matches the bacula-sd.conf file
>   MediaType = File1
>   Maximum Concurrent Jobs = 20
>   Autochanger = yes
>   Allow Compression = yes
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
> }
>
> Autochanger {
>   Name = File1
>   # Do not use "localhost" here
>   Address = xbacdirector01-lv.internal.shutterfly.com   # N.B. Use a fully qualified name here
>   SDPort = 9103
>   Password = "password"
>   Device = FileChgr1
>   Media Type = File1
>   Maximum Concurrent Jobs = 10        # run up to 10 jobs a the same time
>   Autochanger = File1                 # point to ourself
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
> }
>
> I also added the TLS directives to *bacula-sd.conf*:
>
> Storage {                             # definition of myself
>   Name = xbacdirector01-lv.internal.shutterfly.com-sd
>   SDPort = 9103                       # Director's port
>   WorkingDirectory = "/var/bacula"
>   Pid Directory = "/var/run"
>   Plugin Directory = "/usr/lib64"
>   Maximum Concurrent Jobs = 20
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
> }
>
> Director {
>   Name = xbacdirector01-lv.internal.shutterfly.com-dir
>   Password = "password"
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/ssl/bacula_ca.crt
>   TLS Certificate = /etc/ssl/bacula_server.crt
>   TLS Key = /etc/ssl/bacula_server.key
> }
>
> After those changes, I bounced Bacula and tried running bconsole. Here is the
> error I'm receiving:
>
> Connecting to Director xbacdirector01-lv.internal.shutterfly.com:9101
> bconsole: tls.c:87-0 Error with certificate at depth: 0, issuer =
> /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com,
> subject =
> /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com,
> ERR=18:self signed certificate
> 31-Jul 14:41 bconsole JobId 0: Error: tls.c:87 Error with certificate at
> depth: 0, issuer =
> /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com,
> subject =
> /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com,
> ERR=18:self signed certificate
> TLS negotiation failed
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
> For help, please see
> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
>
> I'm guessing I didn't configure the certs properly but I don't know why. I
> also tried creating things with the CN not being fully-qualified, i.e.:
> CN=xbacdirector01-lv. That didn't make a difference. I'm pretty green when it
> comes to configuring certs so I apologize if I'm making rookie mistakes.
>
> Does anyone know what I'm doing wrong? Please let me know if you need more
> details of my setup and configuration.
>
> Thanks!
>
> --Shawn
>
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users

-- 
Dan Langille
d...@langille.org
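The two checks the reply asks for, as an added example that is not part of the thread: a script that issues a private CA and a server certificate for the Director/SD host, verifies the chain, confirms the certificate is a server certificate (serverAuth extended key usage rather than a client one) and checks that the name in the certificate matches what the Address directive says. The hostname bacula-dir.example.internal, the temporary work directory and the config sections are constructed for the example; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example, not part of the thread: build a private CA and a *server*
# certificate for bacula-dir/bacula-sd, then check the two points the reply
# raises: the cert is a server cert (serverAuth EKU) and it is issued in the
# name used by the Address directive. Hostname and paths are constructed.
set -e
HOST="${BACULA_HOST:-bacula-dir.example.internal}"   # what "Address =" says
WORK="${WORK:-$(mktemp -d)}"                          # certs are left here

make_certs() {
    # Minimal openssl config: CA:TRUE for the CA (a CA signed with the usr_cert
    # section would carry CA:FALSE), serverAuth plus a DNS SAN for the server.
    cat > "$WORK/tls.cnf" <<EOF
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
O = Example Backups
CN = Example Bacula CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/tls.cnf" \
        -extensions v3_ca -keyout "$WORK/bacula_ca.key" -out "$WORK/bacula_ca.crt" 2>/dev/null
    # Server CSR: the CN is the exact name bconsole and bacula-dir connect to.
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/tls.cnf" \
        -subj "/O=Example Backups/CN=$HOST" \
        -keyout "$WORK/bacula_server.key" -out "$WORK/bacula_server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/bacula_server.csr" -CA "$WORK/bacula_ca.crt" \
        -CAkey "$WORK/bacula_ca.key" -CAcreateserial -extfile "$WORK/tls.cnf" \
        -extensions v3_server -out "$WORK/bacula_server.crt" 2>/dev/null
    chmod 600 "$WORK"/*.key
}

# Each check succeeds (exit 0) only when the property holds.
check_chain()      { openssl verify -CAfile "$WORK/bacula_ca.crt" "$WORK/bacula_server.crt" | grep -q ': OK'; }
check_server_eku() { openssl x509 -in "$WORK/bacula_server.crt" -noout -text | grep -q 'TLS Web Server Authentication'; }
check_hostname()   { openssl x509 -in "$WORK/bacula_server.crt" -noout -checkhost "$1" | grep -q 'does match'; }

make_certs
check_chain            && echo "chain:    bacula_server.crt verifies against bacula_ca.crt"
check_server_eku       && echo "type:     server certificate (serverAuth)"
check_hostname "$HOST" && echo "hostname: issued for $HOST"
```

Run it as-is, or with BACULA_HOST set to the value of your own Address directive; the same three checks can be pointed at an existing bacula_server.crt to see which of the conditions in the reply it fails.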