If anyone is using X509v3 extensions with copy jobs, I'm keenly interested in the certs you are using. See below.
On Thu, Sep 14, 2023, at 2:39 PM, Dan Langille wrote:
> On Thu, Sep 14, 2023, at 2:33 PM, Martin Simmons wrote:
>>>>>>> On Tue, 12 Sep 2023 08:41:42 -0400, Dan Langille said:
>>>
>>> >
>>> >> I ask because yesterday I started running some copy jobs. The cert used
>>> >> by bacula-sd was acceptable for receiving backups. It was not acceptable
>>> >> for copy jobs.
>>> >>
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect
>>> >> failure: ERR=error:1417C086:SSL
>>> >> routines:tls_process_client_certificate:certificate verify failed
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS
>>> >> Negotiation failed.
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation
>>> >> failed with FD at "10.55.0.7:27230"
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect
>>> >> authorization key from File daemon at client rejected.
>>> >> For help, please see:
>>> >> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to
>>> >> authenticate File daemon
>>> >
>>> > I wonder if your SD connects to itself here, and fails to validate
>>> > itself? The log above does mention an FD at 10.55.0.7. Does that FD
>>> > component have a certificate? Maybe there's a mismatch with the CN of that
>>> > certificate and the FDAddress directive in the bacula-fd.conf file?
>>>
>>> There is no bacula-fd at 10.55.0.7 - it is not running and not configured.
>>> It is bacula-sd only at that IP address.
>>>
>>> Yes, bacula-sd-04 is at 10.55.0.7 - I don't know why FD is mentioned in
>>> the error.
>>>
>>> From the docs
>>> (https://bacula.org/13.0.x-manuals/en/main/Migration_Copy.html):
>>>
>>>   The Copy and the Migration jobs run without using the File daemon by
>>>   copying the data from the old backup Volume to a different Volume in a
>>>   different Pool
>>>
>>> My reading of that: an FD should not be involved here.
>>
>> My guess is that Copy and Migration jobs work with the reading SD pretending
>> to be an FD to send data to the writing SD.
>>
>> __Martin
>
> Tests this afternoon have confirmed that. I'm still figuring this out.
> I might resume testing in the next few days.

It seems the only problem is copy/migration jobs. In this case, bacula-sd is
sending to bacula-sd and I have been unable to configure a cert with X509v3
extensions which is accepted for this task. The errors I get are below.

These certs are good for backups, not good for copy/migration (I have tested
only copy, but I'm sure migration will have the same problem).

If I change the certificate, and *only* the certificate, to not include X509v3
extensions, this error does not occur.

18-Sep 21:08 bacula-dir JobId 359528: Warning: FileSet MD5 digest not found.
18-Sep 21:08 bacula-dir JobId 359528: The following 1 JobId was chosen to be copied: 359391
18-Sep 21:08 bacula-dir JobId 359528: Copying using JobId=359391 Job=r730-03_basic_testing.2023-09-15_12.57.14_14
18-Sep 21:08 bacula-dir JobId 359528: Start Copying JobId 359528, Job=CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
18-Sep 21:08 bacula-dir JobId 359528: Using Device "vDrive-FullFile-0" to read.
18-Sep 21:08 bacula-dir JobId 359529: Using Device "vDrive-FullFile-0" to write.
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Error: openssl.c:68 Connect failure: ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: bnet.c:75 TLS Negotiation failed.
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: TLS negotiation failed with FD at "10.55.0.7:61827"
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: Incorrect authorization key from File daemon at client rejected.
For help, please see: http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Security Alert: Unable to authenticate File daemon
18-Sep 21:08 bacula-dir JobId 359529: Fatal error: Bad response to Storage command: wanted 2000 OK storage , got 2902 Bad storage
18-Sep 21:08 bacula-dir JobId 359529: Fatal error: mac.c:301 Response failure: storeddr=bacula-sd-01.int.unixathome.org:9103 Job=CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
18-Sep 21:08 bacula-dir JobId 359528: Error: Bacula bacula-dir 9.6.7 (10Dec20):
  Build OS:               amd64-portbld-freebsd13.2 freebsd 13.2-RELEASE
  Prev Backup JobId:      359391
  Prev Backup Job:        r730-03_basic_testing.2023-09-15_12.57.14_14
  New Backup JobId:       359529
  Current JobId:          359528
  Current Job:            CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
  Backup Level:           Full
  Client:                 crey-fd
  FileSet:                "EmptyCopyToTape" 2011-02-20 20:53:31
  Read Pool:              "FullFile" (From Job resource)
  Read Storage:           "bacula-sd-01-FullFile" (From Pool resource)
  Write Pool:             "FullFile-04" (From Job resource)
  Write Storage:          "bacula-sd-04-FullFile" (From Job resource)
  Catalog:                "MyCatalog" (From Client resource)
  Start time:             18-Sep-2023 21:08:07
  End time:               18-Sep-2023 21:08:13
  Elapsed time:           6 secs
  Priority:               10
  SD Files Written:       0
  SD Bytes Written:       0 (0 B)
  Rate:                   0.0 KB/s
  Volume name(s):
  Volume Session Id:      2
  Volume Session Time:    1695069831
  Last Volume Bytes:      0 (0 B)
  SD Errors:              0
  SD termination status:  Waiting on FD
  Termination:            *** Copying Error ***

The following are excerpts from the certs used on the sending and receiving bacula-sd.

bacula-sd-01 - sending

Director clause (client cert):

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://CRL_URI

Storage clause (server cert):

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        Netscape Comment:
            ssl-admin (OpenSSL) Generated Server Certificate
        X509v3 Subject Key Identifier:
            [redacted]
        X509v3 Authority Key Identifier:
            keyid:[redacted]
            DirName:/C=US/ST=[redacted]
            serial:[redacted]
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

bacula-sd-04 - receiving

Director clause (client cert):

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://CRL_URI

Storage clause (server cert):

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        Netscape Comment:
            ssl-admin (OpenSSL) Generated Server Certificate
        X509v3 Subject Key Identifier:
            [redacted]
        X509v3 Authority Key Identifier:
            keyid:[redacted]
            DirName:/C=US/ST=[redacted]
            serial:[redacted]
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

-- 
Dan Langille
d...@langille.org

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
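Editor's addition, not part of the thread above or of Bacula: a shell script that rebuilds the two certificate shapes shown in the excerpts (Extended Key Usage for both TLS roles, with and without the legacy "Netscape Cert Type: SSL Server" extension) under a throwaway CA, and asks `openssl verify -purpose` whether each one is acceptable as a TLS client certificate and as a TLS server certificate. The OpenSSL behaviour it demonstrates is this: when nsCertType is present, the sslclient purpose check requires it to include "SSL Client", so a certificate marked "SSL Server" only is rejected as a client certificate even though its Extended Key Usage lists TLS Web Client Authentication. The error in the log above ("tls_process_client_certificate: certificate verify failed") is the one OpenSSL raises on the TLS server side while checking the peer's client certificate. The post does not say which of its two certificates an SD presents when it connects to the other SD during a copy job, so treat this as a check to run against your own certs, not as a diagnosis. The CN values, key sizes, serial numbers, file names and temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (editor's, not from the Bacula-users thread): build a throwaway CA
# and two leaf certs with different X509v3 extension sets, then ask OpenSSL whether
# each leaf passes the "sslclient" and "sslserver" purpose checks. Needs only the
# openssl command line tool. CN values, key sizes, serials and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions resembling the "Director clause" cert in the post: EKU for both
# TLS roles, no Netscape Cert Type.
DUAL_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage=clientAuth,serverAuth'

# Extensions resembling the "Storage clause" cert in the post: same EKU pair,
# plus the legacy nsCertType extension restricted to "SSL Server".
NS_SERVER_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
nsCertType=server'

# Self-signed CA using the ca_ext section above (throwaway, valid for one day).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=test-ca" \
    -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# make_leaf NAME SERIAL EXTENSIONS: issue a leaf cert signed by the throwaway CA,
# with EXTENSIONS written to an -extfile (top-level keys = the "default" section).
make_leaf() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days 1 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_purpose CERT PURPOSE: prints "ok" if OpenSSL accepts CERT for PURPOSE
# (sslclient or sslserver) when chained to the throwaway CA, otherwise "fail".
# The purpose check covers keyUsage, extendedKeyUsage and, if present, nsCertType.
check_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# show_exts CERT: print only the "X509v3 extensions:" block, as quoted in the post.
show_exts() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 extensions:/,/Signature Algorithm:/p' | sed '$d'
}

build_fixture() {
  make_ca
  make_leaf dual 1 "$DUAL_EXT"
  make_leaf nsserver 2 "$NS_SERVER_EXT"
}

build_fixture
for c in dual nsserver; do
  echo "== $c.crt"
  show_exts "$WORK/$c.crt"
  echo "sslclient: $(check_purpose "$WORK/$c.crt" sslclient)"
  echo "sslserver: $(check_purpose "$WORK/$c.crt" sslserver)"
done
```

Run it with sh. The "dual" cert passes both purposes; the "nsserver" cert passes sslserver and fails sslclient with OpenSSL's "unsupported certificate purpose" error. To test a real certificate, point `openssl verify -CAfile <your CA> -purpose sslclient <cert>` at the file each daemon is configured with; a certificate that an SD must use in both directions of an SD-to-SD transfer has to pass both purposes.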