Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Phil Stracchino
On 10/8/20 7:54 PM, Josip Deanovic wrote:
> In case one is using database cluster in round-robin setup, one
> of the master nodes could start lagging which could have unpredictable
> effects on most applications (unless synchronous communication is
> in use).

Exactly, which is why this is safe ONLY with a synchronous cluster.
There is no way to ever make native asynchronous replication fully
multiple-write safe.  There will ALWAYS be the possibility of silent
race conditions which will result in inconsistent data.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Josip Deanovic

On 2020-10-08 15:54, Phil Stracchino wrote:
> On 10/8/20 9:11 AM, Josip Deanovic wrote:
>> Do you have to turn off attribute spooling with 9.6.3 and 9.6.6?
>> Disabling attribute spooling will inflict noticeable performance
>> degradation.
>
> Unfortunately, yes, because the attribute spooling code — at least for
> the MySQL driver — is broken.  It caches all of the attribute data in a
> temporary table until the job is done, then dumps it all into the DB at
> once, ignoring the configured write batch size.  If the job copies more
> than 128K files, this exceeds Galera 3's hard writeset limit.

I see. Thank you for explaining it.
I used to use MySQL for a long time and had no problems because I didn't
use Galera MySQL cluster with Bacula.

> If it honored the batch size setting, it would be perfectly fine.  That
> said, I probably would not have done the spooling that way in the first
> place.  I would have cached the attribute data in memory until I had
> $BATCHSIZE records, then written them directly to the DB in a batch.  I
> honestly think this would perform better than saving them all until the
> end of the job and then ogging the DB with potentially millions of
> records at once.  That is ALWAYS a bad idea.
>
> I'd write and offer a patch — in fact I'd overhaul the entire MySQL
> driver — but I don't know nearly enough C++.


I don't know how these things are implemented in Bacula.
It's possible that Bacula team did it because they thought that it
would help setting up HA for the Bacula director daemon.

In case one is using database cluster in round-robin setup, one
of the master nodes could start lagging which could have unpredictable
effects on most applications (unless synchronous communication is
in use).

With some applications, depending on how they utilize database,
it could lead to some kind of interlocks which would need to be
solved by the cluster software or otherwise it could lead to
long or indefinite timeouts.

Round-robin with database nodes (master-master) is usually fine
for applications that produce small queries and don't have to
create awfully complex relations. Otherwise, database cluster
software would need to take care about locking which brings in
the question of synchronous communication and the overall
performance gain from such setup.


I am aware that some decisions in Bacula regarding dealing with
database connections are not the best.

For example, if you use a Copy which is configured to select like
300 jobs to copy, Bacula would open 600 connections to the database.
Those connections would stay opened until jobs are finished.
For each Copy job that completes, two connections would get released.

And if your database has connection limit set below the number of
connections Bacula temporarily needs, Bacula-dir would segfault.
I have experienced it with Postgres and I have found old posts
in the mailing list archives claiming that the same problem exists
with MySQL as well.

There are a few ways to work around the problem with too many connections
but Bacula director shouldn't segfault.


--
Josip Deanovic




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Phil Stracchino
On 10/8/20 9:11 AM, Josip Deanovic wrote:
> On 2020-10-08 14:56, Phil Stracchino wrote:
>> High availability, fundamentally.  I'd honestly prefer to be using
>> Percona XtraDB Cluster, but there is no working, maintained ebuild for
>> Gentoo Linux — and enterprise customers ARE going to try to use it
>> against HA clusters, so we'd better be sure it works.  Which it does, as
>> long as attribute spooling is disabled (and you're not using Director
>> 9.6.5).
> 
> Do you have to turn off attribute spooling with 9.6.3 and 9.6.6?
> Disabling attribute spooling will inflict noticeable performance
> degradation.


Unfortunately, yes, because the attribute spooling code — at least for
the MySQL driver — is broken.  It caches all of the attribute data in a
temporary table until the job is done, then dumps it all into the DB at
once, ignoring the configured write batch size.  If the job copies more
than 128K files, this exceeds Galera 3's hard writeset limit.

If it honored the batch size setting, it would be perfectly fine.  That
said, I probably would not have done the spooling that way in the first
place.  I would have cached the attribute data in memory until I had
$BATCHSIZE records, then written them directly to the DB in a batch.  I
honestly think this would perform better than saving them all until the
end of the job and then ogging the DB with potentially millions of
records at once.  That is ALWAYS a bad idea.

I'd write and offer a patch — in fact I'd overhaul the entire MySQL
driver — but I don't know nearly enough C++.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Josip Deanovic

On 2020-10-08 14:56, Phil Stracchino wrote:
> Well, I understand that perspective, but this problem appeared instantly
> as soon as I upgraded to 9.6.5, with a DB configuration I've been using
> for years without a hiccup.  I could turn the problem on and off like a
> lightswitch by updating *ONLY* the Director to 9.6.5 or rolling it back
> to 9.6.3, even if connecting directly to the local DB node without using
> HAproxy.  9.6.5 Director, even without HAproxy:  About one in three jobs
> hang.  9.6.3 Director, even WITH Haproxy: No hangs.
>
> So far, 9.6.6. is behaving like 9.6.3.

Interesting.
In that case you are probably right.

>> Are you using MariaDB cluster because you need high availability
>> or because you want to achieve higher database throughput?
>
> High availability, fundamentally.  I'd honestly prefer to be using
> Percona XtraDB Cluster, but there is no working, maintained ebuild for
> Gentoo Linux — and enterprise customers ARE going to try to use it
> against HA clusters, so we'd better be sure it works.  Which it does, as
> long as attribute spooling is disabled (and you're not using Director
> 9.6.5).

Do you have to turn off attribute spooling with 9.6.3 and 9.6.6?
Disabling attribute spooling will inflict noticeable performance
degradation.

--
Josip Deanovic




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Phil Stracchino
On 10/8/20 8:45 AM, djosip+n...@linuxpages.net wrote:
> On 2020-10-08 14:24, Phil Stracchino wrote:
>>
>> Well, so far, it's only been a few days, so my conclusions are cautious.
>> But they are cautiously optimistic.  So far, with the Director still
>> using HAproxy to round-robin DB connections to my MariaDB cluster, I have
>> not seen a single hung job.  But only about a dozen jobs have run so far.
>>
>> On 9.6.5 I would have expected to see one or more hung jobs by now, but
>> I won't feel safe in declaring the problem gone until it's gone at least
>> a couple of weeks without a hung job.
> 
> Ah, I didn't get it that you are using MariaDB cluster.
> 
> It is quite possible that your problems are not directly related
> to Bacula but to the database cluster setup which means that
> new Bacula version will not solve your problem.


Well, I understand that perspective, but this problem appeared instantly
as soon as I upgraded to 9.6.5, with a DB configuration I've been using
for years without a hiccup.  I could turn the problem on and off like a
lightswitch by updating *ONLY* the Director to 9.6.5 or rolling it back
to 9.6.3, even if connecting directly to the local DB node without using
HAproxy.  9.6.5 Director, even without HAproxy:  About one in three jobs
hang.  9.6.3 Director, even WITH Haproxy: No hangs.


So far, 9.6.6. is behaving like 9.6.3.


> Are you using MariaDB cluster because you need high availability
> or because you want to achieve higher database throughput?

High availability, fundamentally.  I'd honestly prefer to be using
Percona XtraDB Cluster, but there is no working, maintained ebuild for
Gentoo Linux — and enterprise customers ARE going to try to use it
against HA clusters, so we'd better be sure it works.  Which it does, as
long as attribute spooling is disabled (and you're not using Director
9.6.5).


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread djosip+news

On 2020-10-08 14:24, Phil Stracchino wrote:
> Well, so far, it's only been a few days, so my conclusions are cautious.
> But they are cautiously optimistic.  So far, with the Director still
> using HAproxy to round-robin DB connections to my MariaDB cluster, I have
> not seen a single hung job.  But only about a dozen jobs have run so far.
>
> On 9.6.5 I would have expected to see one or more hung jobs by now, but
> I won't feel safe in declaring the problem gone until it's gone at least
> a couple of weeks without a hung job.


Ah, I didn't get it that you are using MariaDB cluster.

It is quite possible that your problems are not directly related
to Bacula but to the database cluster setup which means that
new Bacula version will not solve your problem.

Are you using MariaDB cluster because you need high availability
or because you want to achieve higher database throughput?

If it's only high availability you are after, it might be a good idea
to stop using round-robin.


Regards!





Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-08 Thread Phil Stracchino
On 10/6/20 4:56 AM, djosip+n...@linuxpages.net wrote:
> On 2020-10-06 02:07, Phil Stracchino wrote:
>> On 9/28/20 12:33 PM, Phil Stracchino wrote:
>>> test phase 1:  All clients and Storage on 9.6.6, Director still on 9.6.3
>>> No hung jobs so far.  I plan to leave it this way for at least a week
>>> before upgrading the Director to 9.6.6. as well.
>>
>> OK, a week of no issues and monthly full backups just ran.  I am now
>> updating the Director from 9.6.3 to 9.6.6.  No other changes.
>>
>> Fingers crossed.
> 
> 
> I am eager to hear about your conclusions. Good luck.

Well, so far, it's only been a few days, so my conclusions are cautious.
But they are cautiously optimistic.  So far, with the Director still
using HAproxy to round-robin DB connections to my MariaDB cluster, I have
not seen a single hung job.  But only about a dozen jobs have run so far.

On 9.6.5 I would have expected to see one or more hung jobs by now, but
I won't feel safe in declaring the problem gone until it's gone at least
a couple of weeks without a hung job.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-06 Thread djosip+news

On 2020-10-06 02:07, Phil Stracchino wrote:
> On 9/28/20 12:33 PM, Phil Stracchino wrote:
>> test phase 1:  All clients and Storage on 9.6.6, Director still on 9.6.3
>> No hung jobs so far.  I plan to leave it this way for at least a week
>> before upgrading the Director to 9.6.6. as well.
>
> OK, a week of no issues and monthly full backups just ran.  I am now
> updating the Director from 9.6.3 to 9.6.6.  No other changes.
>
> Fingers crossed.

I am eager to hear about your conclusions. Good luck.


Regards!

--
Josip Deanovic




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-10-05 Thread Phil Stracchino

On 9/28/20 12:33 PM, Phil Stracchino wrote:
> On 2020-09-27 15:27, Phil Stracchino wrote:
>> I'm going to re-test the job-hanging problem that I encountered with
>> 9.6.5 Director and see whether that is resolved in 9.6.6 as well.  It
>> mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished
>> as mysteriously.
>
> test phase 1:  All clients and Storage on 9.6.6, Director still on 9.6.3
> No hung jobs so far.  I plan to leave it this way for at least a week
> before upgrading the Director to 9.6.6. as well.

OK, a week of no issues and monthly full backups just ran.  I am now
updating the Director from 9.6.3 to 9.6.6.  No other changes.

Fingers crossed.


--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-09-28 Thread Phil Stracchino
On 2020-09-27 15:27, Phil Stracchino wrote:
> I'm going to re-test the job-hanging problem that I encountered with
> 9.6.5 Director and see whether that is resolved in 9.6.6 as well.  It
> mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished
> as mysteriously.

test phase 1:  All clients and Storage on 9.6.6, Director still on 9.6.3
No hung jobs so far.  I plan to leave it this way for at least a week
before upgrading the Director to 9.6.6. as well.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-09-27 Thread Phil Stracchino
On 2020-09-27 02:57, Josip Deanovic wrote:
> So I am writing here to inform people who might have experienced the
> TLS error with bacula-fd 9.6.5 on Centos 7 and Centos 6 that Bacula
> 9.6.6 has solved that problem.

I'm going to re-test the job-hanging problem that I encountered with
9.6.5 Director and see whether that is resolved in 9.6.6 as well.  It
mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished
as mysteriously.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958




Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-09-27 Thread Mario Pranjic
Very good!

Thanks for info! :)

Best regards,

--
Mario.


On Sun, 27 Sep 2020 at 09:06, Josip Deanovic <
djosip+n...@linuxpages.net> wrote:

> Hello,
>
> I have stumbled upon a bug in Bacula 9.6.5 on Centos 7 and Centos 6
> where bacula-fd would fail starting with error mentioning TLS
> not being able to find ciphers.
>
> Configuration of the file daemons is correct and it works without
> modifications with stock Centos 7 (5.2) and Centos 6 (5.0) Bacula
> file daemons. Centos 8 is working fine with 9.6.5 without issues.
>
> I have failed to find the cause and a few days ago Bacula 9.6.6 was
> released so I tried that version and the TLS problem was gone.
>
> So I am writing here to inform people who might have experienced the
> TLS error with bacula-fd 9.6.5 on Centos 7 and Centos 6 that Bacula
> 9.6.6 has solved that problem.
>
>
> Regards!
>
> --
> Josip Deanovic


[Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6

2020-09-27 Thread Josip Deanovic
Hello,

I have stumbled upon a bug in Bacula 9.6.5 on Centos 7 and Centos 6
where bacula-fd would fail starting with error mentioning TLS
not being able to find ciphers.

Configuration of the file daemons is correct and it works without
modifications with stock Centos 7 (5.2) and Centos 6 (5.0) Bacula
file daemons. Centos 8 is working fine with 9.6.5 without issues.

I have failed to find the cause and a few days ago Bacula 9.6.6 was
released so I tried that version and the TLS problem was gone.

So I am writing here to inform people who might have experienced the
TLS error with bacula-fd 9.6.5 on Centos 7 and Centos 6 that Bacula
9.6.6 has solved that problem.


Regards!

-- 
Josip Deanovic




Re: [Bacula-users] bacula and tls. Can't get that working

2011-11-11 Thread Oliver Hoffmann
 Verify the keyUsage of your certs..
 Try to create a cert with all usages: keyUsage = digitalSignature,
 nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
 keyCertSign, cRLSign, encipherOnly, decipherOnly
 
 2011/11/8 Oliver Hoffmann o...@dom.de
 
  Hi all,
 
 
  it is such a hassle to get that running. Could someone guide me
  please?
 
  1. What I did
 
  I made my own CA using this guide:
  https://help.ubuntu.com/community/OpenSSL
  Now I have a CA and self-signed keys. So there are server_crt.pem,
  server_key.pem and cacert.pem. The common name is always
  ba-server.some.domain. I altered the file index.txt.attr. Now it
  reads unique_subject = no.
 
  Of course I read this one:
  http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
  and then that one:
  http://www.devco.net/pubwiki/Bacula/TLS/
  which was quite helpful. I tried to have an encrypted communication
  between the director and bconsole as a first attempt but it doesn't
  work.
 
  bconsole.conf looks like:
 
  Director {
   Name = ba-server-dir
   DIRport = 9101
   address = ba-server.some.domain
   Password = mypw
   TLS Enable = yes
   TLS Require = yes
   TLS CA Certificate File = /etc/bacula/certs/cacert.pem
   TLS Certificate = /etc/bacula/certs/server_crt.pem
   TLS Key = /etc/bacula/certs/server_key.pem
  }
 
  bacula-dir.conf (just the upper part):
 
  Director {  # define myself
   Name = ba-server-dir
   DIRport = 9101  # where we listen for UA connections
   QueryFile = /etc/bacula/scripts/query.sql
   WorkingDirectory = /var/lib/bacula
   PidDirectory = /var/run/bacula
   Password = mypw
   Messages = Daemon
   DirAddress = ba-server.some.domain
   Heartbeat Interval = 60
   Maximum Concurrent Jobs = 20
 
   TLS Enable = yes
   TLS Require = yes
  #  TLS Verify Peer = yes
  #  TLS Allowed CN = ba-server.some.domain
   TLS CA Certificate File = /etc/bacula/certs/cacert.pem
   TLS Certificate = /etc/bacula/certs/server_crt.pem
   TLS Key = /etc/bacula/certs/server_key.pem
  }
 
  I used TLS Verify Peer and TLS Allowed CN as well before.
 
 
  2. What I got:
 
  Connecting to Director ba-server.some.domain:9101
  TLS negotiation failed
  Director authorization problem.
  Most likely the passwords do not agree.
  If you are using TLS, there may have been a certificate validation
  error during the TLS handshake. Please see
 
  http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00376
  for help.
 
  In the log file I see:
 
  08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
  certificate at depth: 0, issuer
  = /CN=ba-server.some.domain and so on
  ERR=26:unsupported certificate purpose
 
  Thus I searched for unsupported certificate purpose and found out
  that nsCertType was set to server. Means both certs have a purpose
  called server. I made a new crt/key with client. No success.
 
  I couldn't find either how to set nsCertType to nothing or if
  bacula is able to ignore such a setting.
 
  Thanks for help!
 
  Greetings,
 
  Oliver
 
 
 
 
 
 
 
 
 
 

Thank you. After a while I figured out how to do this. Furthermore I
had nsCertType = server in my caconfig.cnf and commented it. Now I
see:
 
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

With such a cert the communication bconsole -- director finally
works. 

Next I tried to get the local fd talking TLS (with the same cacert, crt
and key), but:

09-Nov 18:01 ba-server-fd: Fatal Error at filed.c:556 because:
Konnte TLS context für Director nicht initialisieren ba-server-dir
in /etc/bacula/bacula-fd.conf.

The German sentence means Couldn't initialize TLS context for director
ba-server-dir.

Eventually I got it. The problem was FQDN in the cert but not at
FDAddress =.

Hence the major issues with TLS and bacula are FQDN confusion and
purposes of certs. That's what I experienced and that's what I found
all the time while searching the web.

Cheers,

Oliver










[Bacula-users] bacula and tls. Can't get that working

2011-11-08 Thread Oliver Hoffmann
Hi all,


it is such a hassle to get that running. Could someone guide me please?

1. What I did

I made my own CA using this guide:
https://help.ubuntu.com/community/OpenSSL
Now I have a CA and self-signed keys. So there are server_crt.pem,
server_key.pem and cacert.pem. The common name is always
ba-server.some.domain. I altered the file index.txt.attr. Now it reads
unique_subject = no.

Of course I read this one:
http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
and then that one:
http://www.devco.net/pubwiki/Bacula/TLS/
which was quite helpful. I tried to have an encrypted communication
between the director and bconsole as a first attempt but it doesn't
work.

bconsole.conf looks like:

Director {
  Name = ba-server-dir
  DIRport = 9101
  address = ba-server.some.domain
  Password = mypw
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}

bacula-dir.conf (just the upper part):

Director {  # define myself
  Name = ba-server-dir
  DIRport = 9101  # where we listen for UA connections
  QueryFile = /etc/bacula/scripts/query.sql
  WorkingDirectory = /var/lib/bacula
  PidDirectory = /var/run/bacula
  Password = mypw
  Messages = Daemon
  DirAddress = ba-server.some.domain
  Heartbeat Interval = 60
  Maximum Concurrent Jobs = 20

  TLS Enable = yes
  TLS Require = yes
#  TLS Verify Peer = yes
#  TLS Allowed CN = ba-server.some.domain
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}

I used TLS Verify Peer and TLS Allowed CN as well before.


2. What I got:

Connecting to Director ba-server.some.domain:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation
error during the TLS handshake. Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00376
for help.

In the log file I see:

08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
certificate at depth: 0, issuer
= /CN=ba-server.some.domain and so on
ERR=26:unsupported certificate purpose 

Thus I searched for unsupported certificate purpose and found out
that nsCertType was set to server. Means both certs have a purpose
called server. I made a new crt/key with client. No success. 

I couldn't find either how to set nsCertType to nothing or if bacula is
able to ignore such a setting.

Thanks for help!

Greetings,

Oliver







Re: [Bacula-users] bacula and tls. Can't get that working

2011-11-08 Thread william felipe_welter
Verify the keyUsage of your certs..
Try to create a cert with all usages: keyUsage = digitalSignature,
nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
keyCertSign, cRLSign, encipherOnly, decipherOnly

2011/11/8 Oliver Hoffmann o...@dom.de

 Hi all,


 it is such a hassle to get that running. Could someone guide me please?

 1. What I did

 I made my own CA using this guide:
 https://help.ubuntu.com/community/OpenSSL
 Now I have a CA and self-signed keys. So there are server_crt.pem,
 server_key.pem and cacert.pem. The common name is always
 ba-server.some.domain. I altered the file index.txt.attr. Now it reads
 unique_subject = no.

 Of course I read this one:
 http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
 and then that one:
 http://www.devco.net/pubwiki/Bacula/TLS/
 which was quite helpful. I tried to have an encrypted communication
 between the director and bconsole as a first attempt but it doesn't
 work.

 bconsole.conf looks like:

 Director {
  Name = ba-server-dir
  DIRport = 9101
  address = ba-server.some.domain
  Password = mypw
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
 }

 bacula-dir.conf (just the upper part):

 Director {  # define myself
  Name = ba-server-dir
  DIRport = 9101  # where we listen for UA connections
  QueryFile = /etc/bacula/scripts/query.sql
  WorkingDirectory = /var/lib/bacula
  PidDirectory = /var/run/bacula
  Password = mypw
  Messages = Daemon
  DirAddress = ba-server.some.domain
  Heartbeat Interval = 60
  Maximum Concurrent Jobs = 20

  TLS Enable = yes
  TLS Require = yes
 #  TLS Verify Peer = yes
 #  TLS Allowed CN = ba-server.some.domain
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
 }

 I used TLS Verify Peer and TLS Allowed CN as well before.


 2. What I got:

 Connecting to Director ba-server.some.domain:9101
 TLS negotiation failed
 Director authorization problem.
 Most likely the passwords do not agree.
 If you are using TLS, there may have been a certificate validation
 error during the TLS handshake. Please see

 http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00376
 for help.

 In the log file I see:

 08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
 certificate at depth: 0, issuer
 = /CN=ba-server.some.domain and so on
 ERR=26:unsupported certificate purpose

 Thus I searched for unsupported certificate purpose and found out
 that nsCertType was set to server. Means both certs have a purpose
 called server. I made a new crt/key with client. No success.

 I couldn't find either how to set nsCertType to nothing or if bacula is
 able to ignore such a setting.

 Thanks for help!

 Greetings,

 Oliver










-- 
William Felipe Welter
--
Consultor em Tecnologias Livres
william.wel...@4linux.com.br
www.4linux.com.br


[Bacula-users] Bacula and TLS

2011-06-30 Thread Mike Hobbs
I'm trying to get TLS working with bacula, I'm following the 
instructions on this web site:

http://www.devco.net/pubwiki/Bacula/TLS/

I came to this statement Repeat this certificate creation steps - 
create a key, csr and cert - for each of your clients and directors

My question is, is it possible to setup TLS and Bacula with the same 
certs and keys?  Do I really have to create and sign a cert for *every* 
client I want to back up?  I have hundreds of machines, I hope there is 
an easier way of doing this.

Thank you!

mike



Re: [Bacula-users] Bacula and TLS

2011-06-30 Thread Ansgar Konermann
On 30.06.2011 20:28, Mike Hobbs wrote:
 I'm trying to get TLS working with bacula, I'm following the 
 instructions on this web site:

 http://www.devco.net/pubwiki/Bacula/TLS/

 I came to this statement Repeat this certificate creation steps - 
 create a key, csr and cert - for each of your clients and directors

 My question is, is it possible to setup TLS and Bacula with the same 
 certs and keys?  Do I really have to create and sign a cert for *every* 
 client I want to back up?  I have hundreds of machines, I hope there is 
 an easier way of doing this.

Hi Mike,

Clients sharing the same key can quite easily obtain access to files
backed up from a different client. If this is acceptable, you could also
use the same key.

If not, you might be able to automate key creation and distribution in
some way (scripting, puppet, ... whatever you like).

Regards

Ansgar
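
The certificate-purpose and FQDN problems Oliver reports in the 2011 thread, and the per-client issuance Ansgar suggests scripting, as one added example that is not part of any message here. The host names, file layout and the `server_only` / `bacula_host` profile names are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, file names and profile
# names are constructed; it assumes the openssl command-line tool is installed.
set -eu

# write_conf FILE NAME: OpenSSL config with a CA profile and two host profiles.
write_conf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_only]
# Mirrors the nsCertType = server line from the thread: TLS server role only.
basicConstraints = CA:FALSE
nsCertType = server
subjectAltName = DNS:$2
[bacula_host]
# Both TLS roles allowed, for a certificate that is used on either side.
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$2
EOF
}

# make_ca DIR: self-signed CA in DIR/cacert.pem with its key in DIR/cakey.pem.
make_ca() {
    mkdir -p "$1"
    write_conf "$1/ca.cnf" bacula-ca.example.test
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/ca.cnf" -extensions ca_ext \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1 </dev/null
    chmod 600 "$1/cakey.pem"
}

# issue_cert CA_DIR FQDN PROFILE: new key + CA-signed cert; prints the cert path.
issue_cert() {
    ca=$1 fqdn=$2 profile=$3
    out="$ca/$fqdn.$profile"
    write_conf "$out.cnf" "$fqdn"
    openssl req -new -newkey rsa:2048 -nodes -config "$out.cnf" \
        -keyout "$out.key.pem" -out "$out.csr" >/dev/null 2>&1 </dev/null
    chmod 600 "$out.key.pem"
    openssl x509 -req -in "$out.csr" -days 365 \
        -CA "$ca/cacert.pem" -CAkey "$ca/cakey.pem" -CAcreateserial \
        -extfile "$out.cnf" -extensions "$profile" \
        -out "$out.crt.pem" >/dev/null 2>&1 </dev/null
    echo "$out.crt.pem"
}

# purpose_ok CA CERT PURPOSE: true if CERT chains to CA and may act as
# PURPOSE (sslserver or sslclient). Old releases exit 0 despite "error 26".
purpose_ok() {
    res=$(openssl verify -CAfile "$1" -purpose "$3" "$2" 2>&1) || return 1
    case $res in *"error "*) return 1 ;; esac
}

# host_matches CERT NAME: true if CERT names NAME, the string you would put
# in an address directive such as FDAddress.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# issue_fleet CA_DIR HOSTS_FILE: one key and certificate per listed FQDN,
# so that no two clients share a private key.
issue_fleet() {
    while read -r host; do
        [ -z "$host" ] || issue_cert "$1" "$host" bacula_host >/dev/null
    done < "$2"
}

# demo: print how each profile fares in each TLS role, then the name check.
demo() {
    work=$(mktemp -d)
    make_ca "$work"
    for p in server_only bacula_host; do
        crt=$(issue_cert "$work" ba-server.some.domain "$p")
        for role in sslserver sslclient; do
            purpose_ok "$work/cacert.pem" "$crt" "$role" && r=ok || r=rejected
            echo "$p as $role: $r"
        done
    done
    for name in ba-server.some.domain ba-server; do
        host_matches "$crt" "$name" && r=match || r="no match"
        echo "$name: $r"
    done
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Called with the single argument `demo`, the script prints one line per profile and role; the `server_only` certificate is rejected as `sslclient`, which is the "unsupported certificate purpose" case from the thread.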



[Bacula-users] Bacula and TLS

2008-01-22 Thread Adrián Ribao Martínez
After reading http://www.bacula.org/dev-manual/Bacula_TLS_Communication.html, 
I can't figure out how to set up bacula to use TLS and what's the meaning of 
the options.
Is there any howto about setting up TLS in bacula?

Currently I'm doing backups through the internet so I'd like to set a secure 
connection as soon as possible.

In the docs I've seen:
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem

How can I generate?
/usr/local/etc/ssl/backup1/cert.pem
/usr/local/etc/ssl/backup1/key.pem
/usr/local/etc/ssl/ca.pem

-- 
Adrián Ribao Martínez




Re: [Bacula-users] Bacula and TLS

2008-01-22 Thread Dan Langille
Adrián Ribao Martínez wrote:
> After reading http://www.bacula.org/dev-manual/Bacula_TLS_Communication.html,

NOTE, you are reading the development manual, for a yet to be released 
version of Bacula.  I suspect you should be reading the released manual:

http://www.bacula.org/rel-manual/Bacula_TLS_Communication.html

However, I also suspect the two chapters are identical in this case.

> I can't figure out how to set up bacula to use TLS and what's the meaning of
> the options.
> Is there any howto about setting up TLS in bacula?

I wrote one:

http://www.freebsddiary.org/bacula-tls.php

> Currently I'm doing backups through the internet so I'd like to set a secure
> connection as soon as possible.
>
> In the docs I've seen:
> TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
> # This is a server certificate, used for incoming
> # console connections.
> TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
> TLS Key = /usr/local/etc/ssl/backup1/key.pem
>
> How can I generate?
> /usr/local/etc/ssl/backup1/cert.pem
> /usr/local/etc/ssl/backup1/key.pem
> /usr/local/etc/ssl/ca.pem

Certificate generation deserves a topic all on its own.  There are many 
howtos for that.  I used cacert.org for generating my certificate.

-- 
Dan Langille

BSDCan - The Technical BSD Conference : http://www.bsdcan.org/
PGCon  - The PostgreSQL Conference: http://www.pgcon.org/
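
One way to script the certificate creation asked about in this thread and in the "hundreds of machines" question in the 2011 thread, as an added example that is not from any of the posts or from the Bacula project: a private CA plus a unique key and CA-signed certificate per host, using the stock `openssl` CLI. The function names, directory layout, subject fields and host names are assumptions; the outputs map to `TLS CA Certificate File` (`ca.pem`), `TLS Certificate` (`cert.pem`) and `TLS Key` (`key.pem`).

```shell
#!/bin/sh
# Added example: private CA plus a unique key and CA-signed cert per Bacula host.
# Directory layout, subject fields and host names are assumptions.

# make_ca DIR: create DIR/ca.key and DIR/ca.pem unless they already exist.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir" || return 1
    if [ -f "$ca_dir/ca.pem" ]; then return 0; fi
    ( umask 077; openssl genrsa -out "$ca_dir/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -key "$ca_dir/ca.key" -sha256 -days 3650 \
        -subj "/O=Example Backup/CN=Example Bacula CA" -out "$ca_dir/ca.pem"
}

# issue_cert DIR FQDN: write DIR/FQDN/key.pem and DIR/FQDN/cert.pem.
issue_cert() {
    ca_dir=$1; fqdn=$2; out="$ca_dir/$fqdn"
    if [ -f "$out/cert.pem" ]; then return 0; fi   # never reissue silently
    mkdir -p "$out" || return 1
    # Generate the key under a restrictive umask so it is never world-readable.
    ( umask 077; openssl genrsa -out "$out/key.pem" 2048 2>/dev/null ) || return 1
    # CN is the host name, the value a peer would list in "TLS Allowed CN".
    openssl req -new -key "$out/key.pem" -subj "/O=Example Backup/CN=$fqdn" \
        -out "$out/req.csr" || return 1
    openssl x509 -req -in "$out/req.csr" -CA "$ca_dir/ca.pem" -CAkey "$ca_dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$out/cert.pem" 2>/dev/null || return 1
    rm -f "$out/req.csr"
    # Only hand out a certificate that chains to the CA the daemons will trust.
    openssl verify -CAfile "$ca_dir/ca.pem" "$out/cert.pem" >/dev/null
}

# issue_all DIR HOSTLIST: one certificate per non-comment line of HOSTLIST;
# prints the number of hosts processed.
issue_all() {
    make_ca "$1" || return 1
    issued=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        issue_cert "$1" "$line" </dev/null || return 1
        issued=$((issued + 1))
    done < "$2"
    echo "$issued"
}
```

Each host gets its own private key, so distribution (puppet, scp, or similar) only ever copies `key.pem` to the one machine it belongs to; `ca.key` stays on the issuing host.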



[Bacula-users] Bacula and TLS, without client certificates...

2007-12-19 Thread Marco Gaiarin

Ok, now my bacula setup is rather decent, next step enable TLS.

I've looked at FAQ, HOWTOs, manual... but I've not found an answer to
this question.


Can I enable TLS without 'client' (fd) certificate, but only 'server'
(dir) certificates, as usually done by SSL/TLS apps/protocols (https,
ldaps, ...)?
I think that the 'hash/password' is for me a sufficient
security/identification measure, and I don't want to generate
and deploy certificates for all the clients.

Speaking practically: a setup like:

bacula-dir.conf:

Director {
TLS Enable = yes
TLS Required = yes
TLS Verify Peer = no
TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
[...other non-TLS conf...]


bacula-fd.conf

Director {
TLS Enable = yes
TLS Required = yes
TLS Verify Peer = yes
TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
[...other non-TLS conf...]


-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



Re: [Bacula-users] Bacula and TLS, without client certificates...

2007-12-19 Thread Frank Sweetser
Marco Gaiarin wrote:
> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to
> this question.
>
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server'
> (dir) certificates, as usually done by SSL/TLS apps/protocols (https,
> ldaps, ...)?

No, since from an SSL perspective, all of the bacula daemons end up acting as
both client and server.  The director connects to the fd, the fd connects to
the sd, etc.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC



Re: [Bacula-users] Bacula and TLS, without client certificates...

2007-12-19 Thread Dan Langille
Marco Gaiarin wrote:
> Ok, now my bacula setup is rather decent, next step enable TLS.
>
> I've looked at FAQ, HOWTOs, manual... but I've not found an answer to
> this question.
>
>
> Can I enable TLS without 'client' (fd) certificate, but only 'server'
> (dir) certificates, as usually done by SSL/TLS apps/protocols (https,
> ldaps, ...)?
>
> I think that the 'hash/password' is for me a sufficient
> security/identification measure, and I don't want to generate
> and deploy certificates for all the clients.
>
> Speaking practically: a setup like:
>
> bacula-dir.conf:
>
>   Director {
>   TLS Enable = yes
>   TLS Required = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>   TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
>   TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
>   [...other non-TLS conf...]
>
>
> bacula-fd.conf
>
>   Director {
>   TLS Enable = yes
>   TLS Required = yes
>   TLS Verify Peer = yes
>   TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>   [...other non-TLS conf...]

I am pretty sure you need a TLS Certificate on each client.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/



Re: [Bacula-users] bacula and tls

2007-10-18 Thread Landon Fuller


On Oct 4, 2007, at 5:01 PM, Dave wrote:

> Hello,
> Is anyone using tls with the latest bacula? I've installed the latest
> server on both FreeBSD via ports, and a CentOS 5 box, and I'm getting the
> same tls error, unable to load certification information on both.

I just upgraded our primary backup server from 2.0.3 to 2.2.5, and
it's working just fine. I'd suggest triple checking the permissions
on the certificates it's trying to load.


-landonf




Re: [Bacula-users] bacula and tls

2007-10-18 Thread Dave
Hello,
Thanks for your reply. I did recheck those permissions, they are 644,
shouldn't have a problem reading them. These are also the same certs the
storage and file daemons load, so I am confused. If I can provide any
additional information let me know.
Thanks.
Dave.

- Original Message - 
From: Landon Fuller [EMAIL PROTECTED]
To: Dave [EMAIL PROTECTED]
Cc: bacula-users@lists.sourceforge.net
Sent: Thursday, October 18, 2007 5:23 PM
Subject: Re: [Bacula-users] bacula and tls





Re: [Bacula-users] [Bacula-devel] TLS - required/enabled

2006-09-05 Thread Kern Sibbald
On Tuesday 05 September 2006 01:25, Dan Langille wrote:
> On 4 Sep 2006 at 17:42, Kern Sibbald wrote:
>
> > On Monday 04 September 2006 16:53, Dan Langille wrote:
> > > I've found that TLS Require = yes stops comms from working.
> > >
> > > I needed TLS Enable = yes.  This is with a 1.38.8 Director and a
> > > bacula-client-1.38.11_1. Does that make sense?  With just TLS
> > > Require = yes and not TLS Enable = yes, I get:
> > >
> > > 04-Sep 10:45 bacula-dir: *Console*.2006-09-04_10.45.22 Fatal error:
> > > Authorization problem: Remote server did not advertise required TLS
> > > support.
> > >
> > > If I change to TLS Enable = yes, then the status command works.
> > >
> > > The bacula-fd.conf specifies:
> > >
> > >   TLS Enable  = yes
> > >   TLS Require = yes
> > >
> > > If more details are required, I can provide them.
> >
> > That sounds perfectly logical to me.
>
> OK, then let me add to the equation.
>
> With this in the client resource on bacula-dir.conf:
>
>   TLS Require= yes
>   TLS Enable = yes
>
> And this in the bacula-fd.conf:
>
>   TLS Enable  = yes
>   TLS Require = yes
>
> we get:
>
> Fatal error: Authorization problem: Remote server did not advertise
> required TLS support.

When?  What have you done, started the daemons?

> If I remove TLS Require= yes from bacula-dir.conf, status works
> just fine.

Oh, so you are doing some Status command.  From what (bconsole?), and what 
kind of status command?  And what is defined in the bconsole (or whatever) 
conf file concerning TLS?



Re: [Bacula-users] [Bacula-devel] TLS - required/enabled

2006-09-04 Thread Dan Langille
On 4 Sep 2006 at 17:42, Kern Sibbald wrote:

> On Monday 04 September 2006 16:53, Dan Langille wrote:
> > I've found that TLS Require = yes stops comms from working.
> >
> > I needed TLS Enable = yes.  This is with a 1.38.8 Director and a
> > bacula-client-1.38.11_1. Does that make sense?  With just TLS
> > Require = yes and not TLS Enable = yes, I get:
> >
> > 04-Sep 10:45 bacula-dir: *Console*.2006-09-04_10.45.22 Fatal error:
> > Authorization problem: Remote server did not advertise required TLS
> > support.
> >
> > If I change to TLS Enable = yes, then the status command works.
> >
> > The bacula-fd.conf specifies:
> >
> >   TLS Enable  = yes
> >   TLS Require = yes
> >
> > If more details are required, I can provide them.
>
> That sounds perfectly logical to me.

OK, then let me add to the equation.

With this in the client resource on bacula-dir.conf:

  TLS Require= yes
  TLS Enable = yes

And this in the bacula-fd.conf:

  TLS Enable  = yes
  TLS Require = yes

we get:

Fatal error: Authorization problem: Remote server did not advertise 
required TLS support.

If I remove TLS Require= yes from bacula-dir.conf, status works 
just fine.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php




[Bacula-users] bacula console tls

2006-07-13 Thread Dave
Hello,
I'm trying to get tls going on bacula 1.38.11. I've created and 
installed keys via the howto at:

http://www.eclectica.ca/howto/ssl-cert-howto.php

This part went fine and the relevant portions of my config are below. I've
restarted the daemons and all worked fine, I did not get any errors. When I
attempted to connect with bconsole I got an authorization error:

#bconsole -c bconsole.conf
Connecting to Director zeus:9101
Authorization problem: Remote server requires TLS.
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error 
during the TLS handshake.
Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for 
help.

I've checked that location, and I've verified the names match. I'm running a
local dns server and have added an A record for the bacula entry. I'm
suspecting I have my tls options defined incorrectly.
Any help appreciated.
Thanks.
Dave.

# host bacula.example.com
bacula.example.com has address 192.168.0.3

bconsole.conf:
Director {
  Name = bacula-dir
  DIRport = 9101
  address = bacula.example.com
  Password = xxx
}

bacula-fd.conf:
#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = bacula-dir
  Password = xxx
TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = bacula.example.com
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
# This is a server certificate. It is used by connecting
# directors to verify the authenticity of this file daemon
TLS Certificate = /usr/local/etc/bacula/cert.pem
TLS Key = /usr/local/etc/bacula/key.pem
}

bacula-sd.conf:
Storage { # definition of myself
  Name = bacula-sd
  SDPort = 9103  # Director's port
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
# These TLS configuration options are used for incoming
# file daemon connections. Director TLS settings are handled
# below.
TLS Require = yes
# Peer certificate is not required/requested -- peer validity
# is verified by the storage connection cookie provided to the
# File Daemon by the director.
TLS Verify Peer = no
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
# This is a server certificate. It is used by connecting
# file daemons to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/bacula/cert.pem
TLS Key = /usr/local/etc/bacula/key.pem
}

#
# List Directors who are permitted to contact Storage daemon
#
Director {
  Name = bacula-dir
  Password = xxx
TLS Require = yes
# Require the connecting director to provide a certificate
# with the matching CN.
TLS Verify Peer = yes
TLS Allowed CN = bacula.example.com
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
# This is a server certificate. It is used by the connecting
# director to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/bacula/cert.pem
TLS Key = /usr/local/etc/bacula/key.pem
}

Device {
  Name = FileStorage
  Media Type = File
  Archive Device = /backup/bacula
  LabelMedia = yes;   # lets Bacula label unlabeled media
  Random Access = Yes;
  AutomaticMount = yes;   # when device opened, read it
  RemovableMedia = no;
  AlwaysOpen = no;
}

bacula-dir.conf:
Director {# define myself
  Name = bacula-dir
  DIRport = 9101# where we listen for UA connections
  QueryFile = /usr/local/share/bacula/query.sql
  WorkingDirectory = /var/db/bacula
  PidDirectory = /var/run
  Maximum Concurrent Jobs = 3
  Password = xxx
  Messages = Daemon
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = [EMAIL PROTECTED]
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
# This is a server certificate
# used for incoming console connections from the first client
TLS Certificate = /usr/local/etc/bacula/cert.pem
TLS Key = /usr/local/etc/bacula/key.pem
}

# Definition of file storage device
Storage {
  Name = File
  Address = bacula.example.com# N.B. Use a fully qualified name here
  SDPort = 9103
  Password = xxx
  Device = FileStorage
  Media Type = File
TLS Require = yes
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
# This is a client certificate, used by the director to
# connect to the storage daemon
TLS Certificate = /usr/local/etc/bacula/cert.pem
TLS Key = /usr/local/etc/bacula/key.pem
}
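
A lint over configuration like the files posted above, as an added example that is not part of the original post or of Bacula: it reports a resource that sets `TLS Require = yes` without `TLS Enable = yes` (the combination discussed in the "TLS - required/enabled" thread above), and, when any resource requires TLS, a peer resource with no TLS directives at all, as in the posted `bconsole.conf`. The function names, the list of TLS-capable resource types and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag the TLS mismatches reported in this thread.
# Assumes one directive per line; only the resource types named in the
# regex below are treated as TLS-capable (an assumption).
lint_bacula_tls() {
    awk '
    function flush() {
        if (req && !ena)
            printf "%s:%d: %s sets TLS Require without TLS Enable\n", file, start, res
        else if (!req && !ena && res ~ /^(director|client|filedaemon|storage|console)$/)
            bare[++nb] = sprintf("%s:%d: %s has no TLS directives", file, start, res)
        if (req) anyreq = 1
        res = ""; req = 0; ena = 0
    }
    { sub(/#.*/, "") }                        # strip comments
    /\{/ {                                    # name the outermost resource only
        if (depth++ == 0) {
            res = tolower($0); sub(/\{.*/, "", res); gsub(/[ \t]/, "", res)
            file = FILENAME; start = FNR
        }
        if ($0 ~ /\}/ && --depth == 0) flush()
        next
    }
    /\}/ { if (--depth == 0) flush(); next }
    depth == 1 && /=/ {
        # Bacula keywords ignore case and spaces: "TLS Enable" == "tlsenable".
        key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, index($0, "=") + 1));    gsub(/[ \t;"]/, "", val)
        on = (val == "yes" || val == "true")
        if (key == "tlsrequire" && on) req = 1
        if (key == "tlsenable"  && on) ena = 1
    }
    END {   # a bare resource only matters if some peer insists on TLS
        if (anyreq) for (i = 1; i <= nb; i++) print bare[i]
    }
    ' "$@"
}

# write_sample DIR: constructed input modelled on the post (placeholder names).
write_sample() {
    printf '%s\n' 'Director {' '  Name = bacula-dir' \
        '  address = bacula.example.com' '}' > "$1/bconsole.conf"
    printf '%s\n' 'Director {   # define myself' '  Name = bacula-dir' \
        '  TLS Require = yes' '  TLS Verify Peer = yes' '}' \
        'Storage {' '  Name = File' '  TLS Enable = yes' \
        '  TLS Require = yes' '}' > "$1/bacula-dir.conf"
}
```

Run it as `lint_bacula_tls bconsole.conf bacula-dir.conf bacula-fd.conf bacula-sd.conf`; each finding is printed as `file:line: resource message`.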



___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net