Re: [Bacula-users] bacula TLS help

2013-12-02 Thread Radosław Korzeniewski
Hello,

2013/11/30 Tim Dunphy bluethu...@gmail.com

 [root@storage:/etc/bacula] #bconsole

 Connecting to Director storage.jokefire.com:9101

 TLS negotiation failed
 Director authorization problem.
 Most likely the passwords do not agree.
 If you are using TLS, there may have been a certificate validation error 
 during the TLS handshake.
 Please see 
 http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION0026
  for help.

In my opinion, which was confirmed by Bacula support, TLS with bconsole is
not working (it has some BUG inside). But TLS with FD or SD is working
fine - I have a lot of TLS deployments of this kind.

I hope this helps.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
--
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET,  PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351iu=/4140/ostg.clktrk___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] bacula TLS help

2013-11-30 Thread Dimitri Maziuk
On 2013-11-29 19:20, Tim Dunphy wrote:
 On 2013-11-29 18:37, Tim Dunphy wrote:
 ... (and unfortunately I feel like  I'm spinning in circles)

 Maybe you should try a different circle, like try stunnel?


 Not the worst idea I've heard. Or maybe sshuttle. Still would prefer to
 work out the Bacula approach, provided it doesn't cause way too many
 headaches!

Given the problems with ssl in general and gneon implementation in 
particular, I'd prefer a stunnel, vpn, or ssh forward. Unless the 
requirement is to show a little padlock icon in the browser's status bar.

cheers
Dima





Re: [Bacula-users] bacula TLS help

2013-11-29 Thread Dimitri Maziuk
On 2013-11-29 18:37, Tim Dunphy wrote:
... (and unfortunately I feel like  I'm spinning in circles)

Maybe you should try a different circle, like try stunnel?

Dima




Re: [Bacula-users] bacula TLS help

2013-11-29 Thread Tim Dunphy

 On 2013-11-29 18:37, Tim Dunphy wrote:
 ... (and unfortunately I feel like  I'm spinning in circles)

 Maybe you should try a different circle, like try stunnel?


Not the worst idea I've heard. Or maybe sshuttle. Still would prefer to
work out the Bacula approach, provided it doesn't cause way too many
headaches!

Tim


 Dima




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [Bacula-users] bacula TLS help

2013-11-28 Thread Iban Cabrillo
HI Tim,
  I was pretty sure that the trouble was on the CN, could you try to
create the cert without the email value??
/emailAddress=bluethu...@gmail.com,
only CN=storage.jokefire.com.

 Have you checked too that these files:

  /etc/pki/tls/certs/storage.jokefire.com.crt
  /etc/pki/tls/private/storage.jokefire.com.key

belong to the bacula user?

regards, I



Re: [Bacula-users] bacula TLS help

2013-11-28 Thread Tim Dunphy
Hi Iban,

 HI Tim,
   I was pretty sure that the trouble was on the CN, could you try to
 create the cert without the email value??
 /emailAddress=bluethu...@gmail.com,
 only CN=storage.jokefire.com.

  Have you checked too that these files:

   /etc/pki/tls/certs/storage.jokefire.com.crt
   /etc/pki/tls/private/storage.jokefire.com.key

 belong to the bacula user?

 regards, I



I was able to recreate the cert without the email address and ensure that
the files were owned by the bacula user:

[root@storage:~/bacula-certs-new] #ls -l
/etc/pki/tls/certs/storage.jokefire.com.crt
/etc/pki/tls/private/storage.jokefire.com.key
/etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53
/etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54
/etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54
/etc/pki/tls/private/storage.jokefire.com.key
You have mail in /var/spool/mail/root


And this is what the Subject line of the key file looks like now:

openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text

Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com

Once again all services bounce cleanly.

However when I go into bconsole this is what I find:

[root@storage:~/bacula-certs-new] #bconsole
Connecting to Director storage.jokefire.com:9101
28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at
depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com,
subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self
signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error
during the TLS handshake.
Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION0026
for help.


Passwords have not been changed from the working configs, which have been
in place and working for several months now.

Any further thoughts?

Many thanks and I hope you are enjoying your holiday!

Tim



Re: [Bacula-users] bacula TLS help

2013-11-28 Thread Ana Emília M . Arruda
Hi Tim! Hi Iban!

Maybe the problem is in using TLS Verify Peer = yes with self-signed
certificates. I found in
http://www.bacula.org/manuals/en/concepts/concepts/Bacula_TLS_Communication.html
:


*TLS Verify Peer = yes|no*
Verify peer certificate. Instructs server to request and verify the client's
x509 certificate. Any client certificate signed by a known-CA will be accepted
unless the TLS Allowed CN configuration directive is used, in which case the
client certificate must correspond to the Allowed Common Name specified. This
directive is valid only for a server and not in a client context.

*bacula-sd.conf*

Storage { # definition of myself
  ...
  # Peer certificate is not required/requested -- peer validity
  # is verified by the storage connection cookie provided to the
  # File Daemon by the director.
  TLS Verify Peer = no
  ...
}

Some time ago I configured a test environment with TLS and I remember
using TLS Verify Peer = no because of the self-signed certificates.


I think you can use TLS Verify Peer = yes  combined with:

*TLS Allowed CN = string list*

Common name attribute of allowed peer certificates. If this directive is
specified, all server certificates will be verified against this list. This
can be used to ensure that only the CA-approved Director may connect. This
directive may be specified more than once.


Best regards,
Ana




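The ERR=18 line in Tim's bconsole output (issuer equal to subject at depth 0) and Ana's note on TLS Verify Peer come down to one question: does the certificate a daemon presents chain to the file named in TLS CA Certificate File? The following pre-flight script is an added example, not code from the thread or from Bacula; it answers that question with openssl, together with the CN and key/certificate checks raised earlier in the thread, on constructed throwaway certificates, and the hostname and file layout are assumed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a Bacula TLS
# certificate set before restarting the daemons.  Needs only openssl.
# Paths and the hostname are assumed from the thread; make_test_certs
# builds constructed throwaway material so the script runs offline.
set -u

# Does CERT chain to the CA in CAFILE?  Prints OK, or FAIL plus openssl's
# reason.  Bacula's "ERR=18:self signed certificate" is openssl verify
# error 18: the peer's cert is its own issuer and is not in the CA file.
check_chain() {
    cafile=$1; cert=$2
    if out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1); then
        echo "OK"
    else
        echo "FAIL: $out"
        return 1
    fi
}

# CN of the certificate subject, to compare with the DirAddress / Address
# value the peer uses to connect.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Do the private key and the certificate carry the same public key?
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks on one cert/key pair against the configured CA file.
# Exit status 0 means a peer with TLS Verify Peer = yes and that CA file
# will accept the certificate.
preflight() {
    cafile=$1; cert=$2; key=$3; expected_cn=$4; rc=0
    chain=$(check_chain "$cafile" "$cert") || rc=1
    echo "chain: $chain"
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$expected_cn" ]; then
        echo "cn:    OK ($cn)"
    else
        echo "cn:    MISMATCH: certificate has '$cn', config uses '$expected_cn'"
        rc=1
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "key:   OK"
    else
        echo "key:   private key does not match certificate"
        rc=1
    fi
    return $rc
}

# Constructed test material in directory $1 for host $2: a private CA, a
# certificate signed by it, and a self-signed certificate like the one in
# the thread's error output.  -config pins the extensions so the result
# does not depend on the system openssl.cnf.
make_test_certs() {
    d=$1; cn=$2
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Bacula CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$d/good.key" -out "$d/good.csr" 2>/dev/null
    openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/good.crt" 2>/dev/null
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_test_certs "$tmp" storage.jokefire.com
    echo "== certificate signed by the CA in the CA file =="
    preflight "$tmp/ca.pem" "$tmp/good.crt" "$tmp/good.key" storage.jokefire.com
    echo "== self-signed certificate, the thread's ERR=18 case =="
    preflight "$tmp/ca.pem" "$tmp/self.crt" "$tmp/self.key" storage.jokefire.com
    rm -rf "$tmp"
}
main
```

To check a live installation, call preflight with the CA file, certificate and key from the Director, FD or SD resource and the hostname the peers connect to.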
Re: [Bacula-users] bacula TLS help

2013-11-27 Thread Iban Cabrillo
Hi Tim,
 I have a similar configuration. I think that the problem is in the CN:
CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com


please could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key

Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=X, O=, OU=Computing Department, CN=
bacula.example.org

The CN must be the same as DirAddress (I did not use the email address for
cert signing)

Regards, I



Re: [Bacula-users] bacula TLS help

2013-11-27 Thread Tim Dunphy
Hello Iban! And thank you for your reply.



  I have a similar configuration. I think that the problem is in the CN:
 CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com


 please could you show the value for   DirAddress = bacula.example.org

 in my case:

   DirAddress = bacula.example.org

   TLS Enable = yes
   TLS Require = yes
   TLS Verify Peer = no
   TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
   TLS Certificate = /etc/bacula/certs/cert/bacula.crt
   TLS Key = /etc/bacula/certs/key/bacula.key


This is my director configuration from bacula-dir.conf

Director {# define myself
  Name = storage.jokefire.com
  DIRport = 9101# where we listen for UA connections
  QueryFile = /etc/bacula/query.sql
  WorkingDirectory = /var/spool/bacula
  PidDirectory = /var/run
  Maximum Concurrent Jobs = 1
  Password = secret # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}


I hope I got you right in that this was what you needed to know.


 Looking at the cert:

 openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

 Subject: C=ES, ST=X, O=, OU=Computing Department, CN=
 bacula.example.org


openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text

  Subject: C=US, ST=X, L=, O= LLC, OU=Ops, CN=
storage.jokefire.com/emailAddress=bluethu...@gmail.com

[root@storage:~] #hostname -f
storage.jokefire.com



 The CN must be the same as DirAddress (I did not use the email address for
 cert signing)



It appears as if the DirAddress and the common name do agree. Might there
be something else I could have missed?

Thanks
Tim



[Bacula-users] bacula TLS help

2013-11-26 Thread Tim Dunphy
Hello all,


 I'm trying to add TLS encryption to my bacula setup.



 I've been following this guide which got me almost all of the way there:


http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/


I modified the following sections in my bacula-dir.conf file:


Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                      # where we listen for UA connections
  QueryFile = /etc/bacula/query.sql
  WorkingDirectory = /var/spool/bacula
  PidDirectory = /var/run
  Maximum Concurrent Jobs = 1
  Password = secret                   # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}

Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = secret                   # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d                 # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

And in my bacula-fd.conf

Director {
  Name = storage.jokefire.com
  Password = secret
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

FileDaemon {                          # this is me
  Name = storage.jokefire.com
  FDport = 9102                       # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

In bacula-sd.conf:

Storage {                             # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103                       # Director's port
  WorkingDirectory = /var/spool/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}

And finally in bconsole.conf:

Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = secret
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


Then I bounced the services so all seems well at this point:


[root@storage:/etc/bacula] #bounce-bacula
Stopping Bacula Storage services:  [  OK  ]
Starting Bacula Storage services:  [  OK  ]
Stopping Bacula File services:     [  OK  ]
Starting Bacula File services:     [  OK  ]
Stopping Bacula Director services: [  OK  ]
Starting Bacula Director services: [  OK  ]


(wrote a script to bounce all services because I'm lazy)


But when I go into bconsole I get the following (until I restore from
backup)


[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at
depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com,
subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com,
ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error
during the TLS handshake.
Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION0026
for help.


I've saved my work with TLS so I'm eager to get this going. I used the
following guide to generating the certs, and I'm wondering if the problem
could possibly be in the way I generated the certs?


http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/


Thanks for any and all advice!


Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B