From: Tim D. <blu...@gm...> - 2013-11-29 20:30:45
Hello Ana and Iban,

> Nice to meet you too and you're welcome :)

Thanks! :)

> You are having problem in TLS communication between bconsole and director.
> I suggest you to remove all the other TLS configuration (client, storage)
> and try to resolve this one first. When I tried this configuration, I
> remember doing that: TLS between director and bconsole, TLS between
> director and client, and so on.

Ok, well I took your advice and commented out the TLS configuration in the client section of bacula-dir, and commented it out entirely of the bacula-sd and bacula-fd configuration files. After bouncing the services again and going into bconsole I get the same error:

[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
29-Nov 15:06 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

> I don't know if this could be an issue, but your certificate has OU issuer
> different from OU subject:

I'm actually not obscuring the rest of the cert data this time around. So you can see that the apparent disparity to which you refer was actually a mistake on my part in obscuring the data. However I don't see anything too threatening in revealing the info here.

[root@storage:/etc/bacula] #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
        Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=storage.jokefire.com

Looks like it agrees to me! So there shouldn't be a disparity of this nature causing the error I assume.

> And in your bacula-sd.conf, also remove or set it to no: "TLS Verify Peer = yes".

I did try a bounce with this change in place, and it made no difference here either. I got the same exact error.

> I do not know which is your bacula version, but in the bconsole
> configuration file, I have the address value pointing to "director's
> machine name":

I do not know how to check the bacula version other than that of bconsole which is:

Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat

And I don't see any disparity between the director listed in the bacula-dir file and in the bconsole

bacula-dir.conf

Director {                            # define myself
  Name = storage.jokefire.com

bconsole.conf

Director {
  Name = storage.jokefire.com

> Really I do not see any other problem.

Interesting to know!

> Have you checked the firewall??

Well, on my first attempt I am merely trying to backup only the localhost. I know that there are two different names listed here (storage.jokefire.com and ops.jokefire.com) but these are merely two different DNS names for the same host. So the firewall shouldn't come into play here. Plus the fact that this is an EC2 host and I manage the firewall with AWS Security Groups and leave IPTables turned off. But I wonder if that could also be another problem? Though I don't see it being part of the problem I'm having with getting bacula to agree with its own TLS configuration. I really hope that the problem we're having here isn't centered around my using self-signed certs. I'd hate to shell out for a commercial one, especially as I consider the commercial cert business to be sort of a scam.

Thanks!
Tim

On Fri, Nov 29, 2013 at 2:41 PM, Iban Cabrillo <cab...@if...> wrote:

> Hi Tim, Ana,
>
> I do not know which is your bacula version, but in the bconsole
> configuration file, I have the address value pointing to "director's
> machine name":
>
> Director {
>   Name = localhost-dir
>   DIRport = 9101
>   address = bacula.example.org
>   Password = "somesecret"
>
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>   TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>   TLS Key = /etc/bacula/certs/key/bacula.key
> }
>
> Really I do not see any other problem.
> Have you checked the firewall??
>
> Regards, I
>
>
> 2013/11/29 Ana Emília M. Arruda <emi...@gm...>
>
>> Hi Tim,
>>
>> Nice to meet you too and you're welcome :)
>> You are having problem in TLS communication between bconsole and director.
>> I suggest you to remove all the other TLS configuration (client, storage)
>> and try to resolve this one first. When I tried this configuration, I
>> remember doing that: TLS between director and bconsole, TLS between
>> director and client, and so on.
>> I don't know if this could be an issue, but your certificate has OU
>> issuer different from OU subject:
>>
>> issuer = /C=US/ST=XX/L=XX/O=XX/*OU=XXX*/CN=storage.jokefire.com, subject
>> = /C=US/ST=XX/L=XX/O=XX/*OU=XX*/CN=storage.jokefire.com
>>
>> And in your bacula-sd.conf, also remove or set it to no: "TLS Verify
>> Peer = yes".
>>
>> Regards,
>> Ana
>>
>>
>> On Fri, Nov 29, 2013 at 3:16 PM, Tim Dunphy <blu...@gm...> wrote:
>>
>>> Hello Ana,
>>>
>>> Nice to meet you and thank you for your input as well.
>>>
>>> Well I tried your suggestion and unfortunately I haven't had any more
>>> luck than with Iban's.
>>>
>>> Here, for reference, are my TLS configs again.
>>>
>>> *bacula-dir.conf*
>>>
>>> Director {                            # define myself
>>>   Name = storage.jokefire.com
>>>   DIRport = 9101                # where we listen for UA connections
>>>   QueryFile = "/etc/bacula/query.sql"
>>>   WorkingDirectory = "/var/spool/bacula"
>>>   PidDirectory = "/var/run"
>>>   Maximum Concurrent Jobs = 1
>>>   Password = "secret"         # Console password
>>>   Messages = Daemon
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>   TLS Verify Peer = no
>>> }
>>>
>>> # Client (File Services) to backup
>>> Client {
>>>   Name = ops.jokefire.com
>>>   Address = ops.jokefire.com
>>>   FDPort = 9102
>>>   Catalog = JokefireCatalog
>>>   Password = "secret"          # password for FileDaemon
>>>   File Retention = 14 days            # 14 days
>>>   Job Retention = 14d            # 14 days
>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>> (testing with just one client until I get this sorted out)
>>>
>>> Director {
>>>   Name = storage.jokefire.com
>>>   Password = "secret"
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>> FileDaemon {                          # this is me
>>>   Name = storage.jokefire.com
>>>   FDport = 9102                  # where we listen for the director
>>>   WorkingDirectory = /var/bacula
>>>   Pid Directory = /var/run
>>>   Maximum Concurrent Jobs = 20
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>> *bacula-sd.conf*
>>>
>>> Storage {                             # definition of myself
>>>   Name = storage.jokefire.com
>>>   SDPort = 9103                  # Director's port
>>>   WorkingDirectory = "/var/spool/bacula"
>>>   Pid Directory = "/var/run"
>>>   Maximum Concurrent Jobs = 20
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>   TLS Verify Peer = yes
>>> }
>>>
>>> *bconsole.conf*
>>>
>>> Director {
>>>   Name = storage.jokefire.com
>>>   DIRport = 9101
>>>   address = storage.jokefire.com
>>>   Password = "secret"
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>> And the permissions on the cert files appear to be correct:
>>>
>>> -rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
>>> -rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
>>> -rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
>>>
>>> And the services bounce without any complaint:
>>>
>>> [root@storage:~] #bounce-bacula
>>> Stopping Bacula Storage services:                          [  OK  ]
>>> Starting Bacula Storage services:                          [  OK  ]
>>> Stopping Bacula File services:                             [  OK  ]
>>> Starting Bacula File services:                             [  OK  ]
>>> Stopping Bacula Director services:                         [  OK  ]
>>> Starting Bacula Director services:                         [  OK  ]
>>>
>>> Yet the same error as before is produced:
>>>
>>> [root@storage:~] #bconsole
>>> Connecting to Director storage.jokefire.com:9101
>>> 29-Nov 13:08 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XXX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
>>> TLS negotiation failed
>>> Director authorization problem.
>>>
>>> Most likely the passwords do not agree.
>>> If you are using TLS, there may have been a certificate validation error during the TLS handshake.
>>> Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>
>>> And I see that the subject line from the cert agrees with the error that
>>> I'm seeing in Bacula.
>>>
>>> #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
>>>         Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
>>>
>>> Looking forward to coming to some sort of resolution with this, it's
>>> been days and days that I've been working on it. And I certainly appreciate
>>> everyone's help and input.
>>>
>>> Best,
>>> Tim
>>>
>>>
>>> On Thu, Nov 28, 2013 at 2:55 PM, Ana Emília M. Arruda <emi...@gm...> wrote:
>>>
>>>> Hi Tim! Hi Iban!
>>>>
>>>> Maybe the problem is in using "TLS Verify Peer = yes" with self-signed
>>>> certificates. I found in
>>>> http://www.bacula.org/manuals/en/concepts/concepts/Bacula_TLS_Communication.html :
>>>>
>>>> *TLS Verify Peer = <yes|no>* Verify peer certificate. Instructs server
>>>> to request and verify the client's x509 certificate. Any client certificate
>>>> signed by a known-CA will be accepted unless the TLS Allowed CN
>>>> configuration directive is used, in which case the client certificate must
>>>> correspond to the Allowed Common Name specified. This directive is valid
>>>> only for a server and not in a client context.
>>>>
>>>> *bacula-sd.conf*
>>>>
>>>> Storage {                             # definition of myself
>>>>
>>>> ...
>>>>
>>>>   # Peer certificate is not required/requested -- peer validity
>>>>   # is verified by the storage connection cookie provided to the
>>>>   # File Daemon by the director.
>>>>   TLS Verify Peer = no
>>>>
>>>> ...
>>>>
>>>> }
>>>>
>>>> A time ago I configured a test environment with TLS and I remember using "TLS Verify Peer = no" because of the self-signed certificates.
>>>>
>>>> I think you can use "TLS Verify Peer = yes" combined with:
>>>>
>>>> *TLS Allowed CN = <string list>*
>>>>
>>>> Common name attribute of allowed peer certificates. If this directive
>>>> is specified, all server certificates will be verified against this list.
>>>> This can be used to ensure that only the CA-approved Director may connect.
>>>> This directive may be specified more than once.
>>>>
>>>> Best regards,
>>>> Ana
>>>>
>>>>
>>>> On Thu, Nov 28, 2013 at 4:07 PM, Tim Dunphy <blu...@gm...> wrote:
>>>>
>>>>> Hi Iban,
>>>>>
>>>>>> HI Tim,
>>>>>> I was pretty sure that the trouble was on the CN, could you try to
>>>>>> create the cert without the email value??
>>>>>> /emailAddress=blu...@gm..., only CN=storage.jokefire.com.
>>>>>>
>>>>>> Have you checked too that these files:
>>>>>>
>>>>>> /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>> /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>
>>>>>> belong to the bacula user?
>>>>>>
>>>>>> regards, I
>>>>>
>>>>> I was able to recreate the cert without the email address and ensure
>>>>> that the files were owned by the bacula user:
>>>>>
>>>>> [root@storage:~/bacula-certs-new] #ls -l /etc/pki/tls/certs/storage.jokefire.com.crt /etc/pki/tls/private/storage.jokefire.com.key /etc/pki/CA/certs/rootBaculaCA.pem
>>>>> -rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
>>>>> -rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>> -rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
>>>>> You have mail in /var/spool/mail/root
>>>>>
>>>>> And this is what the Subject line of the key file looks like now:
>>>>>
>>>>> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>>>>>
>>>>>         Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
>>>>>
>>>>> Once again all services bounce cleanly.
>>>>>
>>>>> However when I go into bconsole this is what I find:
>>>>>
>>>>> [root@storage:~/bacula-certs-new] #bconsole
>>>>> Connecting to Director storage.jokefire.com:9101
>>>>> 28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
>>>>> TLS negotiation failed
>>>>> Director authorization problem.
>>>>> Most likely the passwords do not agree.
>>>>> If you are using TLS, there may have been a certificate validation
>>>>> error during the TLS handshake.
>>>>> Please see
>>>>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>>>
>>>>> Passwords have not been changed from the working configs, which have
>>>>> been in place and working for several months now.
>>>>>
>>>>> Any further thoughts?
>>>>>
>>>>> Many thanks and I hope you are enjoying your holiday!
>>>>>
>>>>> Tim
>>>>>
>>>>>
>>>>> On Thu, Nov 28, 2013 at 6:35 AM, Iban Cabrillo <cab...@if...> wrote:
>>>>>
>>>>>> HI Tim,
>>>>>> I was pretty sure that the trouble was on the CN, could you try to
>>>>>> create the cert without the email value??
>>>>>> /emailAddress=blu...@gm..., only CN=storage.jokefire.com.
>>>>>>
>>>>>> Have you checked too that these files:
>>>>>>
>>>>>> /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>> /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>
>>>>>> belong to the bacula user?
>>>>>>
>>>>>> regards, I
>>>>>>
>>>>>>
>>>>>> 2013/11/28 Tim Dunphy <blu...@gm...>
>>>>>>
>>>>>>> Hello Iban! And thank you for your reply.
>>>>>>>
>>>>>>>> I have a similar configuration. I think that the problem is in
>>>>>>>> the CN:
>>>>>>>> CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>>
>>>>>>>> please could you show the value for DirAddress =
>>>>>>>> bacula.example.org
>>>>>>>>
>>>>>>>> in my case:
>>>>>>>>
>>>>>>>> DirAddress = bacula.example.org
>>>>>>>>
>>>>>>>> TLS Enable = yes
>>>>>>>> TLS Require = yes
>>>>>>>> TLS Verify Peer = no
>>>>>>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>>>>>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>>>>>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>>>>>
>>>>>>> This is my director configuration from bacula-dir.conf
>>>>>>>
>>>>>>> Director {                            # define myself
>>>>>>>   Name = storage.jokefire.com
>>>>>>>   DIRport = 9101                # where we listen for UA connections
>>>>>>>   QueryFile = "/etc/bacula/query.sql"
>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>   PidDirectory = "/var/run"
>>>>>>>   Maximum Concurrent Jobs = 1
>>>>>>>   Password = "secret"         # Console password
>>>>>>>   Messages = Daemon
>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>   TLS Enable = yes
>>>>>>>   TLS Require = yes
>>>>>>>   TLS Verify Peer = yes
>>>>>>> }
>>>>>>>
>>>>>>> I hope I got you right in that this was what you needed to know.
>>>>>>>
>>>>>>>> Looking at the cert:
>>>>>>>>
>>>>>>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>>>>>>
>>>>>>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>>>>>>
>>>>>>> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>>>>>>>
>>>>>>> Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>
>>>>>>> [root@storage:~] #hostname -f
>>>>>>> storage.jokefire.com
>>>>>>>
>>>>>>>> The CN must be the same as DirAddress (I did not use email address
>>>>>>>> for cert sign)
>>>>>>>
>>>>>>> It appears as if the DirAddress and the common name do agree. Might
>>>>>>> there be something else I could have missed?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cab...@if...> wrote:
>>>>>>>
>>>>>>>> Hi Tim,
>>>>>>>> I have a similar configuration. I think that the problem is in the
>>>>>>>> CN:
>>>>>>>> CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>>
>>>>>>>> please could you show the value for DirAddress =
>>>>>>>> bacula.example.org
>>>>>>>>
>>>>>>>> in my case:
>>>>>>>>
>>>>>>>> DirAddress = bacula.example.org
>>>>>>>>
>>>>>>>> TLS Enable = yes
>>>>>>>> TLS Require = yes
>>>>>>>> TLS Verify Peer = no
>>>>>>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>>>>>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>>>>>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>>>>>>
>>>>>>>> Looking at the cert:
>>>>>>>>
>>>>>>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>>>>>>
>>>>>>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>>>>>>>
>>>>>>>> The CN must be the same as DirAddress (I did not use email address
>>>>>>>> for cert sign)
>>>>>>>>
>>>>>>>> Regards, I
>>>>>>>>
>>>>>>>>
>>>>>>>> 2013/11/27 Tim Dunphy <blu...@gm...>
>>>>>>>>
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I'm trying to add TLS encryption to my bacula setup.
>>>>>>>>>
>>>>>>>>> I've been following this guide which got me almost all of the way
>>>>>>>>> there:
>>>>>>>>>
>>>>>>>>> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>>>>>>>>>
>>>>>>>>> I modified the following sections in my bacula-dir.conf file:
>>>>>>>>>
>>>>>>>>> Director {                            # define myself
>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>   DIRport = 9101                # where we listen for UA connections
>>>>>>>>>   QueryFile = "/etc/bacula/query.sql"
>>>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>>>   PidDirectory = "/var/run"
>>>>>>>>>   Maximum Concurrent Jobs = 1
>>>>>>>>>   Password = "secret"         # Console password
>>>>>>>>>   Messages = Daemon
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>>   TLS Verify Peer = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Client {
>>>>>>>>>   Name = ops.jokefire.com
>>>>>>>>>   Address = ops.jokefire.com
>>>>>>>>>   FDPort = 9102
>>>>>>>>>   Catalog = JokefireCatalog
>>>>>>>>>   Password = "secret"          # password for FileDaemon
>>>>>>>>>   File Retention = 14 days            # 14 days
>>>>>>>>>   Job Retention = 14d            # 14 days
>>>>>>>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> And in my bacula-fd.conf
>>>>>>>>>
>>>>>>>>> Director {
>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>   Password = "secret"
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> FileDaemon {                          # this is me
>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>   FDport = 9102                  # where we listen for the director
>>>>>>>>>   WorkingDirectory = /var/bacula
>>>>>>>>>   Pid Directory = /var/run
>>>>>>>>>   Maximum Concurrent Jobs = 20
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> In bacula-sd.conf:
>>>>>>>>>
>>>>>>>>> Storage {                             # definition of myself
>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>   SDPort = 9103                  # Director's port
>>>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>>>   Pid Directory = "/var/run"
>>>>>>>>>   Maximum Concurrent Jobs = 20
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>>   TLS Verify Peer = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> And finally in bconsole.conf:
>>>>>>>>>
>>>>>>>>> Director {
>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>   DIRport = 9101
>>>>>>>>>   address = storage.jokefire.com
>>>>>>>>>   Password = "secret"
>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>   TLS Enable = yes
>>>>>>>>>   TLS Require = yes
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Then I bounced the services so all seems well at this point:
>>>>>>>>>
>>>>>>>>> [root@storage:/etc/bacula] #bounce-bacula
>>>>>>>>> Stopping Bacula Storage services:                          [  OK  ]
>>>>>>>>> Starting Bacula Storage services:                          [  OK  ]
>>>>>>>>> Stopping Bacula File services:                             [  OK  ]
>>>>>>>>> Starting Bacula File services:                             [  OK  ]
>>>>>>>>> Stopping Bacula Director services:                         [  OK  ]
>>>>>>>>> Starting Bacula Director services:                         [  OK  ]
>>>>>>>>>
>>>>>>>>> (wrote a script to bounce all services because I'm lazy)
>>>>>>>>>
>>>>>>>>> But when I go into bconsole I get the following (until I restore
>>>>>>>>> from backup)
>>>>>>>>>
>>>>>>>>> [root@storage:/etc/bacula] #bconsole
>>>>>>>>> Connecting to Director storage.jokefire.com:9101
>>>>>>>>> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=blu...@gm..., subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=blu...@gm..., ERR=18:self signed certificate
>>>>>>>>> TLS negotiation failed
>>>>>>>>> Director authorization problem.
>>>>>>>>> Most likely the passwords do not agree.
>>>>>>>>> If you are using TLS, there may have been a certificate validation
>>>>>>>>> error during the TLS handshake.
>>>>>>>>> Please see
>>>>>>>>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>>>>>>>
>>>>>>>>> I've saved my work with TLS so I'm eager to get this going. I used
>>>>>>>>> the following guide to generating the certs, and I'm wondering if the
>>>>>>>>> problem could possibly be in the way I generated the certs?
>>>>>>>>>
>>>>>>>>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>>>>>>>>
>>>>>>>>> Thanks for any and all advice!
>>>>>>>>>
>>>>>>>>> Tim
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> GPG me!!
>>>>>>>>>
>>>>>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> Rapidly troubleshoot problems before they affect your business. Most IT
>>>>>>>>> organizations don't have a clear picture of how application performance
>>>>>>>>> affects their revenue. With AppDynamics, you get 100% visibility into your
>>>>>>>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
>>>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>>>>>>>>> _______________________________________________
>>>>>>>>> Bacula-users mailing list
>>>>>>>>> Bac...@li...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> ####################################
>>>>>>>> Iban Cabrillo Bartolome
>>>>>>>> Instituto de Fisica de Cantabria (IFCA)
>>>>>>>> Santander, Spain
>>>>>>>> Tel: +34942200969
>>>>>>>> ####################################
>>>>>>>> Bertrand Russell:
>>>>>>>> *"The problem with the world is that the stupid are sure of
>>>>>>>> everything and the intelligent are full of doubts"*
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> GPG me!!
>>>>>>>
>>>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>>
>>>>>>
>>>>>> --
>>>>>> ####################################
>>>>>> Iban Cabrillo Bartolome
>>>>>> Instituto de Fisica de Cantabria (IFCA)
>>>>>> Santander, Spain
>>>>>> Tel: +34942200969
>>>>>> ####################################
>>>>>> Bertrand Russell:
>>>>>> *"The problem with the world is that the stupid are sure of everything
>>>>>> and the intelligent are full of doubts"*
>>>>>
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>
>
> --
> ####################################
> Iban Cabrillo Bartolome
> Instituto de Fisica de Cantabria (IFCA)
> Santander, Spain
> Tel: +34942200969
> ####################################
> Bertrand Russell:
> *"The problem with the world is that the stupid are sure of everything and
> the intelligent are full of doubts"*

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
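Added example, not part of the thread and not Bacula's or the posters' code. The "ERR=18:self signed certificate" at depth 0 that every bconsole attempt above reports is OpenSSL verify error 18, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the certificate the peer presented is its own issuer, and that certificate is not present in the file given as TLS CA Certificate File (Bacula hands that file to OpenSSL as the trust store). A certificate that rootBaculaCA.pem had issued would name the CA's subject as its issuer, so identical issuer and subject lines, as in every error quoted above, mean the daemon certificate is not one that CA file can vouch for; the usual cause is that it was generated with openssl req -x509 instead of being signed with the CA's key. The script below reproduces the check with the openssl CLI on a throwaway PKI it builds in a temp directory (every path and name in it, including rootBaculaCA and storage.example.org, is a demo value, not the poster's /etc/pki files) and runs it through three cases: a CA-issued certificate against the CA file, a self-signed certificate against the CA file (the thread's situation), and the same self-signed certificate used as its own trust anchor, which OpenSSL accepts.

```shell
#!/bin/sh
# Added example; not code from the thread, from Bacula, or from any poster.
# Reproduces the check behind "tls.c:92 Error with certificate at depth: 0
# ... ERR=18:self signed certificate" with the openssl CLI on a throwaway PKI
# built here. All file names and subjects (rootBaculaCA, storage.example.org)
# are demo values, not the poster's /etc/pki paths.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: a distinguished_name section (required even with -subj)
# and a v3_ca section so the demo CA carries basicConstraints on any OpenSSL.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Demo PKI: a root CA, a leaf the CA issues (the intended setup), and a leaf
# that signs itself (what the thread's log shows: issuer == subject).
make_demo_pki() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=rootBaculaCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/CN=storage.example.org" \
    -keyout "$WORK/signed.key" -out "$WORK/signed.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 1 -in "$WORK/signed.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/signed.crt" >/dev/null 2>&1 || return 1
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -subj "/CN=storage.example.org" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# Check one daemon's TLS trio the way its peers will: the certificate must
# chain to the CA file, the key must belong to the certificate, and the CN
# should be the name peers connect to. Prints a verdict per check; returns 0
# only when all three pass.
bacula_tls_check() {
  ca="$1" crt="$2" key="$3" expected_cn="$4"
  status=0

  # 1. Chain check: openssl verify with the CA file is what the daemons do
  #    through OpenSSL. Error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
  #    means the leaf is its own issuer and is not itself in the CA file.
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "PASS chain: $(basename "$crt") verifies against $(basename "$ca")"
  else
    status=1
    issuer=$(openssl x509 -in "$crt" -noout -issuer)
    subject=$(openssl x509 -in "$crt" -noout -subject)
    if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
      echo "FAIL chain: $(basename "$crt") is self-signed (issuer == subject) and is not in $(basename "$ca")"
    else
      echo "FAIL chain: $(basename "$crt") was not issued by any CA in $(basename "$ca")"
    fi
  fi

  # 2. Key match: the public key inside the cert must equal the one derived
  #    from the private key (both printed as PEM SubjectPublicKeyInfo).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
    echo "PASS key: $(basename "$key") matches $(basename "$crt")"
  else
    status=1
    echo "FAIL key: $(basename "$key") does not match $(basename "$crt")"
  fi

  # 3. CN check, the sanity check the thread discusses (CN equal to the
  #    address the peer is configured with). RFC2253 output puts CN first.
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=[[:space:]]*CN=\([^,]*\).*/\1/p')
  if [ "$cn" = "$expected_cn" ]; then
    echo "PASS cn: CN=$cn matches $expected_cn"
  else
    status=1
    echo "FAIL cn: CN=$cn does not match $expected_cn"
  fi
  return "$status"
}

main() {
  make_demo_pki || { echo "could not build the demo PKI (is openssl installed?)"; return 1; }
  echo "== CA-issued certificate against the CA file (intended setup)"
  bacula_tls_check "$WORK/ca.pem" "$WORK/signed.crt" "$WORK/signed.key" storage.example.org
  echo "== self-signed certificate against the CA file (the thread's situation)"
  bacula_tls_check "$WORK/ca.pem" "$WORK/selfsigned.crt" "$WORK/selfsigned.key" storage.example.org
  echo "== self-signed certificate used as its own trust anchor"
  bacula_tls_check "$WORK/selfsigned.crt" "$WORK/selfsigned.crt" "$WORK/selfsigned.key" storage.example.org
}
main
```

Run it as is to see the three verdicts; to check a real deployment, call bacula_tls_check with the three paths from a daemon's TLS directives and the name its peers connect to. The last case is the pragmatic fix for self-signed daemon certificates: point TLS CA Certificate File at the certificate itself (the file may be a concatenation of several PEM certificates, one per daemon that must be trusted). Issuing the daemon certificates from rootBaculaCA with the CA's key is the cleaner fix and matches the layout the configs above are written for, one CA file and one certificate per daemon.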