From: Ana E. M. A. <emi...@gm...> - 2013-11-29 20:52:32

Hi Tim! Can you check this http://bacula.10910.n7.nabble.com/bacula-and-tls-Can-t-get-that-working-td44677.html ?

Regards,
Ana

On Fri, Nov 29, 2013 at 5:30 PM, Tim Dunphy <blu...@gm...> wrote:
> Hello Ana and Iban,
>
>> Nice to meet you too and you're welcome :)
>
> Thanks! :)
>
>> You are having a problem in TLS communication between bconsole and the director.
>> I suggest you remove all the other TLS configuration (client, storage)
>> and try to resolve this one first. When I tried this configuration, I
>> remember doing that: TLS between director and bconsole, TLS between
>> director and client, and so on.
>
> Ok, well I took your advice and commented out the TLS configuration in the
> client section of bacula-dir, and commented it out entirely of the
> bacula-sd and bacula-fd configuration files. After bouncing the services
> again and going into bconsole I get the same error:
>
> [root@storage:/etc/bacula] #bconsole
> Connecting to Director storage.jokefire.com:9101
> 29-Nov 15:06 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, ERR=18:self signed certificate
> TLS negotiation failed
> Director authorization problem.
>
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error during the TLS handshake.
> Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>
>> I don't know if this could be an issue, but your certificate has an OU in the
>> issuer different from the OU in the subject:
>
> I'm actually not obscuring the rest of the cert data this time around. So
> you can see that the apparent disparity to which you refer was actually a
> mistake on my part in obscuring the data. However I don't see anything too
> threatening in revealing the info here.
>
> [root@storage:/etc/bacula] #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
> Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=storage.jokefire.com
>
> Looks like it agrees to me! So there shouldn't be a disparity of this
> nature causing the error I assume.
>
>> And in your bacula-sd.conf, also remove or set it to no: "TLS Verify Peer = yes".
>
> I did try a bounce with this change in place, and it made no difference
> here either. I got the same exact error.
>
>> I do not know which is your bacula version, but in the bconsole
>> configuration file, I have the address value pointing to the director's
>> machine name:
>
> I do not know how to check the bacula version other than that of bconsole
> which is:
>
> Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat
>
> And I don't see any disparity between the director listed in the bacula-dir file and in the bconsole:
>
> bacula-dir.conf
>
> Director {                            # define myself
>   Name = storage.jokefire.com
>
> bconsole.conf
>
> Director {
>   Name = storage.jokefire.com
>
>> Really I do not see any other problem.
>
> Interesting to know!
>
>> Have you checked the firewall?
>
> Well, on my first attempt I am merely trying to backup only the localhost.
> I know that there are two different names listed here
> (storage.jokefire.com and ops.jokefire.com) but these are merely two
> different DNS names for the same host. So the firewall shouldn't come into
> play here. Plus the fact that this is an EC2 host and I manage the firewall
> with AWS Security Groups and leave IPTables turned off.
>
> But I wonder if that could also be another problem? Though I don't see it
> being part of the problem I'm having with getting bacula to agree with its
> own TLS configuration.
>
> I really hope that the problem we're having here isn't centered around my
> using self-signed certs. I'd hate to shell out for a commercial one,
> especially as I consider the commercial cert business to be sort of a scam.
>
> Thanks!
> Tim
>
> On Fri, Nov 29, 2013 at 2:41 PM, Iban Cabrillo <cab...@if...> wrote:
>> Hi Tim, Ana,
>>
>> I do not know which is your bacula version, but in the bconsole
>> configuration file, I have the address value pointing to the director's
>> machine name:
>>
>> Director {
>>   Name = localhost-dir
>>   DIRport = 9101
>>   address = bacula.example.org
>>   Password = "somesecret"
>>
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>   TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>   TLS Key = /etc/bacula/certs/key/bacula.key
>> }
>>
>> Really I do not see any other problem.
>> Have you checked the firewall?
>>
>> Regards, I
>>
>> 2013/11/29 Ana Emília M. Arruda <emi...@gm...>
>>> Hi Tim,
>>>
>>> Nice to meet you too and you're welcome :)
>>> You are having a problem in TLS communication between bconsole and the
>>> director.
>>> I suggest you remove all the other TLS configuration (client,
>>> storage) and try to resolve this one first. When I tried this
>>> configuration, I remember doing that: TLS between director and bconsole,
>>> TLS between director and client, and so on.
>>> I don't know if this could be an issue, but your certificate has an OU in the
>>> issuer different from the OU in the subject:
>>>
>>> issuer = /C=US/ST=XX/L=XX/O=XX/*OU=XXX*/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/*OU=XX*/CN=storage.jokefire.com
>>>
>>> And in your bacula-sd.conf, also remove or set it to no: "TLS Verify
>>> Peer = yes".
>>>
>>> Regards,
>>> Ana
>>>
>>> On Fri, Nov 29, 2013 at 3:16 PM, Tim Dunphy <blu...@gm...> wrote:
>>>> Hello Ana,
>>>>
>>>> Nice to meet you and thank you for your input as well.
>>>>
>>>> Well I tried your suggestion and unfortunately I haven't had any more
>>>> luck than with Iban's.
>>>>
>>>> Here, for reference, are my TLS configs again.
>>>>
>>>> *bacula-dir.conf*
>>>> Director {                            # define myself
>>>>   Name = storage.jokefire.com
>>>>   DIRport = 9101                      # where we listen for UA connections
>>>>   QueryFile = "/etc/bacula/query.sql"
>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>   PidDirectory = "/var/run"
>>>>   Maximum Concurrent Jobs = 1
>>>>   Password = "secret"                 # Console password
>>>>   Messages = Daemon
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>>   TLS Verify Peer = no
>>>> }
>>>> # Client (File Services) to backup
>>>>
>>>> Client {
>>>>   Name = ops.jokefire.com
>>>>   Address = ops.jokefire.com
>>>>   FDPort = 9102
>>>>   Catalog = JokefireCatalog
>>>>   Password = "secret"                 # password for FileDaemon
>>>>   File Retention = 14 days            # 14 days
>>>>   Job Retention = 14d                 # 14 days
>>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>> }
>>>> (testing with just one client until I get this sorted out)
>>>>
>>>> Director {
>>>>   Name = storage.jokefire.com
>>>>   Password = "secret"
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>> }
>>>>
>>>> FileDaemon {                          # this is me
>>>>   Name = storage.jokefire.com
>>>>   FDport = 9102                       # where we listen for the director
>>>>   WorkingDirectory = /var/bacula
>>>>   Pid Directory = /var/run
>>>>   Maximum Concurrent Jobs = 20
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>> }
>>>>
>>>> *bacula-sd.conf*
>>>> Storage {                             # definition of myself
>>>>   Name = storage.jokefire.com
>>>>   SDPort = 9103                       # Director's port
>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>   Pid Directory = "/var/run"
>>>>   Maximum Concurrent Jobs = 20
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>>   TLS Verify Peer = yes
>>>> }
>>>>
>>>> *bconsole.conf*
>>>> Director {
>>>>   Name = storage.jokefire.com
>>>>   DIRport = 9101
>>>>   address = storage.jokefire.com
>>>>   Password = "secret"
>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>   TLS Enable = yes
>>>>   TLS Require = yes
>>>> }
>>>>
>>>> And the permissions on the cert files appear to be correct:
>>>>
>>>> -rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
>>>> -rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> -rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
>>>>
>>>> And the services bounce without any complaint:
>>>>
>>>> [root@storage:~] #bounce-bacula
>>>> Stopping Bacula Storage services:                          [  OK  ]
>>>> Starting Bacula Storage services:                          [  OK  ]
>>>> Stopping Bacula File services:                             [  OK  ]
>>>> Starting Bacula File services:                             [  OK  ]
>>>> Stopping Bacula Director services:                         [  OK  ]
>>>> Starting Bacula Director services:                         [  OK  ]
>>>>
>>>> Yet the same error as before is produced:
>>>>
>>>> [root@storage:~] #bconsole
>>>> Connecting to Director storage.jokefire.com:9101
>>>> 29-Nov 13:08 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XXX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
>>>> TLS negotiation failed
>>>> Director authorization problem.
>>>>
>>>> Most likely the passwords do not agree.
>>>> If you are using TLS, there may have been a certificate validation error during the TLS handshake.
>>>> Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>>
>>>> And I see that the subject line from the cert agrees with the error
>>>> that I'm seeing in Bacula.
>>>>
>>>> #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
>>>> Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
>>>>
>>>> Looking forward to coming to some sort of resolution with this, it's
>>>> been days and days that I've been working on it. And I certainly appreciate
>>>> everyone's help and input.
>>>>
>>>> Best,
>>>> Tim
>>>>
>>>> On Thu, Nov 28, 2013 at 2:55 PM, Ana Emília M. Arruda <emi...@gm...> wrote:
>>>>> Hi Tim! Hi Iban!
>>>>>
>>>>> Maybe the problem is in using "TLS Verify Peer = yes" with self-signed
>>>>> certificates. I found in
>>>>> http://www.bacula.org/manuals/en/concepts/concepts/Bacula_TLS_Communication.html :
>>>>>
>>>>> *TLS Verify Peer = <yes|no>* Verify peer certificate. Instructs
>>>>> server to request and verify the client's x509 certificate. Any client
>>>>> certificate signed by a known-CA will be accepted unless the TLS Allowed CN
>>>>> configuration directive is used, in which case the client certificate must
>>>>> correspond to the Allowed Common Name specified. This directive is valid
>>>>> only for a server and not in a client context.
>>>>>
>>>>> *bacula-sd.conf*
>>>>>
>>>>> Storage {                             # definition of myself
>>>>>
>>>>>   ...
>>>>>
>>>>>   # Peer certificate is not required/requested -- peer validity
>>>>>   # is verified by the storage connection cookie provided to the
>>>>>   # File Daemon by the director.
>>>>>   TLS Verify Peer = no
>>>>>
>>>>>   ...
>>>>>
>>>>> }
>>>>>
>>>>> A time ago I configured a test environment with TLS and I remember using "TLS Verify Peer = no" because of the self-signed certificates.
>>>>>
>>>>> I think you can use "TLS Verify Peer = yes" combined with:
>>>>>
>>>>> *TLS Allowed CN = <string list>*
>>>>>
>>>>> Common name attribute of allowed peer certificates. If this directive
>>>>> is specified, all server certificates will be verified against this list.
>>>>> This can be used to ensure that only the CA-approved Director may connect.
>>>>> This directive may be specified more than once.
>>>>>
>>>>> Best regards,
>>>>> Ana
>>>>>
>>>>> On Thu, Nov 28, 2013 at 4:07 PM, Tim Dunphy <blu...@gm...> wrote:
>>>>>> Hi Iban,
>>>>>>
>>>>>>> HI Tim,
>>>>>>> I was pretty sure that the trouble was on the CN, could you try
>>>>>>> to create the cert without the email value
>>>>>>> /emailAddress=blu...@gm..., only CN=storage.jokefire.com?
>>>>>>>
>>>>>>> Have you checked too that these files:
>>>>>>>
>>>>>>> /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>> /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>
>>>>>>> belong to the bacula user?
>>>>>>>
>>>>>>> regards, I
>>>>>>
>>>>>> I was able to recreate the cert without the email address and ensure
>>>>>> that the files were owned by the bacula user:
>>>>>>
>>>>>> [root@storage:~/bacula-certs-new] #ls -l /etc/pki/tls/certs/storage.jokefire.com.crt /etc/pki/tls/private/storage.jokefire.com.key /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>> -rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>> -rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>> -rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
>>>>>> You have mail in /var/spool/mail/root
>>>>>>
>>>>>> And this is what the Subject line of the cert file looks like now:
>>>>>>
>>>>>> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>>>>>>
>>>>>> Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
>>>>>>
>>>>>> Once again all services bounce cleanly.
>>>>>>
>>>>>> However when I go into bconsole this is what I find:
>>>>>>
>>>>>> [root@storage:~/bacula-certs-new] #bconsole
>>>>>> Connecting to Director storage.jokefire.com:9101
>>>>>> 28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
>>>>>> TLS negotiation failed
>>>>>> Director authorization problem.
>>>>>> Most likely the passwords do not agree.
>>>>>> If you are using TLS, there may have been a certificate validation
>>>>>> error during the TLS handshake.
>>>>>> Please see
>>>>>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>>>>
>>>>>> Passwords have not been changed from the working configs, which have
>>>>>> been in place and working for several months now.
>>>>>>
>>>>>> Any further thoughts?
>>>>>>
>>>>>> Many thanks and I hope you are enjoying your holiday!
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Thu, Nov 28, 2013 at 6:35 AM, Iban Cabrillo <cab...@if...> wrote:
>>>>>>> HI Tim,
>>>>>>> I was pretty sure that the trouble was on the CN, could you try
>>>>>>> to create the cert without the email value
>>>>>>> /emailAddress=blu...@gm..., only CN=storage.jokefire.com?
>>>>>>>
>>>>>>> Have you checked too that these files:
>>>>>>>
>>>>>>> /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>> /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>
>>>>>>> belong to the bacula user?
>>>>>>>
>>>>>>> regards, I
>>>>>>>
>>>>>>> 2013/11/28 Tim Dunphy <blu...@gm...>
>>>>>>>> Hello Iban! And thank you for your reply.
>>>>>>>>
>>>>>>>>> I have a similar configuration. I think that the problem is in
>>>>>>>>> the CN:
>>>>>>>>> CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>>>
>>>>>>>>> please could you show the value for DirAddress =
>>>>>>>>> bacula.example.org
>>>>>>>>>
>>>>>>>>> in my case:
>>>>>>>>>
>>>>>>>>> DirAddress = bacula.example.org
>>>>>>>>>
>>>>>>>>> TLS Enable = yes
>>>>>>>>> TLS Require = yes
>>>>>>>>> TLS Verify Peer = no
>>>>>>>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>>>>>>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>>>>>>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>>>>>>
>>>>>>>> This is my director configuration from bacula-dir.conf
>>>>>>>>
>>>>>>>> Director {                            # define myself
>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>   DIRport = 9101                      # where we listen for UA connections
>>>>>>>>   QueryFile = "/etc/bacula/query.sql"
>>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>>   PidDirectory = "/var/run"
>>>>>>>>   Maximum Concurrent Jobs = 1
>>>>>>>>   Password = "secret"                 # Console password
>>>>>>>>   Messages = Daemon
>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>   TLS Enable = yes
>>>>>>>>   TLS Require = yes
>>>>>>>>   TLS Verify Peer = yes
>>>>>>>> }
>>>>>>>>
>>>>>>>> I hope I got you right in that this was what you needed to know.
>>>>>>>>
>>>>>>>>> Looking at the cert:
>>>>>>>>>
>>>>>>>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>>>>>>>
>>>>>>>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>>>>>>>
>>>>>>>> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>>>>>>>>
>>>>>>>> Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>>
>>>>>>>> [root@storage:~] #hostname -f
>>>>>>>> storage.jokefire.com
>>>>>>>>
>>>>>>>>> The CN must be the same as DirAddress (I did not use email
>>>>>>>>> address for cert sign)
>>>>>>>>
>>>>>>>> It appears as if the DirAddress and the common name do agree. Might
>>>>>>>> there be something else I could have missed?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Tim
>>>>>>>>
>>>>>>>> On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cab...@if...> wrote:
>>>>>>>>> Hi Tim,
>>>>>>>>> I have a similar configuration. I think that the problem is in the
>>>>>>>>> CN:
>>>>>>>>> CN=storage.jokefire.com/emailAddress=blu...@gm...
>>>>>>>>>
>>>>>>>>> please could you show the value for DirAddress =
>>>>>>>>> bacula.example.org
>>>>>>>>>
>>>>>>>>> in my case:
>>>>>>>>>
>>>>>>>>> DirAddress = bacula.example.org
>>>>>>>>>
>>>>>>>>> TLS Enable = yes
>>>>>>>>> TLS Require = yes
>>>>>>>>> TLS Verify Peer = no
>>>>>>>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>>>>>>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>>>>>>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>>>>>>>
>>>>>>>>> Looking at the cert:
>>>>>>>>>
>>>>>>>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>>>>>>>
>>>>>>>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>>>>>>>>
>>>>>>>>> The CN must be the same as DirAddress (I did not use email
>>>>>>>>> address for cert sign)
>>>>>>>>>
>>>>>>>>> Regards, I
>>>>>>>>>
>>>>>>>>> 2013/11/27 Tim Dunphy <blu...@gm...>
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I'm trying to add TLS encryption to my bacula setup.
>>>>>>>>>>
>>>>>>>>>> I've been following this guide which got me almost all of the
>>>>>>>>>> way there:
>>>>>>>>>>
>>>>>>>>>> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>>>>>>>>>>
>>>>>>>>>> I modified the following sections in my bacula-dir.conf file:
>>>>>>>>>>
>>>>>>>>>> Director {                            # define myself
>>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>>   DIRport = 9101                      # where we listen for UA connections
>>>>>>>>>>   QueryFile = "/etc/bacula/query.sql"
>>>>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>>>>   PidDirectory = "/var/run"
>>>>>>>>>>   Maximum Concurrent Jobs = 1
>>>>>>>>>>   Password = "secret"                 # Console password
>>>>>>>>>>   Messages = Daemon
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>>   TLS Verify Peer = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Client {
>>>>>>>>>>   Name = ops.jokefire.com
>>>>>>>>>>   Address = ops.jokefire.com
>>>>>>>>>>   FDPort = 9102
>>>>>>>>>>   Catalog = JokefireCatalog
>>>>>>>>>>   Password = "secret"                 # password for FileDaemon
>>>>>>>>>>   File Retention = 14 days            # 14 days
>>>>>>>>>>   Job Retention = 14d                 # 14 days
>>>>>>>>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> And in my bacula-fd.conf
>>>>>>>>>>
>>>>>>>>>> Director {
>>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>>   Password = "secret"
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> FileDaemon {                          # this is me
>>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>>   FDport = 9102                       # where we listen for the director
>>>>>>>>>>   WorkingDirectory = /var/bacula
>>>>>>>>>>   Pid Directory = /var/run
>>>>>>>>>>   Maximum Concurrent Jobs = 20
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> In bacula-sd.conf:
>>>>>>>>>>
>>>>>>>>>> Storage {                             # definition of myself
>>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>>   SDPort = 9103                       # Director's port
>>>>>>>>>>   WorkingDirectory = "/var/spool/bacula"
>>>>>>>>>>   Pid Directory = "/var/run"
>>>>>>>>>>   Maximum Concurrent Jobs = 20
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>>   TLS Verify Peer = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> And finally in bconsole.conf:
>>>>>>>>>>
>>>>>>>>>> Director {
>>>>>>>>>>   Name = storage.jokefire.com
>>>>>>>>>>   DIRport = 9101
>>>>>>>>>>   address = storage.jokefire.com
>>>>>>>>>>   Password = "secret"
>>>>>>>>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>>>>>>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>>>>>>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>>>>>>>>   TLS Enable = yes
>>>>>>>>>>   TLS Require = yes
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Then I bounced the services so all seems well at this point:
>>>>>>>>>>
>>>>>>>>>> [root@storage:/etc/bacula] #bounce-bacula
>>>>>>>>>> Stopping Bacula Storage services:                          [  OK  ]
>>>>>>>>>> Starting Bacula Storage services:                          [  OK  ]
>>>>>>>>>> Stopping Bacula File services:                             [  OK  ]
>>>>>>>>>> Starting Bacula File services:                             [  OK  ]
>>>>>>>>>> Stopping Bacula Director services:                         [  OK  ]
>>>>>>>>>> Starting Bacula Director services:                         [  OK  ]
>>>>>>>>>>
>>>>>>>>>> (wrote a script to bounce all services because I'm lazy)
>>>>>>>>>>
>>>>>>>>>> But when I go into bconsole I get the following (until I restore
>>>>>>>>>> from backup)
>>>>>>>>>>
>>>>>>>>>> [root@storage:/etc/bacula] #bconsole
>>>>>>>>>> Connecting to Director storage.jokefire.com:9101
>>>>>>>>>> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=blu...@gm..., subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=blu...@gm..., ERR=18:self signed certificate
>>>>>>>>>> TLS negotiation failed
>>>>>>>>>> Director authorization problem.
>>>>>>>>>> Most likely the passwords do not agree.
>>>>>>>>>> If you are using TLS, there may have been a certificate
>>>>>>>>>> validation error during the TLS handshake.
>>>>>>>>>> Please see
>>>>>>>>>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>>>>>>>>
>>>>>>>>>> I've saved my work with TLS so I'm eager to get this going. I
>>>>>>>>>> used the following guide to generating the certs, and I'm wondering if the
>>>>>>>>>> problem could possibly be in the way I generated the certs?
>>>>>>>>>>
>>>>>>>>>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>>>>>>>>>
>>>>>>>>>> Thanks for any and all advice!
>>>>>>>>>>
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> GPG me!!
>>>>>>>>>>
>>>>>>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Bacula-users mailing list
>>>>>>>>>> Bac...@li...
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> ####################################
>>>>>>>>> Iban Cabrillo Bartolome
>>>>>>>>> Instituto de Fisica de Cantabria (IFCA)
>>>>>>>>> Santander, Spain
>>>>>>>>> Tel: +34942200969
>>>>>>>>> ####################################
>>>>>>>>> Bertrand Russell:
>>>>>>>>> *"The trouble with the world is that the stupid are cocksure and the
>>>>>>>>> intelligent are full of doubt"*
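The ERR=18 in every failing bconsole run above is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the certificate presented at depth 0 is its own issuer, and a self-signed certificate only verifies if that same certificate is the trust anchor, not rootBaculaCA.pem. The script below is an added example (not code from the thread or from Bacula) that builds a scratch CA plus one self-signed and one CA-issued certificate, reproduces error 18 with openssl verify, and shows the three checks to run on each daemon's cert/key/CA triple; all names and files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "ERR=18:self signed
# certificate" with plain openssl and tell a self-signed daemon cert apart
# from one issued by the CA named in "TLS CA Certificate File". Everything
# is constructed under a scratch directory; nothing under /etc/pki is used.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway root CA standing in for rootBaculaCA.pem (constructed name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-root-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Case A: a self-signed daemon certificate. Issuer equals subject, which is
# exactly what the thread's error line shows at depth 0.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=storage.example.test" \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1

# Case B: a daemon certificate issued by the CA (a CSR signed with ca.key).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=storage.example.test" \
  -keyout "$WORK/signed.key" -out "$WORK/signed.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/signed.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/signed.crt" >/dev/null 2>&1

# Prints "self-signed" when issuer and subject are identical, else "ca-issued".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Succeeds only when CERT ($1) chains to the CA file ($2): the same path
# validation the daemons' OpenSSL verify callback performs during the handshake.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints the X509 verify error number openssl reports for CERT ($1) against
# the CA file ($2); 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the thread's
# ERR=18. Prints nothing when verification succeeds.
verify_error_code() {
  openssl verify -CAfile "$2" "$1" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Succeeds when the private key ($2) belongs to the certificate ($1), by
# comparing the public key each of them carries.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run the three checks on both constructed certificates.
for name in selfsigned signed; do
  crt="$WORK/$name.crt"
  code=$(verify_error_code "$crt" "$WORK/ca.pem")
  printf '%-10s kind=%-11s chains-to-CA=%-3s verify-error=%-4s key-matches=%s\n' \
    "$name" "$(cert_kind "$crt")" \
    "$(cert_chains_to_ca "$crt" "$WORK/ca.pem" && echo yes || echo no)" \
    "${code:-none}" \
    "$(key_matches_cert "$crt" "$WORK/$name.key" && echo yes || echo no)"
done
```

Point the same three functions at a real daemon's "TLS Certificate", "TLS Key" and "TLS CA Certificate File" values: a daemon cert that reports self-signed and error 18 against the CA file is the condition the thread is hitting, and "TLS Verify Peer" does not change that result because the peer is validating the daemon's certificate chain, not the other way round.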