Bacula-users

[Bacula-users] Bacula TLS issue

2009-07-27 06:24:16
Subject: [Bacula-users] Bacula TLS issue
From: Juraj Pisar <yuri AT yuri DOT sk>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 27 Jul 2009 12:03:48 +0200
Hi

I have an issue with TLS on bacula-fd 3.0.2/3.0.1.

I downloaded sources from sources and compiled them with ssl enabled:

root@5-MeO-DMT:/home/yuri/bacula/bacula-3.0.1# ./configure --enable-client-only --with-openssl
root@5-MeO-DMT:/home/yuri/bacula/bacula-3.0.1# make
root@5-MeO-DMT:/home/yuri/bacula/bacula-3.0.1# make install

To prevent issues with certificates/typos in config files, I used config files from an already running node:

bacula-fd.conf  bconsole.conf  ca.crt  pki_keypair.pem  pki_master.cert  pki_master.key  proxy.crt  proxy.key  proxy.req
root@5-MeO-DMT:/home/yuri/bconf# cat bacula-fd.conf 

#
# Default  Bacula File Daemon Configuration file
#
#  For Bacula release 1.36.3 (22 April 2005) -- gentoo 1.12.6
#
# There is not much to change here except perhaps the
# File daemon Name to
#

#
# List Directors who are permitted to contact this File daemon
#

# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
   Name = hirudegarn-mon
   Password = "XXXXX"
   Monitor = yes
}
Director {
   Name = hirudegarn-dir
   Password = "XXXXXX"
   TLS Enable = yes
   TLS Require = yes
   TLS Verify Peer = yes
   TLS Allowed CN = "hirudegarn.local"
   TLS CA Certificate File = /etc/bacula/ca.crt
   TLS Key = /etc/bacula/proxy.key
   TLS Certificate = /etc/bacula/proxy.crt
}

#
#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
   Name = kerberos-fd
   FDport = 9102                  # where we listen for the director
   WorkingDirectory = /var/bacula
   Pid Directory = /var/run
   Maximum Concurrent Jobs = 20

   TLS Enable = yes
   TLS Require = yes
   TLS CA Certificate File = /etc/bacula/ca.crt
   TLS Key = /etc/bacula/proxy.key
   TLS Certificate = /etc/bacula/proxy.crt

   PKI Signatures = Yes            # Enable Data Signing
   PKI Encryption = Yes            # Enable Data Encryption
   PKI Keypair = "/etc/bacula/pki_keypair.pem"    # Public and Private Keys
   PKI Master Key = "/etc/bacula/pki_master.cert"    # ONLY the Public Key
}

# Send all messages except skipped files back to Director
Messages {
   Name = Daemon
   director = kerberos-dir = all, !skipped
}
root@5-MeO-DMT:/home/yuri/bconf# ls -la /etc/bacula/ca.crt /etc/bacula/proxy.key /etc/bacula/proxy.crt
-rw------- 1 root root   25 2008-03-19 00:00 /etc/bacula/ca.crt
-rw------- 1 root root 3885 2008-06-21 00:00 /etc/bacula/proxy.crt
-rw------- 1 root root  891 2007-06-21 00:00 /etc/bacula/proxy.key
root@5-MeO-DMT:/home/yuri/bconf#


root@5-MeO-DMT:/home/yuri/bconf# bacula-fd /home/yuri/bconf/bacula-fd.conf
27-Jul 11:55 kerberos-fd: Fatal Error at filed.c:365 because:
Failed to initialize TLS context for File daemon "kerberos-fd" in /home/yuri/bconf/bacula-fd.conf.
27-Jul 11:55 kerberos-fd: ERROR in filed.c:209 Please correct configuration file: /home/yuri/bconf/bacula-fd.conf
root@5-MeO-DMT:/home/yuri/bconf#

root@5-MeO-DMT:/home/yuri/bconf# ldd /sbin/bacula-fd
         linux-gate.so.1 =>  (0xffffe000)
         libz.so.1 => /usr/lib/libz.so.1 (0xb7fac000)
         libbacfind.so.1 => /usr/lib/libbacfind.so.1 (0xb7fa0000)
         libbacpy.so.1 => /usr/lib/libbacpy.so.1 (0xb7f9d000)
         libbaccfg.so.1 => /usr/lib/libbaccfg.so.1 (0xb7f96000)
         libbac.so.1 => /usr/lib/libbac.so.1 (0xb7f4e000)
         libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f3c000)
         libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f39000)
         libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7efb000)
         libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7dcb000)
         libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7cf6000)
         libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7cd4000)
         libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7cca000)
         libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b9b000)
         /lib/ld-linux.so.2 (0xb7fc9000)
root@5-MeO-DMT:/home/yuri/bconf#

It is on Ubuntu server

root@5-MeO-DMT:/home/yuri/bconf# uname -a
Linux 5-MeO-DMT 2.6.15-52-server #1 SMP Wed Oct 22 19:58:08 UTC 2008 i686 GNU/Linux
root@5-MeO-DMT:/home/yuri/bconf#


Can you please advise me how to identify where exactly the problem is? I
tried to increase the debug level to higher values (even to 99), without
success.

Can this be solved by downgrading to 2.2.X?

I run 3.0.0 on the director and storage.

Regards

Juraj



------------------------------------------------------------------------------
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
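
The "Failed to initialize TLS context" message above does not name the file that failed to load. As an added example (not part of the original post and not Bacula code), this Python check reads the three TLS file directives from a bacula-fd.conf and reports any file that is unreadable or lacks a well-formed PEM block of the expected type; the function names are hypothetical, and a file as small as the 25-byte ca.crt in the listing above is the kind of thing it flags.

```python
import base64
import os
import re

# The three TLS file directives used in the bacula-fd.conf above, mapped to the
# PEM block type each file must hold. Bacula ignores case and spaces in
# directive names, so the keys are stored normalised.
EXPECTED = {
    "tlscacertificatefile": "CERTIFICATE",
    "tlscertificate": "CERTIFICATE",
    "tlskey": "PRIVATE KEY",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_labels(path):
    """Return the labels of PEM blocks in path whose body is valid base64."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    labels = []
    for label, body in PEM_RE.findall(text):
        # Skip RFC 1421 header lines (Proc-Type, DEK-Info) of encrypted keys.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            if base64.b64decode(b64, validate=True):
                labels.append(label)
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return labels


def check_conf(conf_text):
    """Return (directive, path, problem) per TLS file; problem is None if OK."""
    findings = []
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        name = re.sub(r"\s+", "", key).lower()
        if not sep or name not in EXPECTED:
            continue
        path, problem = value.strip().strip('"'), None
        try:
            labels = pem_labels(path)
            if not any(l.endswith(EXPECTED[name]) for l in labels):
                size = os.path.getsize(path)
                problem = f"{size} bytes, no PEM {EXPECTED[name]} block"
        except OSError as exc:
            problem = f"cannot read: {exc.strerror}"
        findings.append((key.strip(), path, problem))
    return findings
```

Call `check_conf(open("/path/to/bacula-fd.conf").read())` as the user the daemon runs as, so that permission problems show up the same way they would for bacula-fd.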
