Bacula-users

Re: [Bacula-users] bacula TLS help

2013-12-08 10:02:51
Subject: Re: [Bacula-users] bacula TLS help
From: Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>
To: Tim Dunphy <bluethundr AT gmail DOT com>
Date: Sun, 8 Dec 2013 12:56:41 -0200
Hi Tim!

You're welcome! Glad to hear it! I'm sure you'll get it working! And also I'm sure the list will be here to help you :)

Best regards,
Ana


On Sat, Dec 7, 2013 at 9:19 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hi Ana,


 Thanks for that advice.

Here's the storage section from my bacula-dir.conf

Storage {
  Name = File
# Do not use "localhost" here
  Address = ops.jokefire.com    # N.B. Use a fully qualified name here
  SDPort = 9103
  Password = "secret"
  Device = FileStorage
  Media Type = File
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}



Here's status client:

[root@ops:/etc/bacula] #bconsole
Connecting to Director ops.jokefire.com:9101
1000 OK: ops.jokefire.com Version: 5.2.13 (19 February 2013)
Enter a period to cancel a command.
*st client
Automatically selected Client: ops.jokefire.com
Connecting to Client ops.jokefire.com at ops.jokefire.com:9102

ops.jokefire.com Version: 5.2.13 (19 February 2013)  x86_64-unknown-linux-gnu redhat
Daemon started 07-Dec-13 12:56. Jobs: run=0 running=0.
 Heap: heap=1,024,000 smbytes=198,355 max_bytes=210,031 bufs=152 max_bufs=166
 Sizeof: boffset_t=8 size_t=8 debug=0 trace=0
Running Jobs:
JobId 5 Job ops.jokefire.com.2013-12-07_12.57.06_03 is running.
    Full Backup Job started: 07-Dec-13 12:57
    Files=7,588 Bytes=700,237,644 Bytes/sec=1,075,633 Errors=0
    Files Examined=7,613
    Processing file: /var/account/pacct.3.gz
    SDReadSeqNo=5 fd=5
Director connected at: 07-Dec-13 13:08
====

Terminated Jobs:
 JobId  Level    Files      Bytes   Status   Finished        Name
======================================================================
    86  Full    249,198    6.704 G  OK       01-Dec-13 03:20 ops.jokefire.com
    90  Full          1    377.4 M  OK       01-Dec-13 09:33 Jokefire_BackupCatalog
    93  Incr          0         0   Error    02-Dec-13 12:54 ops.jokefire.com
     1  Full    249,265    6.711 G  OK       03-Dec-13 03:22 ops.jokefire.com
     5  Full          1    170.1 M  OK       03-Dec-13 15:45 Jokefire_BackupCatalog
     6  Incr     18,175    847.8 M  OK       04-Dec-13 03:32 ops.jokefire.com
    10  Full          1    197.0 M  OK       04-Dec-13 05:48 Jokefire_BackupCatalog
    11  Incr      1,127    728.2 M  OK       05-Dec-13 03:08 ops.jokefire.com
    15  Full          1    215.5 M  OK       05-Dec-13 03:47 Jokefire_BackupCatalog
    19               12    1.497 K  OK       06-Dec-13 21:55 RestoreFiles
====


And here's status storage:


*st storage
Automatically selected Storage: File
Connecting to Storage daemon File at ops.jokefire.com:9103

ops.jokefire.com Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat 
Daemon started 07-Dec-13 12:56. Jobs: run=0, running=0.
 Heap: heap=528,384 smbytes=176,909 max_bytes=177,103 bufs=120 max_bufs=122
 Sizes: boffset_t=8 size_t=8 int32_t=4 int64_t=8 mode=0,0

Running Jobs:
Writing: Full Backup job ops.jokefire.com JobId=5 Volume="jf-backup-tape-0001"
    pool="Default" device="FileStorage" (/backup/tapes)
    spooling=0 despooling=0 despool_wait=0
    Files=9,260 Bytes=737,070,299 AveBytes/sec=630,071 LastBytes/sec=291,475
    FDReadSeqNo=91,891 in_msg=64937 out_msg=5 fd=5
====

Jobs waiting to reserve a drive:
====

Terminated Jobs:
 JobId  Level    Files      Bytes   Status   Finished        Name 
===================================================================
     7  Incr    141,763    2.790 G  OK       04-Dec-13 04:26 beta.jokefire.com
     8  Incr     62,690    1.250 G  OK       04-Dec-13 05:04 chef.jokefire.com
     9  Incr        823    558.5 M  OK       04-Dec-13 05:26 logs.jokefire.com
    10  Full          1    197.0 M  OK       04-Dec-13 05:48 Jokefire_BackupCatalog
    11  Incr      1,127    728.3 M  OK       05-Dec-13 03:08 ops.jokefire.com
    12  Incr    149,766    2.811 G  OK       05-Dec-13 03:36 beta.jokefire.com
    13  Incr        515    267.5 M  OK       05-Dec-13 03:38 chef.jokefire.com
    14  Incr      1,070    903.1 M  OK       05-Dec-13 03:44 logs.jokefire.com
    15  Full          1    215.5 M  OK       05-Dec-13 03:47 Jokefire_BackupCatalog
    19                0         0   OK       06-Dec-13 21:55 RestoreFiles
====

Device status:

Device "FileStorage" (/backup/tapes) is mounted with:
    Volume:      jf-backup-tape-0001
    Pool:        Default
    Media type:  File
    Total Bytes=737,888,459 Blocks=11,438 Bytes/block=64,512
    Positioned at File=0 Block=737,888,458
==
====

Used Volume status:
jf-backup-tape-0001 on device "FileStorage" (/backup/tapes)
    Reader=0 writers=1 reserves=0 volinuse=1
===
 And now the exciting part!

My first successful SSL backup!

5  Full    307,963    7.177 G  OK       07-Dec-13 16:20 ops.jokefire.com

And my first successful restore:

Build OS:               x86_64-unknown-linux-gnu redhat 
  JobId:                  6
  Job:                    RestoreFiles.2013-12-07_16.36.37_43
  Restore Client:         ops.jokefire.com
  Start time:             07-Dec-2013 16:36:39
  End time:               07-Dec-2013 16:36:53
  Files Expected:         1
  Files Restored:         1
  Bytes Restored:         504
  Rate:                   0.0 KB/s
  FD Errors:              0
  FD termination status:  OK
  SD termination status:  OK
  Termination:            Restore OK

This is the file that I restored:

-rw-rw-rw- 1 root root 504 Dec  2 22:52 /backup/tapes/bacula-restores/etc/fstab


Now only to add the remote clients!

I'm taking a break before I get to this step. But I thank you all and Ana in particular for all the hard work and advice that got me to this stage so far.

I am optimistic that I can get the clients working with the remote clients as well. But I hope you won't hold it against me if I ping the list again should I run into any issues with that.

Thanks!!!
Tim






On Sat, Dec 7, 2013 at 7:55 AM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hi Tim!

Have you configured storage daemon with TLS? In bacula-dir.conf, you also need to configure storage with TLS in the same way you did for the filedaemon:

Storage {
  Name = File
# Do not use "localhost" here
  Address = ops.jokefire.com    # N.B. Use a fully qualified name here
  SDPort = 9103
  Password = "secret"
  Device = FileStorage
  Media Type = File
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}
Can you put here the results of a "status client" and "status storage"?
Do you have more about the error above in an email message or a log file?

Best regards,
Ana


On Sat, Dec 7, 2013 at 12:34 AM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hello Ana/All,

 I have some progress to report. Last night I was able to follow the steps that were provided by Ana to recreate the certs. That got me as far as logging into bconsole:

[root@ops:~] #bconsole
Connecting to Director ops.jokefire.com:9101
1000 OK: ops.jokefire.com Version: 5.2.13 (19 February 2013)
Enter a period to cancel a command.
*

And I can connect to the client:

*st client
Automatically selected Client: ops.jokefire.com
Connecting to Client ops.jokefire.com at ops.jokefire.com:9102

ops.jokefire.com Version: 5.2.13 (19 February 2013)  x86_64-unknown-linux-gnu redhat 
Daemon started 06-Dec-13 22:12. Jobs: run=0 running=0.
 Heap: heap=262,144 smbytes=26,654 max_bytes=26,801 bufs=72 max_bufs=73
 Sizeof: boffset_t=8 size_t=8 debug=0 trace=0 
Running Jobs:
Director connected at: 06-Dec-13 22:16
No Jobs running.
====

Terminated Jobs:
 JobId  Level    Files      Bytes   Status   Finished        Name 
======================================================================
    86  Full    249,198    6.704 G  OK       01-Dec-13 03:20 ops.jokefire.com
    90  Full          1    377.4 M  OK       01-Dec-13 09:33 Jokefire_BackupCatalog
    93  Incr          0         0   Error    02-Dec-13 12:54 ops.jokefire.com
     1  Full    249,265    6.711 G  OK       03-Dec-13 03:22 ops.jokefire.com
     5  Full          1    170.1 M  OK       03-Dec-13 15:45 Jokefire_BackupCatalog
     6  Incr     18,175    847.8 M  OK       04-Dec-13 03:32 ops.jokefire.com
    10  Full          1    197.0 M  OK       04-Dec-13 05:48 Jokefire_BackupCatalog
    11  Incr      1,127    728.2 M  OK       05-Dec-13 03:08 ops.jokefire.com
    15  Full          1    215.5 M  OK       05-Dec-13 03:47 Jokefire_BackupCatalog
    19               12    1.497 K  OK       06-Dec-13 21:55 RestoreFiles
====

It does seem at this point, however, that my celebration was a bit premature.

What I've done is scale down my normal backups to just the localhost on which bacula is running. Once I am able to take a full backup and perform a restore I will consider it a success. I should not have run a victory lap short of achieving this.

Because the next backup I tried to run produced this result:

06-Dec 22:13 ops.jokefire.com JobId 2: Error: Bacula ops.jokefire.com 5.2.13 (19Jan13):
  Build OS:               x86_64-unknown-linux-gnu redhat 
  JobId:                  2
  Job:                    ops.jokefire.com.2013-12-06_22.13.41_04
  Backup Level:           Full
  Client:                 "ops.jokefire.com" 5.2.13 (19Jan13) x86_64-unknown-linux-gnu,redhat,
  FileSet:                "Full Set" 2013-12-06 22:13:12
  Pool:                   "Default" (From Job resource)
  Catalog:                "JokefireCatalog" (From Client resource)
  Storage:                "File" (From Job resource)
  Scheduled time:         06-Dec-2013 22:13:33
  Start time:             06-Dec-2013 22:13:43
  End time:               06-Dec-2013 22:13:43
  Elapsed time:           0 secs
  Priority:               10
  FD Files Written:       0
  SD Files Written:       0
  FD Bytes Written:       0 (0 B)
  SD Bytes Written:       0 (0 B)
  Rate:                   0.0 KB/s
  Software Compression:   None
  VSS:                    no
  Encryption:             no
  Accurate:               no
  Volume name(s):         
  Volume Session Id:      0
  Volume Session Time:    0
  Last Volume Bytes:      0 (0 B)
  Non-fatal FD errors:    1
  SD Errors:              0
  FD termination status:  
  SD termination status:  
  Termination:            *** Backup Error ***
*
So dear friends, I was hoping to run my configs by you one more time (hopefully the last) in an attempt to troubleshoot this problem.

These are my cert files:

-r-------- 1 bacula bacula 2.2K Dec  5 21:20 /etc/pki/CA/certs/ca.crt
-r-------- 1 bacula bacula 1.9K Dec  5 21:20 /etc/pki/tls/certs/ops.jokefire.com.crt
-r-------- 1 bacula bacula 3.2K Dec  5 21:20 /etc/pki/tls/private/ops.jokefire.com.key

This is the state my configs were in during my last attempt. I have not yet reverted to the working configs.

bacula-dir.conf


Director {                            # define myself
  Name = ops.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

# Client (File Services) to backup
Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret"          # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d            # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

Storage {
  Name = File
# Do not use "localhost" here
  Address = ops.jokefire.com    # N.B. Use a fully qualified name here
  SDPort = 9103
  Password = "secret"
  Device = FileStorage
  Media Type = File
}

Console {
  Name = ops.jokefire.com
  Password = "secret"
  CommandACL = status, .status
}

bacula-fd

Director {
  Name = ops.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

FileDaemon {                          # this is me
  Name = ops.jokefire.com
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}
bacula-sd.conf
Storage {                             # definition of myself
  Name = ops.jokefire.com
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

Director {
  Name = ops.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
  #Monitor = yes
}

bconsole.conf
Director {
  Name = ops.jokefire.com
  DIRport = 9101
  address = ops.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}
I would once again appreciate any help or advice anyone has to offer on how best to proceed from here.

Best,
Tim


On Tue, Dec 3, 2013 at 4:45 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hi Tim!

Finally I have it working :)

I'm going to put here all that I did and maybe you will find an answer for your problem. The whole thing is about certificates. I think the two major problems are: removing the password from the director1 private key and having a CA to sign the director1 certificate (don't use a self-signed certificate).

So, I have a host named director1.example.com.br. The steps I took to create a CA and the director1.example.com.br certificate are:

Create CA key
1) openssl genrsa -des3 -out ca.key 4096

Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create director1 key and certificate signing request
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1key.key -out director1.csr

Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt

Don't know if it is necessary, but I converted .crt to .pem
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem

Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key

And below are the bacula-dir.conf and bconsole.conf sections about TLS:

Director {                            # define myself
  Name = director1-dir
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/opt/bacula/bin/query.sql"
  WorkingDirectory = "/opt/bacula/working"
  PidDirectory = "/opt/bacula/bin/working"
  Maximum Concurrent Jobs = 1
  Password = "bacula-dir"         # Console password
  Messages = Daemon

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "director1.example.com.br"
  TLS CA Certificate File = /etc/ssl/baculacerts/ca.pem
  TLS Certificate = /etc/ssl/baculacerts/director1.pem
  TLS Key = /etc/ssl/baculacerts/director1.key
}

Good luck and if you have any problems, please don't hesitate to contact me.

Regards,
Ana
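Ana's steps 1 to 8, rerun non-interactively as an added example that is not part of this thread, followed by the checks a Bacula peer's TLS settings amount to: chain validation against the configured CA (the failure behind the "ERR=18:self signed certificate" message earlier in the thread), distinct CA and daemon CNs, a CN that matches TLS Allowed CN, and a passphrase-free key. It assumes the openssl CLI is installed; host names, subject fields and the passphrase are constructed, and 2048-bit keys stand in for Ana's 4096-bit ones only to keep the run short.

```shell
#!/bin/sh
# Added example, not from the thread: rebuilds Ana's CA and director1
# certificate steps without prompts, then checks the three things that
# went wrong earlier in the thread. Assumes the openssl CLI; names, CNs
# and the passphrase are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

HOST_CN="director1.example.com.br"    # CN the director presents; also its TLS Allowed CN
CA_CN="director1.example.com.br CA"   # CA CN must NOT equal the daemon CN (naming collision)
PW="demo-passphrase"                  # constructed; only so genrsa -des3 needs no prompt
SUBJ="/C=BR/O=Example/OU=Ops"

# 1) and 2): encrypted CA key and self-signed CA certificate
openssl genrsa -des3 -passout "pass:$PW" -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$PW" \
    -subj "$SUBJ/CN=$CA_CN" -out ca.crt

# 3) and 4): encrypted director1 key and its signing request
openssl genrsa -des3 -passout "pass:$PW" -out director1key.key 2048 2>/dev/null
openssl req -new -key director1key.key -passin "pass:$PW" \
    -subj "$SUBJ/CN=$HOST_CN" -out director1.csr

# 5): director1 certificate signed by the CA
openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$PW" -set_serial 01 -out director1.crt 2>/dev/null

# 8): strip the passphrase; a Bacula daemon cannot type it at start-up
openssl rsa -in director1key.key -passin "pass:$PW" -out director1.key 2>/dev/null

# For contrast: a self-signed daemon certificate of the kind behind
# "ERR=18:self signed certificate". A peer trusting only ca.crt rejects it.
openssl req -new -x509 -days 3650 -key director1.key \
    -subj "$SUBJ/CN=$HOST_CN" -out selfsigned.crt

# --- the checks a peer effectively performs ---

# Would a peer with "TLS CA Certificate File = $1" accept certificate $2?
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of a certificate, in RFC 2253 form so the field is unambiguous.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# CA and daemon CNs must differ, as the earth-works guide quoted in the thread warns.
cn_distinct() {
    [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ]
}

# Does the certificate CN match what "TLS Allowed CN = $1" would require?
allowed_cn_ok() {
    [ "$(cert_cn "$2")" = "$1" ]
}

# A key the daemon can load unattended carries no ENCRYPTED marker in its PEM.
key_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Stand-alone run: one line per check.
report() {
    chain_ok ca.crt director1.crt          && echo "director1.crt chains to ca.crt"
    chain_ok ca.crt selfsigned.crt         || echo "selfsigned.crt rejected (the ERR=18 case)"
    cn_distinct ca.crt director1.crt       && echo "CA and daemon CNs differ"
    allowed_cn_ok "$HOST_CN" director1.crt && echo "daemon CN matches TLS Allowed CN"
    key_unencrypted director1key.key       || echo "director1key.key still has a passphrase"
    key_unencrypted director1.key          && echo "director1.key is usable unattended"
}
report
```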



On Mon, Dec 2, 2013 at 9:39 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hi Ana,

I think you can't have the director's name "storage.jokefire.com" and its certificate TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt. I found this guide for creating the CA and the certificates: http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
I think this is all a certificate issue. I'm going to try out this configuration here and post as soon as I can.


Ok, so I tried re-creating the certs using the CN ops.jokefire.com

Here's the server cert:

[root@ops:~/bacula-certs-new-new] #openssl x509 -noout -text -in ops.jokefire.com.crt | grep -i subject  | grep -i -v info
        Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com

And this is the server crt:

[root@ops:~/bacula-certs-new-new] #openssl x509 -noout -text -in ca.crt | grep -i subject | grep -i -v -e info -e identifier
        Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com CA

I just added the CA after the common name for the CA cert in order to prevent a naming collision as per this advice that I found in that other article I followed in how to name the CN.

"The Common Name (CN) of the CA and the Server certificates must NOT match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical."


And I renamed all references to director in all the configs to refer instead to 'ops.jokefire.com'

Director {                            # define myself
  Name = ops.jokefire.com 



And the error has not changed:


[root@ops:~] #bconsole
Connecting to Director storage.jokefire.com:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.


Thanks again for your input.

Tim
 



On Mon, Dec 2, 2013 at 2:02 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hi Tim,

I think you can't have the director's name "storage.jokefire.com" and its certificate TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt. I found this guide for creating the CA and the certificates: http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/

I think this is all a certificate issue. I'm going to try out this configuration here and post as soon as I can.

Regards,
Ana


On Fri, Nov 29, 2013 at 9:37 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hi Ana,

 Thanks for pointing me to that thread. The guy's problem was very similar to my own. But ultimately no such luck after following the advice there, sad to say.

The part that I keyed onto was where he said this:

Thank you. After a while I figured out how to do this. Furthermore I
had "nsCertType = server" in my caconfig.cnf and commented it. Now I
see...


That was on an Ubuntu machine. I'm on a CentOS 5.9 host and on my setup the file was openssl.cnf. I set the recommended settings there and regenerated the keys.

[root@storage:/etc/bacula] #grep -i nscerttype /etc/openvpn/easy-rsa/1.0/openssl.cnf
# Here are some examples of the usage of nsCertType. If it is omitted
# nsCertType                    = server
# nsCertType = objsign
# nsCertType = client, email
# nsCertType = client, email, objsign
# JY ADDED -- Make a cert with nsCertType set to "server"
nsCertType                      = server
# nsCertType = sslCA, emailCA

Here are the certs I've created for this go-around (and unfortunately I feel like I'm spinning in circles)

## CA Cert / Key
-r-------- 1 root root 2216 Nov 29 18:08 /etc/pki/CA/certs/ca.crt
-r-------- 1 root root 3243 Nov 29 18:08 /etc/pki/CA/private/ca.key

## Server Cert / Key
-r-------- 1 root root 1903 Nov 29 18:23 /etc/pki/tls/certs/ops.jokefire.com.crt
-r-------- 1 root root 3243 Nov 29 18:23 /etc/pki/tls/private/ops.jokefire.com.key


The guide that I used to create the keys for this attempt can be found here:


http://social.rocho.org/jan/selfsign.html

Which is a good one. I've used it before.

The Common Name (CN) of the CA and the Server certificates must NOT match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.
So I created the certs with differing hostnames for the CN section in the root CA cert and the server certificate:

Both of which are in the hosts file and pointing to the internal IP of the EC2 instance.

And here was the config for this attempt:

bacula-dir.conf
## Bacula Dir config

Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

# Client (File Services) to backup
Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret"          # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d            # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}
bacula-fd.conf
## Bacula FD config

Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

FileDaemon {                          # this is me
  Name = storage.jokefire.com
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

bacula-sd.conf 

## Bacula SD config
Storage {                             # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

#
# List Directors who are permitted to contact Storage daemon
#
Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
  #Monitor = yes
}
bconsole.conf
## Bconsole
Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

And this was the result of that attempt:

[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

Less verbose error than last time! So I feel that I may be getting closer. :)

Nothing turns up in the bacula log for some reason when I attempt. Oh well.

Next I tried commenting out tls options on just FD and SD to see if I could get DIR and Console to communicate via TLS.
Same EXACT outcome.

[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.


You guys have been great in responding and very patient. I hope this problem isn't wearing as thin on your nerves at this point as it is on mine! lol

Thanks again!
Tim


On Fri, Nov 29, 2013 at 3:52 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:


On Fri, Nov 29, 2013 at 5:30 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hello Ana and Iban,


Nice to meet you too and you're welcome :)

Thanks! :)
 
You are having problem in TLS communication between bconsole and director.
I suggest you to remove all the other TLS configuration (client, storage) and try to resolve this one first. When I tried this configuration, I remember doing that: TLS between director and bconsole, TLS between director and client, and so on.

Ok, well I took your advice and commented out the TLS configuration in the client section of bacula-dir, and commented it out entirely of the bacula-sd and bacula-fd configuration files. After bouncing the services again and going into bconsole I get the same error:

[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
29-Nov 15:06 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

I don't know if this could be an issue, but your certificate has an issuer OU different from the subject OU:

I'm actually not obscuring the rest of the cert data this time around. So you can see that the apparent disparity to which you refer was actually a mistake on my part in obscuring the data. However I don't see anything too threatening in revealing the info here.

[root@storage:/etc/bacula] #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject  | grep -i -v -e public
        Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=storage.jokefire.com

Looks like it agrees to me! So there shouldn't be a disparity of this nature causing the error I assume.


And in your bacula-sd.conf, also remove or set it to no: "TLS Verify Peer = yes".

I did try a bounce with this change in place, and it made no difference here either. I got the same exact error.



  I do not know which bacula version you have, but in the bconsole configuration file I have the address value pointing to the "director's machine name":

I do not know how to check the bacula version other than that of bconsole which is:

Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat

And I don't see any disparity between the director listed in the bacula-dir file and in the bconsole


bacula-dir.conf
Director {                            # define myself
  Name = storage.jokefire.com

bconsole.conf
Director {
  Name = storage.jokefire.com

Really I do not see any other problem.

Interesting to know!

Have you checked the firewall?

Well, on my first attempt I am merely trying to backup only the localhost. I know that there are two different names listed here (storage.jokefire.com and ops.jokefire.com) but these are merely two different DNS names for the same host. So the firewall shouldn't come into play here. Plus the fact that this is an EC2 host and I manage the firewall with AWS Security Groups and leave IPTables turned off.

But I wonder if that could also be another problem? Though I don't see it being part of the problem I'm having with getting bacula to agree with its own TLS configuration.

I really hope that the problem we're having here isn't centered around my using self-signed certs. I'd hate to shell out for a commercial one, especially as I consider the commercial cert business to be sort of a scam.

Thanks!
Tim


On Fri, Nov 29, 2013 at 2:41 PM, Iban Cabrillo <cabrillo AT ifca.unican DOT es> wrote:
Hi Tim, Ana,

  I do not know which bacula version you have, but in the bconsole configuration file I have the address value pointing to the "director's machine name":

  Director {
  Name = localhost-dir
  DIRport = 9101
  address = bacula.example.org
  Password = "somesecret"

  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key
}
Really I do not see any other problem.
Have you checked the firewall?

Regards, I



2013/11/29 Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>

Hi Tim,

Nice to meet you too and you're welcome :)
You are having problem in TLS communication between bconsole and director.
I suggest you to remove all the other TLS configuration (client, storage) and try to resolve this one first. When I tried this configuration, I remember doing that: TLS between director and bconsole, TLS between director and client, and so on.
I don't know if this could be an issue, but your certificate has an issuer OU different from the subject OU:

issuer = /C=US/ST=XX/L=XX/O=XX/OU=XXX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com

And in your bacula-sd.conf, also remove or set it to no: "TLS Verify Peer = yes".

Regards,
Ana


On Fri, Nov 29, 2013 at 3:16 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hello Ana,

 Nice to meet you and thank you for your input as well.

 Well I tried your suggestion and unfortunately I haven't had any more luck than with Iban's.

Here, for reference, are my TLS configs again.
bacula-dir.conf

Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
}

# Client (File Services) to backup
Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret"          # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d            # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
(testing with just one client until I get this sorted out)

Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

FileDaemon {                          # this is me
  Name = storage.jokefire.com
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}

bacula-sd.conf

Storage {                             # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}

bconsole.conf

Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
And the permissions on the cert files appear to be correct:

-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key

And the services bounce without any complaint:
[root@storage:~] #bounce-bacula
Stopping Bacula Storage services:                          [  OK  ]
Starting Bacula Storage services:                          [  OK  ]
Stopping Bacula File services:                             [  OK  ]
Starting Bacula File services:                             [  OK  ]
Stopping Bacula Director services:                         [  OK  ]
Starting Bacula Director services:                         [  OK  ]

Yet the same error as before is produced:

[root@storage:~] #bconsole
Connecting to Director storage.jokefire.com:9101
29-Nov 13:08 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XXX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
And I see that the subject line from the cert agrees with the error that I'm seeing in Bacula.
#openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject  | grep -i -v -e public
        Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
Looking forward to coming to some sort of resolution with this, it's been days and days that I've been working on it. And I certainly appreciate everyone's help and input.

Best,
Tim



On Thu, Nov 28, 2013 at 2:55 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hi Tim! Hi Iban!

Maybe the problem is in using "TLS Verify Peer = yes" with self-signed certificates. I found in http://www.bacula.org/manuals/en/concepts/concepts/Bacula_TLS_Communication.html:


TLS Verify Peer = <yes|no>
Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used, in which case the client certificate must correspond to the Allowed Common Name specified. This directive is valid only for a server and not in a client context.

bacula-sd.conf

Storage {                             # definition of myself
...
# Peer certificate is not required/requested -- peer validity
     # is verified by the storage connection cookie provided to the
     # File Daemon by the director.
     TLS Verify Peer = no
...
}
Some time ago I configured a test environment with TLS and I remember using "TLS Verify Peer = no" because of the self-signed certificates.

I think you can use "TLS Verify Peer = yes"  combined with:
TLS Allowed CN = <string list>
Common name attribute of allowed peer certificates. If this directive is specified, all server certificates will be verified against this list. This can be used to ensure that only the CA-approved Director may connect. This directive may be specified more than once.


Best regards,
Ana
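An added example, not from the thread and not Bacula's own tooling: a POSIX shell check for the two conditions discussed above, that the daemon certificate is issued by the CA named in "TLS CA Certificate File" rather than self-signed (which is what bconsole's ERR=18 means), and that its CN equals the configured address. The hostnames, file names and the CA used here are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or Bacula): reproduce the two checks that
# decide whether a Bacula daemon certificate will pass the TLS handshake.
# All hostnames and paths are constructed for illustration.

# issue_daemon_cert CA_CERT CA_KEY HOST OUTDIR
# Issues a daemon cert whose issuer is the CA named in "TLS CA Certificate File"
# instead of a self-signed one (issuer == subject), with CN set to HOST.
issue_daemon_cert() {
    ca_cert="$1"; ca_key="$2"; host="$3"; out="$4"
    openssl req -newkey rsa:2048 -nodes -keyout "$out/$host.key" \
        -out "$out/$host.csr" -subj "/CN=$host" >/dev/null 2>&1 || return 1
    # Sign the CSR with the CA key so the result chains to CA_CERT.
    openssl x509 -req -in "$out/$host.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -out "$out/$host.crt" -days 365 >/dev/null 2>&1
}

# cert_cn CERT
# Prints only the CN, ignoring emailAddress or other RDNs in the subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# check_bacula_cert CA_CERT CERT HOST
# Returns 0 when CERT verifies against CA_CERT and its CN equals HOST.
check_bacula_cert() {
    ca_cert="$1"; cert="$2"; host="$3"
    # A self-signed cert that is not itself in the CA file fails here with
    # "error 18 ... self signed certificate", the ERR=18 bconsole reported.
    if ! openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca_cert" >&2
        return 1
    fi
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CN '$cn' does not match configured address '$host'" >&2
        return 1
    fi
    echo "OK: $cert is issued by the CA and its CN matches $host"
}
```

Run check_bacula_cert against each daemon's cert with the CA file from its config and the Address or DirAddress the peers use to reach it.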



On Thu, Nov 28, 2013 at 4:07 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hi Iban,

Hi Tim,
  I was pretty sure that the trouble was in the CN. Could you try to create the cert without the email value?? /emailAddress=bluethundr AT gmail DOT com, only CN=storage.jokefire.com.

 Have you also checked that these files:

  /etc/pki/tls/certs/storage.jokefire.com.crt
  /etc/pki/tls/private/storage.jokefire.com.key

belong to the bacula user?

regards, I


I was able to recreate the cert without the email address and ensure that the files were owned by the bacula user:

[root@storage:~/bacula-certs-new] #ls -l /etc/pki/tls/certs/storage.jokefire.com.crt /etc/pki/tls/private/storage.jokefire.com.key /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
You have mail in /var/spool/mail/root


And this is what the Subject line of the key file looks like now:

openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text

Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com

Once again all services bounce cleanly.

However when I go into bconsole this is what I find:

[root@storage:~/bacula-certs-new] #bconsole
Connecting to Director storage.jokefire.com:9101
28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.


Passwords have not been changed from the working configs, which have been in place and working for several months now.

Any further thoughts?

Many thanks and I hope you are enjoying your holiday!

Tim


On Thu, Nov 28, 2013 at 6:35 AM, Iban Cabrillo <cabrillo AT ifca.unican DOT es> wrote:
Hi Tim,
  I was pretty sure that the trouble was in the CN. Could you try to create the cert without the email value?? /emailAddress=bluethundr AT gmail DOT com, only CN=storage.jokefire.com.

 Have you also checked that these files:

  /etc/pki/tls/certs/storage.jokefire.com.crt
  /etc/pki/tls/private/storage.jokefire.com.key

belong to the bacula user?

regards, I


2013/11/28 Tim Dunphy <bluethundr AT gmail DOT com>
Hello Iban! And thank you for your reply.

 
 I have a similar configuration. I think that the problem is in the CN:
CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com
 

Please, could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key


This is my director configuration from bacula-dir.conf


Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}


I hope I got you right in that this was what you needed to know.
 
Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org

openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text

  Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com

[root@storage:~] #hostname -f
storage.jokefire.com



The CN must be the same as DirAddress (I did not use an email address for the cert signing)



It appears as if the DirAddress and the common name do agree. Might there be something else I could have missed?

Thanks
Tim


On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cabrillo AT ifca.unican DOT es> wrote:
Hi Tim,
 I have a similar configuration. I think that the problem is in the CN:
CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com
 

Please, could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key

Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org

The CN must be the same as DirAddress (I did not use an email address for the cert signing)

Regards, I


2013/11/27 Tim Dunphy <bluethundr AT gmail DOT com>

Hello all,


 I'm trying to add TLS encryption to my bacula setup. 

 

 I've been following this guide which got me almost all of the way there:

 http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/


I modified the following sections in my bacula-dir.conf file:


Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}


Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret"          # password for FileDaemon
  File Retention = 14 days            # 14 days
  Job Retention = 14d            # 14 days
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}



And in my bacula-fd.conf


Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


FileDaemon {                          # this is me
  Name = storage.jokefire.com
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


In bacula-sd.conf:


Storage {                             # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}


And finally in bconsole.conf:


Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}


Then I bounced the services so all seems well at this point:


[root@storage:/etc/bacula] #bounce-bacula
Stopping Bacula Storage services:                          [  OK  ]
Starting Bacula Storage services:                          [  OK  ]
Stopping Bacula File services:                             [  OK  ]
Starting Bacula File services:                             [  OK  ]
Stopping Bacula Director services:                         [  OK  ]
Starting Bacula Director services:                         [  OK  ]


(wrote a script to bounce all services because I'm lazy)


But when I go into bconsole I get the following (until I restore from backup)


[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.


I've saved my work with TLS so I'm eager to get this going. I used the following guide to generating the certs, and I'm wondering if the problem could possibly be in the way I generated the certs?


http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/


Thanks for any and all advice!


Tim


--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users




--
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
"The problem with the world is that the stupid are sure of everything and the intelligent are full of doubts"
