Bacula-users

Re: [Bacula-users] TLS problem

2010-03-25 12:47:15
Subject: Re: [Bacula-users] TLS problem
From: Zsolt Kozak <kozakzs AT gmail DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Thu, 25 Mar 2010 17:44:30 +0100
Hi there,

Finally I could fix the issue. :) The problem was with the FQDN... My Bacula components used the IP address instead of the FQDN... It worked as long as I did not use TLS, but the FQDN was needed to make TLS work. ;)

cheers,
Zsolt

On Wed, Mar 24, 2010 at 6:55 PM, Zsolt Kozak <kozakzs AT gmail DOT com> wrote:
Hi there,

I googled around quite a lot and got no answer for my TLS issue, so I'm trying this email list.

First of all, I have a tested Bacula system with a working director, storage, filedaemon, bat and bconsole. I tried to set up TLS in each component but failed, so I thought I would try it step by step. My first step was setting up TLS communication between the director and a bconsole only. I failed. :( It's interesting that the TLS communication seemed to be set up correctly on the director side; it failed on the bconsole side only.

Here are the debug messages on both sides.

director:

bacula-dir: bnet.c:669-0 who=client host=192.168.99.55 port=36131
bacula-dir: jcr.c:841-0 set_jcr_job_status(*System*, C)
bacula-dir: jcr.c:850-0 OnEntry JobStatus=
bacula-dir: jcr.c:861-0 Set new stat. old:
bacula-dir: jcr.c:866-0 leave set_job_status old=
bacula-dir: job.c:1349-0 wstorage=InternalStorage
bacula-dir: job.c:1358-0 wstore=InternalStorage where=Pool resource
bacula-dir: job.c:1010-0 JobId=0 created Job=-Console-.2010-03-24_18.42.43_02
bacula-dir: jcr.c:841-0 set_jcr_job_status(-Console-.2010-03-24_18.42.43_02, R)
bacula-dir: jcr.c:850-0 OnEntry JobStatus=C newJobstatus=R
bacula-dir: jcr.c:861-0 Set new stat. old: C,0 new: R,0
bacula-dir: jcr.c:866-0 leave set_job_status old=C new=R
bacula-dir: cram-md5.c:73-0 send: auth cram-md5 <1970824079.1269452563@bacula-dir> ssl=2
bacula-dir: cram-md5.c:133-0 cram-get received: auth cram-md5 <1490485609.1269452563@bconsole> ssl=2
bacula-dir: cram-md5.c:152-0 sending resp to challenge: sH0FRSMzF1+uG4Ab6CJIQD
bacula-dir: bnet.c:262-0 TLS server negotiation established.
bacula-dir: watchdog.c:193-0 Registered watchdog 8bdcce8, interval 120<NULL>
bacula-dir: btimers.c:187-0 Start bsock timer 8c02300 tid=b5f03b70 for 120 secs at 1269452563
bacula-dir: btimers.c:201-0 Stop bsock timer 8c02300 tid=b5f03b70 at 1269452563.
bacula-dir: watchdog.c:213-0 Unregistered watchdog 8bdcce8
bacula-dir: watchdog.c:193-0 Registered watchdog 8bdcce8, interval 120<NULL>
bacula-dir: btimers.c:187-0 Start bsock timer 8c02300 tid=b5f03b70 for 120 secs at 1269452563
bacula-dir: btimers.c:201-0 Stop bsock timer 8c02300 tid=b5f03b70 at 1269452563.
bacula-dir: watchdog.c:213-0 Unregistered watchdog 8bdcce8
bacula-dir: job.c:1064-0 Start dird free_jcr
bacula-dir: job.c:1035-0 Free JCR fname
bacula-dir: job.c:1121-0 End dird free_jcr
bacula-dir: message.c:460-0 Close_msg jcr=8bdb0f8
bacula-dir: message.c:460-0 Close_msg jcr=0
bacula-dir: message.c:472-0 ===Begin close msg resource at 8bc0de0
bacula-dir: message.c:557-0 Done walking message chain.
bacula-dir: message.c:562-0 ===End close msg resource
bacula-dir: mem_pool.c:370-0 garbage collect memory pool


bconsole:

bconsole: parse_conf.c:881-0 Enter parse_config()
bconsole: parse_conf.c:883-0 parse_config pass 1
bconsole: lex.c:186-0 Open config file: /etc/bacula/bconsole.conf
bconsole: lex.c:239-0 fget line=1 #
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
bconsole: lex.c:239-0 fget line=2 # Bacula User Agent (or Console) Configuration File
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
bconsole: lex.c:239-0 fget line=3 #
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
bconsole: lex.c:239-0 fget line=4
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
bconsole: lex.c:239-0 fget line=5 Director {
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:202-0 Item=name def=no defval=0
bconsole: parse_conf.c:202-0 Item=description def=no defval=0
bconsole: parse_conf.c:202-0 Item=dirport def=yes defval=9101
bconsole: parse_conf.c:202-0 Item=address def=no defval=0
bconsole: parse_conf.c:202-0 Item=password def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsauthenticate def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsenable def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsrequire def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscacertificatefile def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscacertificatedir def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscertificate def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlskey def=no defval=0
bconsole: parse_conf.c:202-0 Item=heartbeatinterval def=yes defval=0
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_BOB
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_EOL
bconsole: lex.c:239-0 fget line=6     Name                    = bacula-dir
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for name
bconsole: lex.c:239-0 fget line=7     DIRport                 = 9101
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for dirport
bconsole: lex.c:239-0 fget line=8     address                 = 192.168.99.55
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for address
bconsole: lex.c:239-0 fget line=9     Password                = "secret"
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for password
bconsole: lex.c:239-0 fget line=10     TLS Enable              = yes
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlsenable
bconsole: lex.c:239-0 fget line=11     TLS Require             = yes
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlsrequire
bconsole: lex.c:239-0 fget line=12     TLS CA Certificate File = /etc/bacula/certs/CA.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlscacertificatefile
bconsole: lex.c:239-0 fget line=13     TLS Certificate         = /etc/bacula/certs/bacula-dir-tls-client-cert.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlscertificate
bconsole: lex.c:239-0 fget line=14     TLS Key                 = /etc/bacula/certs/bacula-dir-tls-client-key.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlskey
bconsole: lex.c:239-0 fget line=15 }
bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_EOB
bconsole: parse_conf.c:979-0 T_EOB => define new resource
bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
bconsole: parse_conf.c:883-0 parse_config pass 2
bconsole: lex.c:186-0 Open config file: /etc/bacula/bconsole.conf
bconsole: lex.c:239-0 fget line=1 #
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
bconsole: lex.c:239-0 fget line=2 # Bacula User Agent (or Console) Configuration File
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
bconsole: lex.c:239-0 fget line=3 #
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
bconsole: lex.c:239-0 fget line=4
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
bconsole: lex.c:239-0 fget line=5 Director {
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:202-0 Item=name def=no defval=0
bconsole: parse_conf.c:202-0 Item=description def=no defval=0
bconsole: parse_conf.c:202-0 Item=dirport def=yes defval=9101
bconsole: parse_conf.c:202-0 Item=address def=no defval=0
bconsole: parse_conf.c:202-0 Item=password def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsauthenticate def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsenable def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlsrequire def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscacertificatefile def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscacertificatedir def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlscertificate def=no defval=0
bconsole: parse_conf.c:202-0 Item=tlskey def=no defval=0
bconsole: parse_conf.c:202-0 Item=heartbeatinterval def=yes defval=0
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_BOB
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_EOL
bconsole: lex.c:239-0 fget line=6     Name                    = bacula-dir
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for name
bconsole: lex.c:239-0 fget line=7     DIRport                 = 9101
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for dirport
bconsole: lex.c:239-0 fget line=8     address                 = 192.168.99.55
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for address
bconsole: lex.c:239-0 fget line=9     Password                = "secret"
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for password
bconsole: lex.c:239-0 fget line=10     TLS Enable              = yes
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlsenable
bconsole: lex.c:239-0 fget line=11     TLS Require             = yes
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlsrequire
bconsole: lex.c:239-0 fget line=12     TLS CA Certificate File = /etc/bacula/certs/CA.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlscacertificatefile
bconsole: lex.c:239-0 fget line=13     TLS Certificate         = /etc/bacula/certs/bacula-dir-tls-client-cert.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlscertificate
bconsole: lex.c:239-0 fget line=14     TLS Key                 = /etc/bacula/certs/bacula-dir-tls-client-key.pem
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
bconsole: parse_conf.c:960-0 calling handler for tlskey
bconsole: lex.c:239-0 fget line=15 }
bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_EOB
bconsole: parse_conf.c:979-0 T_EOB => define new resource
bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
No record for 1001 console
Director: name=bacula-dir address=192.168.99.55 DIRport=9101
bconsole: parse_conf.c:1013-0 Leave parse_config()
bconsole: watchdog.c:78-0 Initialising NicB-hacked watchdog thread
Connecting to Director 192.168.99.55:9101
bconsole: watchdog.c:250-0 NicB-reworked watchdog thread entered
bconsole: watchdog.c:193-0 Registered watchdog 907ec60, interval 15<NULL>
bconsole: btimers.c:155-0 Start thread timer 907ec20 tid b71c96d0 for 15 secs.
bconsole: bsock.c:221-0 Current host[ipv4:192.168.99.55:9101] All host[ipv4:192.168.99.55:9101]
bconsole: bsock.c:155-0 who=Director daemon host=192.168.99.55 port=9101
bconsole: btimers.c:215-0 Stop thread timer 907ec20 tid=b71c96d0.
bconsole: watchdog.c:213-0 Unregistered watchdog 907ec60
bconsole: watchdog.c:193-0 Registered watchdog 907ec60, interval 300<NULL>
bconsole: btimers.c:187-0 Start bsock timer 907ec20 tid=b71c96d0 for 300 secs at 1269452563
bconsole: cram-md5.c:133-0 cram-get received: auth cram-md5 <1970824079.1269452563@bacula-dir> ssl=2
bconsole: cram-md5.c:152-0 sending resp to challenge: hz/2wWs37EI/f6+LO9gDeA
bconsole: cram-md5.c:80-0 send: auth cram-md5 <1490485609.1269452563@bconsole> ssl=2
bconsole: cram-md5.c:99-0 Authenticate OK sH0FRSMzF1+uG4Ab6CJIQD
TLS negotiation failed
bconsole: btimers.c:201-0 Stop bsock timer 907ec20 tid=b71c96d0 at 1269452563.
bconsole: watchdog.c:213-0 Unregistered watchdog 907ec60
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00376000000000 0000000 for help.
bconsole: watchdog.c:312-0 NicB-reworked watchdog thread exited


I am using Bacula on Ubuntu 9.10, but from Debian Lenny Backports because Ubuntu misses the latest release of Bacula. Version number is 5.0.1-1~bpo50+1. The bconsole and the director are on the same host.

I generated the certificates by EJBCA. I generated a server certificate for the director and a client certificate for the bconsole. I also tried to generate certificates "by hand" with openssl. Got the same error. I tried to connect to the director by another bconsole from another host. Got the same error. I tried to use different CNs in the certificates: simple name, FQDN, IP address. Got the same error.

Do you have any idea what's wrong? It's interesting that the TLS-connection is OK on the server side, only the bconsole has problems with it....

Any help appreciated.

thanks,
Zsolt
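
The fix reported at the top of this thread (connect by FQDN, not IP address, once TLS is on) can be checked before starting bconsole. The sketch below is an added example, not code from the post or from Bacula; it assumes the console compares the configured address, case-insensitively and without wildcards, with the names in the Director's certificate, and bacula-dir.example.org and the function names are made up for illustration.

```python
import ipaddress
import re

# Constructed sample: the Director resource as echoed in the bconsole debug log.
BCONSOLE_CONF = """\
Director {
    Name                    = bacula-dir
    DIRport                 = 9101
    address                 = 192.168.99.55
    Password                = "secret"
    TLS Enable              = yes
    TLS Require             = yes
    TLS CA Certificate File = /etc/bacula/certs/CA.pem
}
"""
# Hypothetical name in the Director certificate (CN or subjectAltName), e.g. as
# printed by `openssl x509 -noout -subject`; not a value from the thread.
CERT_NAMES = ["bacula-dir.example.org"]

def parse_resource(conf, kind):
    """Return the directives of the first `kind { ... }` block, with keys
    normalised as in the debug log (lower case, spaces removed)."""
    block = re.search(r"^\s*%s\s*\{(.*?)^\s*\}" % re.escape(kind), conf,
                      re.S | re.M | re.I)
    if block is None:
        raise ValueError("no %s resource found" % kind)
    items = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        items[key.replace(" ", "").lower()] = value.strip().strip('"')
    return items

def check_director_address(items, cert_names):
    """Return (ok, reason) for the address the console will connect to."""
    if items.get("tlsenable", "no").lower() != "yes":
        return True, "TLS not enabled; address is not compared with a certificate"
    address = items.get("address", "")
    if address.lower() in [name.lower() for name in cert_names]:
        return True, "address matches a certificate name"
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return False, "address %r is not among the certificate names" % address
    return False, "address is an IP literal; certificate names: " + ", ".join(cert_names)
```

Calling check_director_address(parse_resource(BCONSOLE_CONF, "Director"), CERT_NAMES) on the configuration from the log flags the IP literal; replacing the address with the certificate's name makes the check pass.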
