Hello all,

 I'm trying to add TLS encryption to my bacula setup. 

 

 I've been following this guide which got me almost all of the way there:

 http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/

I modified the following sections in my bacula-dir.conf file:

Director {                            # define myself

  Name = storage.jokefire.com

  DIRport = 9101                # where we listen for UA connections

  QueryFile = "/etc/bacula/query.sql"

  WorkingDirectory = "/var/spool/bacula"

  PidDirectory = "/var/run"

  Maximum Concurrent Jobs = 1

  Password = "secret"         # Console password

  Messages = Daemon

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

  TLS Verify Peer = yes

}

Client {

  Name = ops.jokefire.com

  Address = ops.jokefire.com

  FDPort = 9102

  Catalog = JokefireCatalog

  Password = "secret"          # password for FileDaemon

  File Retention = 14 days            # 14 days

  Job Retention = 14d            # 14 days

  AutoPrune = yes                     # Prune expired Jobs/Files

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

And in my bacula-fd.conf

Director {

  Name = storage.jokefire.com

  Password = "secret"

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

FileDaemon {                          # this is me

  Name = storage.jokefire.com

  FDport = 9102                  # where we listen for the director

  WorkingDirectory = /var/bacula

  Pid Directory = /var/run

  Maximum Concurrent Jobs = 20

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

In bacula-sd.conf:

Storage {                             # definition of myself

  Name = storage.jokefire.com

  SDPort = 9103                  # Director's port

  WorkingDirectory = "/var/spool/bacula"

  Pid Directory = "/var/run"

  Maximum Concurrent Jobs = 20

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

  TLS Verify Peer = yes

}

And finally in bconsole.conf:

Director {

  Name = storage.jokefire.com

  DIRport = 9101

  address = storage.jokefire.com

  Password = "secret"

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

Then I bounced the services so all seems well at this point:

[root@storage:/etc/bacula] #bounce-bacula

Stopping Bacula Storage services:                          [  OK  ]

Starting Bacula Storage services:                          [  OK  ]

Stopping Bacula File services:                             [  OK  ]

Starting Bacula File services:                             [  OK  ]

Stopping Bacula Director services:                         [  OK  ]

Starting Bacula Director services:                         [  OK  ]

(wrote a script to bounce all services because I'm lazy)

But when I go into bconsole I get the following (until I restore from backup)

[root@storage:/etc/bacula] #bconsole

Connecting to Director storage.jokefire.com:9101

26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, ERR=18:self signed certificate

TLS negotiation failed

Director authorization problem.

Most likely the passwords do not agree.

If you are using TLS, there may have been a certificate validation error during the TLS handshake.

Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

I've saved my work with TLS so I'm eager to get this going. I used the following guide to generating the certs, and I'm wondering if the problem could possibly be in the way I generated the certs?

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Thanks for any and all advice!

Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users