Hi Tim! Hi Iban!

Maybe the problem is in using "TLS Verify Peer = yes" with self-signed certificates. I found in http://www.bacula.org/manuals/en/concepts/concepts/Bacula_TLS_Communication.html:

TLS Verify Peer = <yes|no>

Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used, in which case the client certificate must correspond to the Allowed Common Name specified. This directive is valid only for a server and not in a client context.

bacula-sd.conf

Storage {                             # definition of myself

...

# Peer certificate is not required/requested -- peer validity
     # is verified by the storage connection cookie provided to the
     # File Daemon by the director.
     TLS Verify Peer = no

...

}

A time ago I configured a test environment with TLS and I remember using "TLS Verify Peer = no" because of the self-signed certificates.

I think you can use "TLS Verify Peer = yes"  combined with:

TLS Allowed CN = <string list>

Common name attribute of allowed peer certificates. If this directive is specified, all server certificates will be verified against this list. This can be used to ensure that only the CA-approved Director may connect. This directive may be specified more than once.

Best regards,

Ana

On Thu, Nov 28, 2013 at 4:07 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:

Hi Iban,

HI Tim,

  I was pretty sure that the trouble was on the CN, could you tray to create the cert without the email value??  /emailAddress=bluethundr AT gmail DOT com, only CN=storage.jokefire.com.

 Have you check too that these files:

  /etc/pki/tls/certs/storage.

jokefire.com.crt

  /etc/pki/tls/private/storage.jokefire.com.key

belongs to bacula user ?

regards, I

I was able to recreate the cert without the email address and ensure that the files were owned by the bacula user:

[root@storage:~/bacula-certs-new] #ls -l /etc/pki/tls/certs/storage.jokefire.com.crt /etc/pki/tls/private/storage.jokefire.com.key /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
You have mail in /var/spool/mail/root

And this is what the Subject line of the key file looks like now:

openssl x509 -in /etc/pki/tls/certs/storage.j
okefire.com.crt -noout -text

Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokef
ire.com

Once again all services bounce cleanly.

However when I go into bconsole this is what I find:

[root@storage:~/bacula-certs-new] #bconsole
Connecting to Director storage.jokefire.com:9101
28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

Passwords have not been changed from the working configs, which have been in place and working for several months now.

Any further thoughts?

Many thanks and I hope you are enjoying your holiday!

Tim

On Thu, Nov 28, 2013 at 6:35 AM, Iban Cabrillo <cabrillo AT ifca.unican DOT es> wrote:

HI Tim,

  I was pretty sure that the trouble was on the CN, could you tray to create the cert without the email value??  /emailAddress=bluethundr AT gmail DOT com, only CN=storage.jokefire.com.

 Have you check too that these files:

  /etc/pki/tls/certs/storage.jokefire.com.crt

  /etc/pki/tls/private/storage.jokefire.com.key

belongs to bacula user ?

regards, I

2013/11/28 Tim Dunphy <bluethundr AT gmail DOT com>

Hello Iban! And thank you for your reply.

 

 I have a similar configuration. I think that the problem is in the CN:
CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com
 

please could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org

  TLS Enable = yes
  TLS Require = yes

  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key

This is my director configuration from bacula-dir.conf

Director {                            # define myself
  Name = storage.jokefire.com
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"         # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}

I hope I got you right in that this was what you needed to know.

 

Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org

openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text

  Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com

[root@storage:~] #hostname -f
storage.jokefire.com

The CN must be the sme that DirAddress (I did not use email address for cert sign)

It appears as if the DirAddress and the common name do agree. Might there be something else I could have missed?

Thanks

Tim

On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cabrillo AT ifca.unican DOT es> wrote:

Hi Tim,

 I have a similar configuration. I think that the proble is in the CN:
CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com
 

please could you show the value for   DirAddress = bacula.example.org

in my case:

  DirAddress = bacula.example.org

  TLS Enable = yes
  TLS Require = yes

  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
  TLS Certificate = /etc/bacula/certs/cert/bacula.crt
  TLS Key = /etc/bacula/certs/key/bacula.key

Looking at the cert:

openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text

Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org

The CN must be the sme that DirAddress (I did not use email address for cert sign)

Regards, I

2013/11/27 Tim Dunphy <bluethundr AT gmail DOT com>

Hello all,

 I'm trying to add TLS encryption to my bacula setup. 

 

 I've been following this guide which got me almost all of the way there:

 http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/

I modified the following sections in my bacula-dir.conf file:

Director {                            # define myself

  Name = storage.jokefire.com

  DIRport = 9101                # where we listen for UA connections

  QueryFile = "/etc/bacula/query.sql"

  WorkingDirectory = "/var/spool/bacula"

  PidDirectory = "/var/run"

  Maximum Concurrent Jobs = 1

  Password = "secret"         # Console password

  Messages = Daemon

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

  TLS Verify Peer = yes

}

Client {

  Name = ops.jokefire.com

  Address = ops.jokefire.com

  FDPort = 9102

  Catalog = JokefireCatalog

  Password = "secret"          # password for FileDaemon

  File Retention = 14 days            # 14 days

  Job Retention = 14d            # 14 days

  AutoPrune = yes                     # Prune expired Jobs/Files

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

And in my bacula-fd.conf

Director {

  Name = storage.jokefire.com

  Password = "secret"

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

FileDaemon {                          # this is me

  Name = storage.jokefire.com

  FDport = 9102                  # where we listen for the director

  WorkingDirectory = /var/bacula

  Pid Directory = /var/run

  Maximum Concurrent Jobs = 20

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

In bacula-sd.conf:

Storage {                             # definition of myself

  Name = storage.jokefire.com

  SDPort = 9103                  # Director's port

  WorkingDirectory = "/var/spool/bacula"

  Pid Directory = "/var/run"

  Maximum Concurrent Jobs = 20

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

  TLS Verify Peer = yes

}

And finally in bconsole.conf:

Director {

  Name = storage.jokefire.com

  DIRport = 9101

  address = storage.jokefire.com

  Password = "secret"

  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem

  TLS Enable = yes

  TLS Require = yes

}

Then I bounced the services so all seems well at this point:

[root@storage:/etc/bacula] #bounce-bacula

Stopping Bacula Storage services:                          [  OK  ]

Starting Bacula Storage services:                          [  OK  ]

Stopping Bacula File services:                             [  OK  ]

Starting Bacula File services:                             [  OK  ]

Stopping Bacula Director services:                         [  OK  ]

Starting Bacula Director services:                         [  OK  ]

(wrote a script to bounce all services because I'm lazy)

But when I go into bconsole I get the following (until I restore from backup)

[root@storage:/etc/bacula] #bconsole

Connecting to Director storage.jokefire.com:9101

26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethundr AT gmail DOT com, ERR=18:self signed certificate

TLS negotiation failed

Director authorization problem.

Most likely the passwords do not agree.

If you are using TLS, there may have been a certificate validation error during the TLS handshake.

Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.

I've saved my work with TLS so I'm eager to get this going. I used the following guide to generating the certs, and I'm wondering if the problem could possibly be in the way I generated the certs?

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Thanks for any and all advice!

Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users

--
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
"El problema con el mundo es que los estúpidos están seguros de todo y los inteligentes están llenos de dudas"

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
"El problema con el mundo es que los estúpidos están seguros de todo y los inteligentes están llenos de dudas"

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users