Re: [Bacula-users] bacula TLS help
2013-11-29 13:22:32
Hello Ana,
Nice to meet you and thank you for your input as well. Well, I tried your suggestion and unfortunately I haven't had any more luck than with Iban's.
Here, for reference, are my TLS configs again.
bacula-dir.conf
Director { # define myself
  Name = storage.jokefire.com
  DIRport = 9101 # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/spool/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret" # Console password
  Messages = Daemon
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
}
# Client (File Services) to backup
Client {
  Name = ops.jokefire.com
  Address = ops.jokefire.com
  FDPort = 9102
  Catalog = JokefireCatalog
  Password = "secret" # password for FileDaemon
  File Retention = 14 days # 14 days
  Job Retention = 14d # 14 days
  AutoPrune = yes # Prune expired Jobs/Files
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
(testing with just one client until I get this sorted out)
Director {
  Name = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
FileDaemon { # this is me
  Name = storage.jokefire.com
  FDport = 9102 # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
bacula-sd.conf
Storage { # definition of myself
  Name = storage.jokefire.com
  SDPort = 9103 # Director's port
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
}
bconsole.conf
Director {
  Name = storage.jokefire.com
  DIRport = 9101
  address = storage.jokefire.com
  Password = "secret"
  TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
  TLS Enable = yes
  TLS Require = yes
}
And the permissions on the cert files appear to be correct:
-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
And the services bounce without any complaint:
[root@storage:~] #bounce-bacula
Stopping Bacula Storage services: [ OK ]
Starting Bacula Storage services: [ OK ]
Stopping Bacula File services: [ OK ]
Starting Bacula File services: [ OK ]
Stopping Bacula Director services: [ OK ]
Starting Bacula Director services: [ OK ]
Yet the same error as before is produced:
[root@storage:~] #bconsole
Connecting to Director storage.jokefire.com:9101
29-Nov 13:08 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XXX/CN=storage.jokefire.com, subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
And I see that the subject line from the cert agrees with the error that I'm seeing in Bacula.
#openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
Looking forward to coming to some sort of resolution with this, it's been days and days that I've been working on it. And I certainly appreciate everyone's help and input.
Best,
Tim
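
Added example (not part of the original post): ERR=18 in the log above is OpenSSL's "self signed certificate" verification error, raised when the certificate at depth 0 names itself as issuer and is not in the trusted CA file. The script below builds a constructed CA plus a self-signed and a CA-signed host certificate (all names and paths are made up) and classifies each against the CA file; the same classify_cert check can be pointed at the files named in TLS Certificate and TLS CA Certificate File.

```shell
#!/bin/sh
# Added example; the CA, certificates and names here are constructed.

# classify_cert CAFILE CERT: prints chains-to-ca, self-signed or untrusted.
classify_cert() {
    ca=$1; cert=$2
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo chains-to-ca      # chain verifies up to the given CA file
    elif [ "$issuer" = "$subject" ]; then
        echo self-signed       # issuer == subject: the ERR=18 case at depth 0
    else
        echo untrusted         # does not verify (other issuer, expired, ...)
    fi
}

# make_demo_pki DIR: writes a constructed CA and two host certs into DIR.
make_demo_pki() {
    d=$1
    # Constructed root CA (stands in for the TLS CA Certificate File).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Bacula CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Host certificate signed with its own key: issuer equals subject.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=host.example.test" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
    # Host certificate requested, then signed by the constructed CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.crt" 2>/dev/null
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp"
    echo "self.crt: $(classify_cert "$tmp/ca.pem" "$tmp/self.crt")"
    echo "host.crt: $(classify_cert "$tmp/ca.pem" "$tmp/host.crt")"
    rm -rf "$tmp"
}

run_demo
```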