Re: [Bacula-users] bacula TLS help
2013-11-29 15:34:51
Hello Ana and Iban,
Nice to meet you too and you're welcome :)
Thanks! :)
You are having a problem in TLS communication between bconsole and the director.
I suggest you remove all the other TLS configuration (client,
storage) and try to resolve this one first. When I tried this
configuration, I remember doing that: TLS between director and bconsole,
TLS between director and client, and so on.
Ok, well I took your advice and commented out the TLS configuration in the client section of bacula-dir, and commented it out entirely in the bacula-sd and bacula-fd configuration files. After bouncing the services again and going into bconsole I get the same error:
[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
29-Nov 15:06 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com, ERR=18:self signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
I don't know if this could be an issue, but your certificate has an OU issuer different from the OU subject:
I'm actually not obscuring the rest of the cert data this time around. So you can see that the apparent disparity to which you refer was actually a mistake on my part in obscuring the data. However I don't see anything too threatening in revealing the info here.
[root@storage:/etc/bacula] #openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text | grep -i subject | grep -i -v -e public
Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=storage.jokefire.com
Looks like it agrees to me! So there shouldn't be a disparity of this nature causing the error I assume.
And in your bacula-sd.conf, also remove or set it to no: "TLS Verify Peer = yes".
I did try a bounce with this change in place, and it made no difference here either. I got the same exact error.
I do not know which is your Bacula version, but in the
bconsole configuration file, I have the address value pointing to
"directors machine name":
I do not know how to check the bacula version other than that of bconsole which is:
Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat
And I don't see any disparity between the director listed in the bacula-dir file and in the bconsole
bacula-dir.conf
Director { # define myself
Name = storage.jokefire.com
bconsole.conf
Director {
Name = storage.jokefire.com
Really, I do not see any other problem.
Interesting to know!
Have you checked the firewall?
Well, on my first attempt I am merely trying to back up only the localhost. I know that there are two different names listed here (storage.jokefire.com and ops.jokefire.com) but these are merely two different DNS names for the same host. So the firewall shouldn't come into play here. Plus the fact that this is an EC2 host and I manage the firewall with AWS Security Groups and leave IPTables turned off.
But I wonder if that could also be another problem? Though I don't see it being part of the problem I'm having with getting bacula to agree with its own TLS configuration.
I really hope that the problem we're having here isn't centered around my using self-signed certs. I'd hate to shell out for a commercial one, especially as I consider the commercial cert business to be sort of a scam.
Thanks! Tim
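
Added example (not part of the original message or of Bacula): a way to reproduce the ERR=18 condition from the bconsole output with the openssl command line alone. It builds a throwaway self-signed certificate with the same subject as in the post and verifies it twice, first without naming a trust anchor and then with the certificate itself passed as the CA file, which is the role Bacula's "TLS CA Certificate File" directive plays for the verifying side. The temporary directory, file names and function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway key and certificate in a temp dir, nothing
# under /etc/bacula or /etc/pki is read or written.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_selfsigned() {
    # Self-signed cert whose subject mirrors the one shown in the post.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com" \
        -keyout "$workdir/demo.key" -out "$workdir/demo.crt" >/dev/null 2>&1
}

verify_result() {
    # $1 = certificate to check, $2 = optional trust anchor (CA file).
    # Prints "OK", or "ERR=<code> depth=<n>" taken from openssl's message.
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*)
            echo "OK" ;;
        *)
            printf '%s\n' "$out" |
                sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/ERR=\1 depth=\2/p' |
                head -n 1 ;;
    esac
}

make_selfsigned || { echo "openssl req failed" >&2; exit 1; }

# Issuer and subject are identical on a self-signed certificate.
openssl x509 -in "$workdir/demo.crt" -noout -issuer -subject

# Verifier has no trust anchor for this cert: same error code as in the log.
echo "no trust anchor named : $(verify_result "$workdir/demo.crt")"

# Verifier is told to trust the cert itself: verification succeeds.
echo "cert given as CA file : $(verify_result "$workdir/demo.crt" "$workdir/demo.crt")"
```

Error 18 is OpenSSL's code for a depth-0 self-signed certificate that is not among the verifier's trusted certificates, so the check to make on a real host is which file the verifying side has been told to use as its CA file.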