Hi Ana,
Thanks for pointing me to that thread. The guy's problem was very similar to my own, but ultimately no such luck after following the advice there, sad to say.
The part that I keyed onto was where he said this:
Thank you. After a while I figured out how to do this. Furthermore I
had "nsCertType = server" in my caconfig.cnf and commented it. Now I
see...
That was on an Ubuntu machine. I'm on a CentOS 5.9 host and on my setup the file was openssl.cnf. I set the recommended settings there and regenerated the keys.
[root@storage:/etc/bacula] #grep -i nscerttype /etc/openvpn/easy-rsa/1.0/openssl.cnf
# Here are some examples of the usage of nsCertType. If it is omitted
# nsCertType = server
# nsCertType = objsign
# nsCertType = client, email
# nsCertType = client, email, objsign
# JY ADDED -- Make a cert with nsCertType set to "server"
nsCertType = server
# nsCertType = sslCA, emailCA
Here are the certs I've created for this go-around (and unfortunately I feel like I'm spinning in circles):
## CA Cert / Key
-r-------- 1 root root 2216 Nov 29 18:08 /etc/pki/CA/certs/ca.crt
-r-------- 1 root root 3243 Nov 29 18:08 /etc/pki/CA/private/ca.key
## Server Cert /Key
-r-------- 1 root root 1903 Nov 29 18:23 /etc/pki/tls/certs/ops.jokefire.com.crt
-r-------- 1 root root 3243 Nov 29 18:23 /etc/pki/tls/private/ops.jokefire.com.key
The guide that I used to create the keys for this attempt can be found here:
http://social.rocho.org/jan/selfsign.html
Which is a good one. I've used it before.
The Common Name (CN) of the CA and the Server certificates must NOT match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.
So I created the certs with differing hostnames for the CN section in the root CA cert and the server certificate:
Both of which are in the hosts file and pointing to the internal IP of the EC2 instance.
And here was the config for this attempt:
bacula-dir.conf
## Bacula Dir config
Director { # define myself
Name = storage.jokefire.com
DIRport = 9101 # where we listen for UA connections
QueryFile = "/etc/bacula/query.sql"
WorkingDirectory = "/var/spool/bacula"
PidDirectory = "/var/run"
Maximum Concurrent Jobs = 1
Password = "secret" # Console password
Messages = Daemon
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
# Client (File Services) to backup
Client {
Name = ops.jokefire.com
Address = ops.jokefire.com
FDPort = 9102
Catalog = JokefireCatalog
Password = "secret" # password for FileDaemon
File Retention = 14 days # 14 days
Job Retention = 14d # 14 days
AutoPrune = yes # Prune expired Jobs/Files
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
bacula-fd.conf
## Bacula FD config
#
Director {
Name = storage.jokefire.com
Password = "secret"
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
FileDaemon { # this is me
Name = storage.jokefire.com
FDport = 9102 # where we listen for the director
WorkingDirectory = /var/bacula
Pid Directory = /var/run
Maximum Concurrent Jobs = 20
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
bacula-sd.conf
## Bacula SD config
Storage { # definition of myself
Name = storage.jokefire.com
SDPort = 9103 # Director's port
WorkingDirectory = "/var/spool/bacula"
Pid Directory = "/var/run"
Maximum Concurrent Jobs = 20
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
#
# List Directors who are permitted to contact Storage daemon
#
Director {
Name = storage.jokefire.com
Password = "secret"
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
#Monitor = yes
}
bconsole.conf
## Bconsole
Director {
Name = storage.jokefire.com
DIRport = 9101
address = storage.jokefire.com
Password = "secret"
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
And this was the result of that attempt:
[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
Less verbose error than last time! So I feel that I may be getting closer. :)
Nothing turns up in the bacula log for some reason when I attempt. Oh well.
Next I tried commenting out the TLS options on just the FD and SD to see if I could get the DIR and Console to communicate via TLS.
Same EXACT outcome.
[root@storage:/etc/bacula] #bconsole
Connecting to Director storage.jokefire.com:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
You guys have been great in responding and very patient. I hope this problem isn't wearing as thin on your nerves at this point as it is on mine! lol
Thanks again!
Tim
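The configs above hand every daemon the same TLS Certificate, TLS Key and TLS CA Certificate File, and each daemon uses that one file both when it answers connections and when it initiates them (bconsole to the Director, the Director to the FD and SD). OpenSSL rejects a certificate whose nsCertType is limited to "server" when it is presented in the client role (the "unsupported certificate purpose" failure), which is the setting the quoted thread turned on. The script below is an added diagnostic, not part of Tim's message and not a Bacula tool; it assumes only that the openssl command-line tool (1.1.1 or newer) is on PATH. It checks the four things a peer effectively verifies: that the certificate chains to the configured CA file, that the key matches the certificate, that the subject CN is the name peers expect, and that OpenSSL accepts the certificate for both the sslserver and sslclient purposes. The CA name "Example CA" and the host names ops.example.test and storage.example.test are constructed for the demo; the throw-away certificates it generates exist only to exercise the checks.

```shell
#!/bin/sh
# Added diagnostic for the TLS files a Bacula daemon is configured with.
# Assumption: the openssl CLI (1.1.1 or newer) is on PATH. Names and paths
# are illustrative and not taken from the original post.

# check_bacula_tls_files CA_FILE CERT_FILE KEY_FILE EXPECTED_CN
# Prints one line per check; returns 0 only if every check passes.
check_bacula_tls_files() {
    ca="$1"; crt="$2"; key="$3"; want_cn="$4"; rc=0

    # 1. Chain: the certificate must verify against the configured CA file.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   chain: $crt verifies against $ca"
    else
        echo "FAIL chain: $crt does not verify against $ca"; rc=1
    fi

    # 2. Key pair: "TLS Key" must be the private key for "TLS Certificate".
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok   keypair: $key matches $crt"
    else
        echo "FAIL keypair: $key is not the private key for $crt"; rc=1
    fi

    # 3. Name: the subject CN should be the name peers reach this daemon by
    #    (or one listed in TLS Allowed CN) when they verify names.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$want_cn" ]; then
        echo "ok   cn: $cn"
    else
        echo "FAIL cn: certificate says '$cn', peers expect '$want_cn'"; rc=1
    fi

    # 4. Purpose: the same file is used to answer and to initiate connections,
    #    so OpenSSL must accept it for both the sslserver and sslclient purpose
    #    (nsCertType and keyUsage, if present, decide this).
    for purpose in sslserver sslclient; do
        if openssl verify -purpose "$purpose" -CAfile "$ca" "$crt" >/dev/null 2>&1; then
            echo "ok   purpose: $purpose"
        else
            echo "FAIL purpose: $purpose rejected (check nsCertType / keyUsage)"; rc=1
        fi
    done
    return $rc
}

# make_demo_pki DIR: constructed throw-away CA plus two leaf certificates,
# used only to exercise the checks above (not the certificates from the post).
make_demo_pki() {
    dir="$1"
    printf '[req]\ndistinguished_name = dn\n[dn]\nCN = Common Name\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\n' > "$dir/ca.ext"
    # Leaf 1 mirrors the "nsCertType = server" line quoted from openssl.cnf.
    printf 'nsCertType = server\nsubjectAltName = DNS:ops.example.test\n' > "$dir/server-only.ext"
    # Leaf 2 is marked usable in both roles.
    printf 'nsCertType = server, client\nsubjectAltName = DNS:ops.example.test\n' > "$dir/both.ext"

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/ca.key" -subj "/CN=Example CA" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 -set_serial 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    serial=2
    for name in server-only both; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key" 2>/dev/null
        openssl req -new -config "$dir/req.cnf" -key "$dir/$name.key" \
            -subj "/CN=ops.example.test" -out "$dir/$name.csr"
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -days 1 \
            -set_serial "$serial" -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
        serial=$((serial + 1))
    done
}

# Stand-alone demo: build the throw-away PKI and run the checks on both leaves.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "== certificate restricted to nsCertType = server"
check_bacula_tls_files "$demo_dir/ca.crt" "$demo_dir/server-only.crt" "$demo_dir/server-only.key" \
    ops.example.test || echo "-> not usable for both roles"
echo "== certificate with nsCertType = server, client"
check_bacula_tls_files "$demo_dir/ca.crt" "$demo_dir/both.crt" "$demo_dir/both.key" \
    ops.example.test || echo "-> not usable for both roles"
rm -rf "$demo_dir"
```

To apply it to a real setup, call check_bacula_tls_files once per daemon with that daemon's three configured files and the name its peers use for it (the Address in the Director's Client or Storage resource, or the address in bconsole.conf); the purpose check is the one that separates a certificate restricted by nsCertType from one that can serve in both roles.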