Re: [Bacula-users] bacula TLS help
2013-12-12 20:47:06
Hello again Ana and All,
I've one last hurdle to cross before getting this to work entirely for the remote clients. Again, the localhost is backing up and restoring successfully.
Though I can bounce all Bacula services on both the server and the remote client, and enter the Bacula console (bconsole), when I do a st client this is what I see:
[root@ops:~/bacula-certs] #bconsole
Connecting to Director ops.jokefire.com:9101
1000 OK: ops.jokefire.com Version: 5.2.13 (19 February 2013)
Enter a period to cancel a command.
*st client
The defined Client resources are:
1: ops.jokefire.com
2: beta.jokefire.com
Select Client (File daemon) resource (1-2): 2
Connecting to Client beta.jokefire.com at beta.jokefire.com:9102
Failed to connect to Client beta.jokefire.com.
====
You have messages.
*
Doing a status client (st client) on the localhost (the ops host) works fine:
*st client
The defined Client resources are:
1: ops.jokefire.com
2: beta.jokefire.com
Select Client (File daemon) resource (1-2): 1
Connecting to Client ops.jokefire.com at ops.jokefire.com:9102
ops.jokefire.com Version: 5.2.13 (19 February 2013) x86_64-unknown-linux-gnu redhat
Daemon started 12-Dec-13 20:03. Jobs: run=0 running=0.
Heap: heap=262,144 smbytes=26,654 max_bytes=26,801 bufs=72 max_bufs=73
Sizeof: boffset_t=8 size_t=8 debug=0 trace=0
Running Jobs:
Director connected at: 12-Dec-13 20:11
No Jobs running.
====
Terminated Jobs:
JobId Level Files Bytes Status Finished Name
======================================================================
11 Incr 1,127 728.2 M OK 05-Dec-13 03:08 ops.jokefire.com
15 Full 1 215.5 M OK 05-Dec-13 03:47 Jokefire_BackupCatalog
19 12 1.497 K OK 06-Dec-13 21:55 RestoreFiles
5 Full 307,963 7.177 G OK 07-Dec-13 16:13 ops.jokefire.com
6 1 504 OK 07-Dec-13 16:36 RestoreFiles
7 Incr 245 522.9 M OK 07-Dec-13 19:31 ops.jokefire.com
8 Diff 248 533.3 M OK 08-Dec-13 03:15 ops.jokefire.com
9 Full 1 41.72 M OK 08-Dec-13 03:16 Jokefire_BackupCatalog
10 Incr 2,095 808.4 M OK 12-Dec-13 03:21 ops.jokefire.com
12 Full 1 41.98 M OK 12-Dec-13 03:24 Jokefire_BackupCatalog
====
If I take a look at the bacula logs I see this error message:
12-Dec 20:10 ops.jokefire.com JobId 0: Fatal error: bnet.c:343 TLS host certificate verification failed. Host name "beta.jokefire.com" did not match presented certificate
12-Dec 20:10 ops.jokefire.com JobId 0: Fatal error: TLS negotiation failed with FD at "beta.jokefire.com:9102".
What I've done is create the key, csr and certs on the beta host (the remote host I want to back up), and scp'd them over to the ops host (the Bacula server).
On the bacula server (ops) I have the following certs:
-r-------- 1 bacula bacula 2212 Dec 5 21:20 /etc/pki/CA/certs/ca.crt
-r-------- 1 bacula bacula 1281 Dec 12 20:00 /etc/pki/tls/certs/beta.jokefire.com.pem
-r-------- 1 bacula bacula 1899 Dec 5 21:20 /etc/pki/tls/certs/ops.jokefire.com.crt
-r-------- 1 bacula bacula 497 Dec 12 20:01 /etc/pki/tls/private/beta.jokefire.com.key
-r-------- 1 bacula bacula 3243 Dec 5 21:20 /etc/pki/tls/private/ops.jokefire.com.key
In my bacula-dir I have the following:
Director { # define myself
Name = ops.jokefire.com
DIRport = 9101 # where we listen for UA connections
QueryFile = "/etc/bacula/query.sql"
WorkingDirectory = "/var/spool/bacula"
PidDirectory = "/var/run"
Maximum Concurrent Jobs = 1
Password = "secret" # Console password
Messages = Daemon
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
# Define the main nightly save backup job
# By default, this job will back up to disk in /tmp
Job {
Name = "ops.jokefire.com"
Type = Backup
Client = ops.jokefire.com
FileSet = "Full Set"
Schedule = "WeeklyCycle"
Storage = File
Messages = Standard
Pool = "Default"
Write Bootstrap = "/var/spool/bacula/%c.bsr"
}
Job {
Name = "beta.jokefire.com"
Type = Backup
Client = beta.jokefire.com
FileSet = "Full Set"
Schedule = "WeeklyCycle"
Storage = File
Messages = Standard
Pool = "Default"
Write Bootstrap = "/var/spool/bacula/%c.bsr"
}
# Client (File Services) to backup
Client {
Name = ops.jokefire.com
Address = ops.jokefire.com
FDPort = 9102
Catalog = JokefireCatalog
Password = "secret" # password for FileDaemon
File Retention = 14 days # 14 days
Job Retention = 14d # 14 days
AutoPrune = yes # Prune expired Jobs/Files
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
# Client (File Services) to backup
Client {
Name = beta.jokefire.com
Address = beta.jokefire.com
FDPort = 9102
Catalog = JokefireCatalog
Password = "secret" # password for
File Retention = 14 days # 14 days
Job Retention = 14d # 14 days
AutoPrune = yes # Prune expired Jobs/Files
TLS Certificate = /etc/pki/tls/certs/beta.jokefire.com.pem
TLS Key = /etc/pki/tls/private/beta.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
On the remote client I have the following certs:
-r-------- 1 bacula bacula 2.2K Dec 12 01:10 /etc/pki/CA/certs/ca.crt
-r-------- 1 bacula bacula 1.3K Dec 12 19:22 /etc/pki/tls/certs/beta.jokefire.com.pem
-r-------- 1 bacula bacula 1.9K Dec 9 00:24 /etc/pki/tls/certs/ops.jokefire.com.crt
-r-------- 1 bacula bacula 497 Dec 12 19:23 /etc/pki/tls/private/beta.jokefire.com.key
-r-------- 1 bacula bacula 3.2K Dec 9 00:24 /etc/pki/tls/private/ops.jokefire.com.key
And this is my bacula-fd configuration:
#
# Default Bacula File Daemon Configuration file
#
# For Bacula release 5.2.13 (19 February 2013) -- redhat
#
# There is not much to change here except perhaps the
# File daemon Name to
#
#
# List Directors who are permitted to contact this File daemon
#
Director {
Name = ops.jokefire.com
Password = "secret"
TLS Certificate = /etc/pki/tls/certs/ops.jokefire.com.crt
TLS Key = /etc/pki/tls/private/ops.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
#
# Restricted Director, used by tray-monitor to get the
# status of the file daemon
#
Director {
Name = cloud-mon
Password = "MZ3vcYtoKOHbd7S9VJM8zxqtkwtsp72w83PlI2CQR1Me"
Monitor = yes
}
#
# "Global" File daemon configuration specifications
#
FileDaemon { # this is me
Name = beta.jokefire.com
FDport = 9102 # where we listen for the director
WorkingDirectory = /var/bacula
Pid Directory = /var/run
Maximum Concurrent Jobs = 20
TLS Certificate = /etc/pki/tls/certs/beta.jokefire.com.pem
TLS Key = /etc/pki/tls/private/beta.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
# Send all messages except skipped files back to Director
Messages {
Name = Standard
director = cloud-dir = all, !skipped, !restored
}
I think we're in the home stretch here, and at the final obstacle. Any and all advice would be most welcome here.
Thanks
Tim
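Added example, not part of the original post: a shell check for the "Host name ... did not match presented certificate" error quoted above, run on the File Daemon host. It assumes, as in the Bacula manual's TLS example, that the certificate the File Daemon presents to a connecting Director is the TLS Certificate of the matching Director resource in bacula-fd.conf. It uses OpenSSL's own host-name check, which may differ in detail from Bacula's. The function names, the example.test hosts and the generated certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an openssl binary with
# "x509 -checkhost" (OpenSSL 1.0.2 or later). Keyword matching is simplified:
# exact case, one directive per line.

# Print the TLS Certificate path of the Director resource named $2 in the
# bacula-fd.conf at $1.
fd_server_cert() {
    awk -v want="$2" '
        function val(s) {
            sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]*(#.*)?$/, "", s)
            gsub(/"/, "", s); return s
        }
        /^[ \t]*Director[ \t]*[{]/                     { in_dir = 1; name = cert = ""; next }
        in_dir && /^[ \t]*Name[ \t]*=/                 { name = val($0) }
        in_dir && /^[ \t]*TLS[ \t]+Certificate[ \t]*=/ { cert = val($0) }
        in_dir && /^[ \t]*[}]/ { if (name == want) print cert; in_dir = 0 }
    ' "$1"
}

# Succeed only if OpenSSL accepts host name $2 for the certificate file $1.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Check that the cert the FD at $1 presents to Director $2 names FD host $3.
check_fd_identity() {
    fd_cert=$(fd_server_cert "$1" "$2")
    [ -r "$fd_cert" ] || { echo "no readable TLS Certificate for Director $2"; return 2; }
    cert_matches_host "$fd_cert" "$3" && { echo "OK: $fd_cert names $3"; return 0; }
    echo "MISMATCH: $fd_cert does not name $3:"
    openssl x509 -in "$fd_cert" -noout -subject
    return 1
}

# Constructed demo data: throwaway self-signed certs and two minimal configs.
demo=$(mktemp -d)
for cn in fd.example.test dir.example.test; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$demo/$cn.key" -out "$demo/$cn.pem" 2>/dev/null
    printf 'Director {\n  Name = dir.example.test\n  TLS CA Certificate File = %s/ca.crt\n  TLS Certificate = %s/%s.pem   # server cert\n}\n' \
        "$demo" "$demo" "$cn" > "$demo/fd-with-$cn.conf"
done
check_fd_identity "$demo/fd-with-fd.example.test.conf" dir.example.test fd.example.test
check_fd_identity "$demo/fd-with-dir.example.test.conf" dir.example.test fd.example.test || true
```

On a real host the call takes the path to bacula-fd.conf, the Director's Name, and the Address value from the Director's Client resource.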