I'm adding some new servers to the backup pool now that I'm successfully backing up to S3. Now that space to keep my tapes on is less of an issue, it'll be nice to get some more hosts into the backup pool that were previously neglected.
I added one host to the pool without any issue at all. But I keep getting stuck on the second host I'm trying to add. Bacula keeps complaining about a TLS issue, even though the cert and key appear to be completely kosher.
When I test the second new client with 'st client' this is the response I get from bacula:
Select Client (File daemon) resource (1-4): 4
I've verified that the port is open from the client to the bacula server:
Trying 216.120.248.98...
Escape character is '^]'.
And I've been able to verify that the cert and key on the new client are ok using this tool:
Which does the checking for you and seems reliable.
These are the ownership and permissions on the cert and key on the client host:
[root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*
-r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt
-r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key
And this is the config file I'm using for bacula-fd on the client:
[root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf
Director {
Password = secret
TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
FileDaemon {
# The resource name lines (Name = ...) of the Director and FileDaemon
# resources did not survive in the posted output; everything else is as posted.
WorkingDirectory = /var/bacula
Pid Directory = /var/run
Maximum Concurrent Jobs = 20
TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
TLS Enable = yes
TLS Require = yes
}
Messages {
Name = Standard
director = cloud-dir = all, !skipped, !restored
}
I basically followed these exact steps to create the key, CSR and cert, which were provided to me by Ana on the list ages ago!
Create CA key
1) openssl genrsa -des3 -out ca.key 4096
Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Create director1 key and certificate signing request
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1key.key -out director1.csr
Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt
Don't know if it is necessary, but I converted .crt to .pem
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem
Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key
These steps have always worked for me. Until now!!
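The procedure above, carried through end to end with the checks a second host usually fails on (cert not chaining to the CA file the daemons point at, key and cert not being a pair, key still passphrase-protected, duplicate serials from -set_serial 01). This is an added example, not part of the original post and not the steps Ana provided; it assumes only that openssl is in PATH, and "changeit", the CA subject and the host name logs.jokefire.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Ana's steps. Assumes only
# that openssl is in PATH; "changeit", the CA subject and logs.jokefire.com
# are placeholders to replace.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Steps 1-2: CA key and self-signed CA certificate. The passphrase is supplied
# with -passout/-passin so the script runs unattended; -aes256 stands in for
# the post's -des3.
make_ca() {
  openssl genrsa -aes256 -passout pass:changeit -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -passin pass:changeit \
      -subj "/CN=jokefire backup CA" -out ca.crt
}

# Steps 3-5 and 8 for one host: key, CSR, CA-signed certificate. The key is
# created without a passphrase from the start (the post strips it in step 8)
# because bacula-fd cannot answer a passphrase prompt at start-up.
# -CAcreateserial issues a fresh serial per certificate; the post's
# -set_serial 01 gives every host signed by this CA the same serial.
make_host_cert() {
  host="$1"
  openssl genrsa -out "$host.key" 4096 2>/dev/null
  openssl req -new -key "$host.key" -subj "/CN=$host" -out "$host.csr"
  openssl x509 -req -days 3650 -in "$host.csr" -CA ca.crt -CAkey ca.key \
      -passin pass:changeit -CAcreateserial -out "$host.crt" 2>/dev/null
}

# Check 1: the certificate chains to the CA file the daemons are configured
# with (TLS CA Certificate File).
cert_chains_to_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Check 2: certificate and key carry the same public key, i.e. TLS Certificate
# and TLS Key really are a pair.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# Check 3: the key loads with an empty passphrase, i.e. step 8 was done.
key_is_unencrypted() {
  openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Check 4: the subject the director sees (what TLS Allowed CN would match).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Check 5: serial number; two hosts under one CA should differ.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Run the procedure for one host and report every check.
main() {
  make_ca
  make_host_cert logs.jokefire.com
  for check in "cert_chains_to_ca logs.jokefire.com.crt" \
               "key_matches_cert logs.jokefire.com.crt logs.jokefire.com.key" \
               "key_is_unencrypted logs.jokefire.com.key"; do
    if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
  done
  echo "cn     $(cert_cn logs.jokefire.com.crt)"
  echo "serial $(cert_serial logs.jokefire.com.crt)"
}

main
```

Run it on the real files by pointing the check functions at /etc/pki/tls/certs/logs.jokefire.com.crt, the matching key and /etc/pki/CA/certs/ca.crt; a failure in check 1 or 2 explains a TLS handshake error that the file permissions alone cannot.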