Hey all,

 I'm adding some new servers to the backup pool now that I'm successfully backing up to S3. Now that space to keep my tapes on is less of an issue, it'll be nice to get some more hosts into the backup pool that were previously neglected. 

I added one host to the pool without any issue at all. But I keep getting stuck on the second host I'm trying to add. Bacula keeps complaining about a TLS issue, even tho the cert and key appears to be completely kosher. 

When I test the second new client with 'st client' this is the response I get from bacula:

Select Client (File daemon) resource (1-4): 4

Connecting to Client logs.jokefire.com at logs.jokefire.com:9102

Failed to connect to Client logs.jokefire.com.

I've verified that the port is open from the client to the bacula server:

[root@ops:~] #telnet logs.jokefire.com 9102

Trying 216.120.248.98...

Connected to logs.jokefire.com.

Escape character is '^]'.

And I've been able to verify that the cert and key on the new client are ok using this tool:

https://www.sslshopper.com/certificate-key-matcher.html

Which does the checking for you and seems reliable. 

These are the ownership and permissions on the cert and key on the client host:

[root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*

-r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt

-r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key

And this is the config file I'm using for bacula-fd on the client:

[root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf

Director {

  Name = ops.jokefire.com

  Password = secret

  TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/logs.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt

  TLS Enable = yes

  TLS Require = yes

}

  Name = logs.jokefire.com

  WorkingDirectory = /var/bacula

  Pid Directory = /var/run

  Maximum Concurrent Jobs = 20

  TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt

  TLS Key = /etc/pki/tls/private/logs.jokefire.com.key

  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt

  TLS Enable = yes

  TLS Require = yes

}

Messages {

  Name = Standard

  director = cloud-dir = all, !skipped, !restored

}

I basically followed these exact steps to create the key, csr and cert that were provided to my by Ana on the list some ages ago!

 Create CA key

1) openssl genrsa -des3 -out ca.key 4096

Create CA cert

2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create director1 key and certificate signing request

3) openssl genrsa -des3 -out director1key.key 4096

4) openssl req -new -key director1.key -out director1.csr

Sign the director1 certificate

5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt

Don´t know if it is necessary, but converted .crt to .pem

6) openssl x509 -in director1.crt -out director1.pem

7) openssl x509 -in ca.crt -out ca.pem

Really important! Remove the password from the director1 private key

8) openssl rsa -in director1key.key -out director1.key

These steps have always worked for me. Until now!!

To make matters even more confusing is that I have a really nice bacula puppet module that I created myself which does a nice job of getting bacula clients to work with a bacula server. It's never failed me. Until now!

I'm wondering if there's something I missed that could get this working correctly.

Thanks!

Tim

--

GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

------------------------------------------------------------------------------

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users