On 23 Aug 2007 at 6:06, Nikolaj Karpov wrote:

> Dan Langille wrote:
> >
> > On 23 Aug 2007 at 0:30, Nikolaj Karpov wrote:
> >
> >>
> >> Hi everyone!
> >>
> >> Running bacula 1.38.11 and experiencing problems with ssl connection. All
> >> certs are issued by Self-Signed CA.
> >>
> >> Here's configs:
> >>
> >> bacula-dir:
> >>
> >> Storage {
> >>   Name = File
> >>   Address = backup.test.com   # N.B. Use a fully qualified name here
> >>   SDPort = 9103
> >>   Password = "123"
> >>   Device = FileStorage
> >>   Media Type = File
> >>   TLS Enable = yes
> >>   TLS Require = yes
> >>   TLS CA Certificate File = /opt/bacula/etc/ca.pem
> >>   # This is a client certificate, used by the director to
> >>   # connect to the storage daemon
> >>   TLS Certificate = /opt/bacula/etc/crt.pem
> >>   TLS Key = /opt/bacula/etc/key.pem
> >> }
> >>
> >> bacula-sd:
> >>
> >> Storage {                       # definition of myself
> >>   Name = backup.test.com
> >>   SDPort = 9103                 # Director's port
> >>   WorkingDirectory = "/opt/bacula/var/bacula/working"
> >>   Pid Directory = "/var/run"
> >>   Maximum Concurrent Jobs = 20
> >>   TLS Enable = yes
> >>   TLS Require = yes
> >>   # Peer certificate is not required/requested -- peer validity
> >>   # is verified by the storage connection cookie provided to the
> >>   # File Daemon by the director.
> >>   TLS Verify Peer = no
> >>   TLS CA Certificate File = /opt/bacula/etc/ca.pem
> >>   # This is a server certificate. It is used by connecting
> >>   # file daemons to verify the authenticity of this storage daemon
> >>   TLS Certificate = /opt/bacula/etc/crt.pem
> >>   TLS Key = /opt/bacula/etc/key.pem
> >> }
> >>
> >> Director {
> >>   Name = backup-dir
> >>   Password = "123"
> >>   TLS Enable = yes
> >>   TLS Require = yes
> >>   # Require the connecting director to provide a certificate
> >>   # with the matching CN.
> >>   TLS Verify Peer = no
> >>   #TLS Allowed CN = "[EMAIL PROTECTED]"
> >>   TLS CA Certificate File = /opt/bacula/etc/ca.pem
> >>   # This is a server certificate. It is used by the connecting
> >>   # director to verify the authenticity of this storage daemon
> >>   TLS Certificate = /opt/bacula/etc/crt.pem
> >>   TLS Key = /opt/bacula/etc/key.pem
> >> }
> >>
> >>
> >> bacula-fd:
> >>
> >> Director {
> >>   Name = backup-dir
> >>   Password = "123"
> >>   TLS Enable = yes
> >>   TLS Require = yes
> >>   TLS Verify Peer = no
> >>   # Allow only the Director to connect
> >>   #TLS Allowed CN = "[EMAIL PROTECTED]"
> >>   TLS CA Certificate File = /opt/bacula/etc/ca.pem
> >>   # This is a server certificate. It is used by connecting
> >>   # directors to verify the authenticity of this file daemon
> >>   TLS Certificate = /opt/bacula/etc/crt.pem
> >>   TLS Key = /opt/bacula/etc/key.pem
> >> }
> >>
> >>
> >> And here's output:
> >>
> >> 22-Aug 14:29 backup-dir: Start Backup JobId 30,
> >> Job=nikolaj.2007-08-22_14.29.17
> >> 22-Aug 14:29 nikolaj-fd: DIR and FD clocks differ by 24 seconds, FD
> >> automatically adjusting.
> >
> > nikolaj-fd? I see no mention of nikolaj-fd in the above
> > configuration.

If you answer inline, instead of only at the top, it makes it easier for your helpers to follow what is happening. :) Also, be sure to read the entire reply. You missed a couple of questions, see below.

>
> Thanks for the answer.
>
> I've forgotten to include client part of bacula-dir.
>
> Client {
>   Name = nikolaj-fd
>   Address = nikolaj.test.com
>   FDPort = 9102
>   Catalog = MyCatalog
>   Maximum Concurrent Jobs = 10
>   Password = "123"
>   File Retention = 300d
>   Job Retention = 180d
>   AutoPrune = yes
>   TLS Enable = yes
>   TLS Require = yes
>   TLS CA Certificate File = /opt/bacula/etc/ca.pem
> }
>
> >
> >> 22-Aug 14:29 nikolaj-fd: nikolaj.2007-08-22_14.29.17 Fatal error:
> >> Authorization problem: Remote server requires TLS.
> >> 22-Aug 14:29 nikolaj-fd: nikolaj.2007-08-22_14.29.17 Fatal error: Failed
> >> to
> >> authenticate Storage daemon.
> >> 22-Aug 14:29 backup-dir: nikolaj.2007-08-22_14.29.17 Fatal error: Socket
> >> error on Storage command: ERR=No data available
> >> 22-Aug 14:29 backup.test.com: nikolaj.2007-08-22_14.29.17 Fatal error:
> >> Authorization problem: Remote server did not advertise required TLS
> >> support.
> >> 22-Aug 14:29 backup.test.com: nikolaj.2007-08-22_14.29.17 Fatal error:
> >> Incorrect authorization key from File daemon at client rejected.
> >> Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors
> >> for
> >> help.
> >> 22-Aug 14:29 backup.test.com: nikolaj.2007-08-22_14.29.17 Fatal error:
> >> Unable to authenticate File daemon
> >> 22-Aug 14:29 backup-dir: nikolaj.2007-08-22_14.29.17 Error: Bacula
> >> 1.38.11
> >> (28Jun06): 22-Aug-2007 14:29:21
> >
> > From bconsole, does status client work? Does status storage?

These two questions are pretty important. I didn't notice an answer.

> >
> > http://www.freebsddiary.org/bacula-tls.php might help.

If you compare the above configuration with yours, you might find something obvious.

--
Dan Langille - http://www.langille.org/
Available for hire: http://www.freebsddiary.org/dan_langille.php
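
Added example, not part of the original message and not Bacula's own code: a small Python parser that rejoins the mail-wrapped job log quoted above and reports, per daemon, which TLS complaint it logged and which peer it failed to authenticate. The sample log is a constructed copy of the quoted lines, and the readings attached to the two TLS messages are assumptions taken from their wording.

```python
import re

# Constructed sample: log lines from the quoted post, mail wrapping kept.
SAMPLE_LOG = """\
22-Aug 14:29 backup-dir: Start Backup JobId 30,
Job=nikolaj.2007-08-22_14.29.17
22-Aug 14:29 nikolaj-fd: nikolaj.2007-08-22_14.29.17 Fatal error:
Authorization problem: Remote server requires TLS.
22-Aug 14:29 nikolaj-fd: nikolaj.2007-08-22_14.29.17 Fatal error: Failed
to
authenticate Storage daemon.
22-Aug 14:29 backup.test.com: nikolaj.2007-08-22_14.29.17 Fatal error:
Authorization problem: Remote server did not advertise required TLS
support.
22-Aug 14:29 backup.test.com: nikolaj.2007-08-22_14.29.17 Fatal error:
Unable to authenticate File daemon
"""

RECORD = re.compile(r"^\d{2}-\w{3} \d{2}:\d{2} (\S+): (.*)$")
PEER = re.compile(r"(?:Failed|Unable) to authenticate (\w+ daemon)")
# Assumption: readings taken from the wording of the two messages in the post.
TLS_READING = {
    "Remote server requires TLS": "peer requires TLS, not offered here",
    "did not advertise required TLS support": "TLS required here, peer did not offer it",
}

def join_wrapped(log):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def tls_findings(log):
    """Map each daemon that logged a TLS complaint to its reading and peer."""
    findings = {}
    for record in join_wrapped(log):
        if not (m := RECORD.match(record)):
            continue
        entry = findings.setdefault(m[1], {"tls": None, "peer": None})
        for fragment, reading in TLS_READING.items():
            if fragment in m[2]:
                entry["tls"] = reading
        if (p := PEER.search(m[2])):
            entry["peer"] = p[1]
    return {d: e for d, e in findings.items() if e["tls"]}
```

For the sample, `tls_findings(SAMPLE_LOG)` pairs nikolaj-fd with the Storage daemon and backup.test.com with the File daemon, so both complaints describe the same connection between those two daemons.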