Hi Iban,
> HI Tim,
> I was pretty sure that the trouble was on the CN, could you try to
> create the cert without the email value??
> /emailAddress=bluethu...@gmail.com,
> only CN=storage.jokefire.com.
>
> Have you checked too that these files:
>
> /etc/pki/tls/certs/storage.jokefire.com.crt
> /etc/pki/tls/private/storage.jokefire.com.key
>
> belong to the bacula user ?
>
> regards, I
>
I was able to recreate the cert without the email address and ensure that
the files were owned by the bacula user:
[root@storage:~/bacula-certs-new] #ls -l /etc/pki/tls/certs/storage.jokefire.com.crt /etc/pki/tls/private/storage.jokefire.com.key /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1521 Nov 28 13:53 /etc/pki/CA/certs/rootBaculaCA.pem
-rw-r--r-- 1 bacula bacula 1224 Nov 28 13:54 /etc/pki/tls/certs/storage.jokefire.com.crt
-rw-r--r-- 1 bacula bacula 1675 Nov 28 13:54 /etc/pki/tls/private/storage.jokefire.com.key
You have mail in /var/spool/mail/root
And this is what the Subject line of the key file looks like now:
openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
Subject: C=US, ST=XX, L=XX, O=XX, OU=XX, CN=storage.jokefire.com
Once again all services bounce cleanly.
However when I go into bconsole this is what I find:
[root@storage:~/bacula-certs-new] #bconsole
Connecting to Director storage.jokefire.com:9101
28-Nov 14:04 bconsole JobId 0: Error: tls.c:92 Error with certificate at
depth: 0, issuer = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com,
subject = /C=US/ST=XX/L=XX/O=XX/OU=XX/CN=storage.jokefire.com, ERR=18:self
signed certificate
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error
during the TLS handshake.
Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for
help.
Passwords have not been changed from the working configs, which have been
in place and working for several months now.
Any further thoughts?
Many thanks and I hope you are enjoying your holiday!
Tim
On Thu, Nov 28, 2013 at 6:35 AM, Iban Cabrillo <cabri...@ifca.unican.es> wrote:
> HI Tim,
> I was pretty sure that the trouble was on the CN, could you try to
> create the cert without the email value??
> /emailAddress=bluethu...@gmail.com,
> only CN=storage.jokefire.com.
>
> Have you checked too that these files:
>
> /etc/pki/tls/certs/storage.jokefire.com.crt
> /etc/pki/tls/private/storage.jokefire.com.key
>
> belong to the bacula user ?
>
> regards, I
>
>
> 2013/11/28 Tim Dunphy <bluethu...@gmail.com>
>
>> Hello Iban! And thank you for your reply.
>>
>>
>>
>>> I have a similar configuration. I think that the problem is in the CN:
>>> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>>>
>>>
>>> please could you show the value for DirAddress = bacula.example.org
>>>
>>> in my case:
>>>
>>> DirAddress = bacula.example.org
>>>
>>> TLS Enable = yes
>>> TLS Require = yes
>>> TLS Verify Peer = no
>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>
>>>
>> This is my director configuration from bacula-dir.conf
>>
>>
>> Director { # define myself
>> Name = storage.jokefire.com
>> DIRport = 9101 # where we listen for UA connections
>> QueryFile = "/etc/bacula/query.sql"
>> WorkingDirectory = "/var/spool/bacula"
>> PidDirectory = "/var/run"
>> Maximum Concurrent Jobs = 1
>> Password = "secret" # Console password
>> Messages = Daemon
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> TLS Verify Peer = yes
>> }
>>
>>
>> I hope I got you right in that this was what you needed to know.
>>
>>
>>> Looking at the cert:
>>>
>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>
>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=
>>> bacula.example.org
>>>
>>
>> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>>
>> Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=
>> storage.jokefire.com/emailAddress=bluethu...@gmail.com
>>
>> [root@storage:~] #hostname -f
>> storage.jokefire.com
>>
>>
>>
>>> The CN must be the same as DirAddress (I did not use an email address for
>>> cert signing)
>>>
>>>
>>
>> It appears as if the DirAddress and the common name do agree. Might there
>> be something else I could have missed?
>>
>> Thanks
>> Tim
>>
>>
>> On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo
>> <cabri...@ifca.unican.es> wrote:
>>
>>> Hi Tim,
>>> I have a similar configuration. I think that the problem is in the CN:
>>> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>>>
>>>
>>> please could you show the value for DirAddress = bacula.example.org
>>>
>>> in my case:
>>>
>>> DirAddress = bacula.example.org
>>>
>>> TLS Enable = yes
>>> TLS Require = yes
>>> TLS Verify Peer = no
>>> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>> TLS Key = /etc/bacula/certs/key/bacula.key
>>>
>>> Looking at the cert:
>>>
>>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>>
>>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=
>>> bacula.example.org
>>>
>>> The CN must be the same as DirAddress (I did not use an email address for
>>> cert signing)
>>>
>>> Regards, I
>>>
>>>
>>> 2013/11/27 Tim Dunphy <bluethu...@gmail.com>
>>>
>>>> Hello all,
>>>>
>>>>
>>>> I'm trying to add TLS encryption to my bacula setup.
>>>>
>>>>
>>>>
>>>> I've been following this guide which got me almost all of the way
>>>> there:
>>>>
>>>>
>>>> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>>>>
>>>>
>>>> I modified the following sections in my bacula-dir.conf file:
>>>>
>>>>
>>>> Director { # define myself
>>>> Name = storage.jokefire.com
>>>> DIRport = 9101 # where we listen for UA connections
>>>> QueryFile = "/etc/bacula/query.sql"
>>>> WorkingDirectory = "/var/spool/bacula"
>>>> PidDirectory = "/var/run"
>>>> Maximum Concurrent Jobs = 1
>>>> Password = "secret" # Console password
>>>> Messages = Daemon
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> TLS Verify Peer = yes
>>>> }
>>>>
>>>>
>>>> Client {
>>>> Name = ops.jokefire.com
>>>> Address = ops.jokefire.com
>>>> FDPort = 9102
>>>> Catalog = JokefireCatalog
>>>> Password = "secret" # password for FileDaemon
>>>> File Retention = 14 days # 14 days
>>>> Job Retention = 14d # 14 days
>>>> AutoPrune = yes # Prune expired Jobs/Files
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> }
>>>>
>>>>
>>>>
>>>> And in my bacula-fd.conf
>>>>
>>>>
>>>> Director {
>>>> Name = storage.jokefire.com
>>>> Password = "secret"
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> }
>>>>
>>>>
>>>> FileDaemon { # this is me
>>>> Name = storage.jokefire.com
>>>> FDport = 9102 # where we listen for the director
>>>> WorkingDirectory = /var/bacula
>>>> Pid Directory = /var/run
>>>> Maximum Concurrent Jobs = 20
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> }
>>>>
>>>>
>>>> In bacula-sd.conf:
>>>>
>>>>
>>>> Storage { # definition of myself
>>>> Name = storage.jokefire.com
>>>> SDPort = 9103 # Director's port
>>>> WorkingDirectory = "/var/spool/bacula"
>>>> Pid Directory = "/var/run"
>>>> Maximum Concurrent Jobs = 20
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> TLS Verify Peer = yes
>>>> }
>>>>
>>>>
>>>> And finally in bconsole.conf:
>>>>
>>>>
>>>> Director {
>>>> Name = storage.jokefire.com
>>>> DIRport = 9101
>>>> address = storage.jokefire.com
>>>> Password = "secret"
>>>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>> TLS Enable = yes
>>>> TLS Require = yes
>>>> }
>>>>
>>>>
>>>> Then I bounced the services so all seems well at this point:
>>>>
>>>>
>>>> [root@storage:/etc/bacula] #bounce-bacula
>>>> Stopping Bacula Storage services: [ OK ]
>>>> Starting Bacula Storage services: [ OK ]
>>>> Stopping Bacula File services: [ OK ]
>>>> Starting Bacula File services: [ OK ]
>>>> Stopping Bacula Director services: [ OK ]
>>>> Starting Bacula Director services: [ OK ]
>>>>
>>>>
>>>> (wrote a script to bounce all services because I'm lazy)
>>>>
>>>>
>>>> But when I go into bconsole I get the following (until I restore from
>>>> backup)
>>>>
>>>>
>>>> [root@storage:/etc/bacula] #bconsole
>>>> Connecting to Director storage.jokefire.com:9101
>>>> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate
>>>> at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com,
>>>> subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com,
>>>> ERR=18:self signed certificate
>>>> TLS negotiation failed
>>>> Director authorization problem.
>>>> Most likely the passwords do not agree.
>>>> If you are using TLS, there may have been a certificate validation
>>>> error during the TLS handshake.
>>>> Please see
>>>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for
>>>> help.
>>>>
>>>>
>>>> I've saved my work with TLS so I'm eager to get this going. I used the
>>>> following guide for generating the certs, and I'm wondering if the problem
>>>> could possibly be in the way I generated the certs?
>>>>
>>>>
>>>>
>>>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>>>
>>>>
>>>> Thanks for any and all advice!
>>>>
>>>>
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Rapidly troubleshoot problems before they affect your business. Most IT
>>>> organizations don't have a clear picture of how application performance
>>>> affects their revenue. With AppDynamics, you get 100% visibility into
>>>> your
>>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
>>>> AppDynamics Pro!
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> Bacula-users mailing list
>>>> Bacula-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>>
>>>>
>>>
>>>
>>> --
>>> ####################################
>>> Iban Cabrillo Bartolome
>>> Instituto de Fisica de Cantabria (IFCA)
>>> Santander, Spain
>>> Tel: +34942200969
>>> ####################################
>>> Bertrand Russell:
>>> *"The trouble with the world is that the stupid are sure of everything and
>>> the intelligent are full of doubts*"
>>>
>>
>>
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>>
>
>
> --
> ####################################
> Iban Cabrillo Bartolome
> Instituto de Fisica de Cantabria (IFCA)
> Santander, Spain
> Tel: +34942200969
> ####################################
> Bertrand Russell:
> *"The trouble with the world is that the stupid are sure of everything and
> the intelligent are full of doubts*"
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
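A note on the error both bconsole transcripts in this thread show. "ERR=18:self signed certificate" is OpenSSL's verify error 18: the certificate at depth 0 has an issuer identical to its subject, meaning it was signed with its own key rather than by the CA named in TLS CA Certificate File, so a peer running with TLS Verify Peer = yes finds no trust anchor for it. Renaming the CN or dropping the emailAddress field does not change that; the issuer/subject pair in the log does. The script below is an added example written for this thread, not code from the thread, from Bacula or from the linked guides. It constructs a throwaway CA, one leaf certificate signed by that CA and one self-signed leaf with the same CN in a temporary directory (all material is generated on the spot; the host name is hypothetical), then runs the three checks an administrator can do offline before restarting any daemon: does the certificate chain to the CA file, does the private key belong to the certificate, and is the file owned by the expected user.

```shell
#!/bin/sh
# Added diagnostic for the "ERR=18:self signed certificate" failure; not part of
# the thread or of Bacula. All key material is constructed in a temp directory.
set -e

DEMO_CN="storage.example.test"   # hypothetical; stands in for the real CN

# make_demo_pki DIR: a root CA, a leaf certificate signed by that CA, and a
# self-signed leaf with the same subject. The self-signed one models the
# failing setup: issuer == subject while the peers trust only the CA file.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Bacula Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$DEMO_CN" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf-signed.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$DEMO_CN" \
    -keyout "$dir/selfsigned.key" -out "$dir/leaf-selfsigned.crt" >/dev/null 2>&1
}

# diagnose_chain CAFILE CERT: prints one word describing what a verifying
# peer concludes about CERT when its trust store is CAFILE.
#   ok                verifies; the state TLS Verify Peer = yes needs
#   self-signed       issuer == subject and CAFILE does not contain it (error 18)
#   untrusted-issuer  signed by a CA that is not in CAFILE (error 20)
diagnose_chain() {
  cafile=$1 cert=$2
  if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  issr=$(openssl x509 -in "$cert" -noout -issuer  | sed 's/^issuer= *//')
  if [ "$subj" = "$issr" ]; then
    echo self-signed
  else
    echo untrusted-issuer
  fi
}

# key_matches_cert CERT KEY: succeeds when KEY is the private half of the
# public key embedded in CERT. A mismatched pair fails the handshake before
# any question about the CN arises.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# owned_by FILE USER: succeeds when FILE is owned by USER, the ownership check
# raised in the thread (the daemons read the key as the bacula user, not root).
owned_by() {
  [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# Walk the three checks over the constructed material and print the verdicts.
run_demo() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  echo "CA-signed leaf  : $(diagnose_chain "$dir/ca.pem" "$dir/leaf-signed.crt")"
  echo "self-signed leaf: $(diagnose_chain "$dir/ca.pem" "$dir/leaf-selfsigned.crt")"
  if key_matches_cert "$dir/leaf-signed.crt" "$dir/leaf.key"; then
    echo "leaf-signed.crt matches leaf.key"
  fi
  if ! key_matches_cert "$dir/leaf-selfsigned.crt" "$dir/leaf.key"; then
    echo "leaf-selfsigned.crt does NOT match leaf.key"
  fi
  if owned_by "$dir/leaf.key" "$(id -un)"; then
    echo "leaf.key is owned by $(id -un)"
  fi
  rm -rf "$dir"
}

run_demo
```

On a real host, run diagnose_chain with the daemon's TLS CA Certificate File and TLS Certificate paths and key_matches_cert with TLS Certificate and TLS Key; anything other than "ok" from the first check will reproduce as a TLS negotiation failure on the verifying side no matter what the CN says.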