Hey Ana / all,
Forgot to hit reply-all. Whoops! Adding the list to the correspondence. :)
> Have you confirmed that your "WorkingDirectory = /var/bacula" exists?
OK thanks. That got the bacula client started on web1 :)
I've been able to verify it's started there:
[root@web1:~/certs] #lsof -i :9102
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bacula-fd 5403 root 3u IPv4 2922313 0t0 TCP *:bacula-fd (LISTEN)
However a couple things still need to be worked out I think. For one, the
bacula client isn't logging anything to its log directory:
[root@web1:~/certs] #ls -l /var/log/bacula/
total 0
I did try creating the log manually and chowning it to the bacula user:
[root@web1:~/certs] #ls -l /var/log/bacula/bacula.log
-rw-r--r-- 1 bacula bacula 0 Mar 1 22:28 /var/log/bacula/bacula.log
However that didn't seem to make any difference, and I don't see the log
filling up with anything.
And going back to the bacula server, it looks like the client still can't
be contacted:
*st client
The defined Client resources are:
1: ops.jokefire.com
2: web1.jokefire.com
Select Client (File daemon) resource (1-2): 2
Connecting to Client web1.jokefire.com at web1.jokefire.com:9102
Failed to connect to Client web1.jokefire.com.
====
Even though I can hit the correct port on the client from the server,
verifying that it's open:
[root@ops:~] #telnet web1.jokefire.com 9102
Trying 162.243.60.6...
Connected to web1.jokefire.com (162.243.60.6).
Escape character is '^]'.
Checking messages on the server I see this error repeatedly:
*messages
01-Mar 23:15 ops.jokefire.com JobId 0: Error: openssl.c:74 Connect failure: ERR=error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
01-Mar 23:15 ops.jokefire.com JobId 0: Fatal error: TLS negotiation failed with FD at "web1.jokefire.com:9102".
This is the process I used to create the cert on the client:
1) copied over ca.key from the bacula server to the client
Create web1.jokefire.com key and certificate signing request
2) openssl genrsa -des3 -out web1.jokefire.com.key 4096
3) openssl req -new -key web1.jokefire.com.key -out web1.jokefire.com.csr
Sign the web1.jokefire.com certificate
4) openssl x509 -req -days 3650 -in web1.jokefire.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out web1.jokefire.com.crt
Really important! Remove the password from the web1.jokefire.com private key
5) openssl rsa -in web1.jokefire.com.key -out web1.jokefire.com.key
And I was able to verify the ca.key .. it looks ok to me:
[root@web1:~/certs] #openssl x509 -in /etc/pki/CA/certs/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9373003421479956496 (0x821398f397d57010)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com CA
Validity
Not Before: Dec 6 01:57:10 2013 GMT
Not After : Dec 4 01:57:10 2023 GMT
Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CB:7E:8F:08:AE:1B:85:41:3B:AD:C5:65:AA:AA:75:9D:21:C0:4E:F2
X509v3 Authority Key Identifier:
keyid:CB:7E:8F:08:AE:1B:85:41:3B:AD:C5:65:AA:AA:75:9D:21:C0:4E:F2
DirName:/C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=ops.jokefire.com CA
serial:82:13:98:F3:97:D5:70:10
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
I was hoping someone might have some other thoughts on how to get this
working.
Thanks!
Tim
On Sun, Mar 1, 2015 at 8:50 PM, Ana Emília M. Arruda <emiliaarr...@gmail.com> wrote:
> Hi Tim!
>
> Have you confirmed that your "WorkingDirectory = /var/bacula" exists?
>
> Best regards,
> Ana
>
> On Sun, Mar 1, 2015 at 10:04 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>
>> Hey guys,
>>
>> OK I was able to get bacula-client version 7 installed on a CentOS 7
>> machine.
>>
>> [root@web1:~/certs] #rpm -qa | grep bacula
>> bacula-libs-7.0.5-1.el7.x86_64
>> bacula-common-7.0.5-1.el7.x86_64
>> bacula-client-7.0.5-1.el7.x86_64
>>
>> But the service fails to start:
>>
>> [root@web1:~/certs] #service bacula-fd status -l
>> Redirecting to /bin/systemctl status -l bacula-fd.service
>> bacula-fd.service - Bacula-FileDaemon, a Backup-client
>> Loaded: loaded (/usr/lib/systemd/system/bacula-fd.service; disabled)
>> Active: failed (Result: start-limit) since Sun 2015-03-01 19:59:57
>> EST; 2min 11s ago
>> Docs: man:bacula-fd(8)
>> Process: 28324 ExecStart=/usr/sbin/bacula-fd -f $OPTS -c $CONFIG -u
>> $FD_USER -g $FD_GROUP (code=exited, status=1/FAILURE)
>> Main PID: 28324 (code=exited, status=1/FAILURE)
>>
>> Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service: main process exited,
>> code=exited, status=1/FAILURE
>> Mar 01 19:59:57 web1 systemd[1]: Unit bacula-fd.service entered failed
>> state.
>> Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service holdoff time over,
>> scheduling restart.
>> Mar 01 19:59:57 web1 systemd[1]: Stopping Bacula-FileDaemon, a
>> Backup-client...
>> Mar 01 19:59:57 web1 systemd[1]: Starting Bacula-FileDaemon, a
>> Backup-client...
>> Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service start request repeated
>> too quickly, refusing to start.
>> Mar 01 19:59:57 web1 systemd[1]: Failed to start Bacula-FileDaemon, a
>> Backup-client.
>> Mar 01 19:59:57 web1 systemd[1]: Unit bacula-fd.service entered failed
>> state.
>>
>>
>> Here's my bacula-fd config:
>>
>> [root@web1:~/certs] #cat /etc/bacula/bacula-fd.conf
>> #
>> # Default Bacula File Daemon Configuration file
>> #
>> # For Bacula release 5.2.13 (19 February 2013) -- redhat
>> #
>> # There is not much to change here except perhaps the
>> # File daemon Name to
>> #
>>
>> #
>> # List Directors who are permitted to contact this File daemon
>> #
>> Director {
>> Name = ops.jokefire.com
>> Password = Duk30fZh0u
>> TLS Certificate = /etc/pki/tls/certs/web1.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/web1.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>> #
>> # "Global" File daemon configuration specifications
>> #
>> FileDaemon { # this is me
>> Name = web1.jokefire.com
>> FDport = 9102 # where we listen for the director
>> WorkingDirectory = /var/bacula
>> Pid Directory = /var/run
>> Maximum Concurrent Jobs = 20
>> TLS Certificate = /etc/pki/tls/certs/web1.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/web1.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>> # Send all messages except skipped files back to Director
>> Messages {
>> Name = Standard
>> director = cloud-dir = all, !skipped, !restored
>> }
>>
>> And here are my certs and how they're permissioned:
>>
>> -r-------- 1 root root 2212 Feb 13 18:24 /etc/pki/CA/certs/ca.crt
>> -r-------- 1 bacula bacula 1428 Mar 1 19:58
>> /etc/pki/tls/certs/web1.jokefire.com.crt
>> -r-------- 1 bacula bacula 891 Mar 1 19:58
>> /etc/pki/tls/private/web1.jokefire.com.key
>>
>> I'd appreciate any advice you guys can give on how to troubleshoot this.
>> I am not at all familiar with CentOS 7 just yet. It seems they do things a
>> little differently on this latest version of the OS.
>>
>> Thanks
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>>
>>
>> _______________________________________________
>> Bacula-users mailing list
>> Bacula-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>
>>
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
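
Added example, not part of the original message: the "unknown ca" alert in the Director log is what TLS reports when one side's certificate does not verify against the CA file the other side loads. The script below builds two throwaway CAs and two certificates (every name, key and file is constructed for the example) and exercises the three checks worth running on the real files: chain verification, key/cert match, and a CA fingerprint to compare between hosts.

```shell
#!/usr/bin/env bash
# Added example. Every key, cert and name below is constructed in a temp dir.
set -u
WORK=$(mktemp -d)

# make_ca DIR CN: throwaway self-signed CA (relies on the stock openssl.cnf
# marking `req -x509` output as CA:TRUE).
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue CA_DIR NAME SERIAL: the key and CSR are created on the requesting
# side; only the CSR goes to the CA and only the cert comes back, so ca.key
# stays put. Serials must be unique per CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$WORK/$2.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -set_serial "$3" -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CA_CERT CERT: 0 only if CERT verifies against that CA file.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: 0 only if KEY is the private key for CERT.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# fingerprint CERT: compare this between the two hosts' copies of ca.crt.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

make_ca "$WORK/ca_a" "example CA A"   # CA that issued both daemons' certs
make_ca "$WORK/ca_b" "example CA B"   # unrelated CA loaded by mistake
issue "$WORK/ca_a" director.example 1
issue "$WORK/ca_a" client.example 2

chains_to "$WORK/ca_a/ca.crt" "$WORK/director.example.crt" \
  && echo "director cert verifies against CA A"
chains_to "$WORK/ca_b/ca.crt" "$WORK/director.example.crt" \
  || echo "director cert fails against CA B: the unknown-ca condition"
key_matches "$WORK/client.example.crt" "$WORK/client.example.key" \
  && echo "client key matches client cert"
```

On real hosts the same three functions apply directly to the paths named in each daemon's TLS directives, run on both the Director and the File Daemon.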