Hey all, I'm adding some new servers to the backup pool now that I'm successfully backing up to S3. Now that space to keep my tapes on is less of an issue, it'll be nice to get some more hosts into the backup pool that were previously neglected.
I added one host to the pool without any issue at all. But I keep getting stuck on the second host I'm trying to add. Bacula keeps complaining about a TLS issue, even though the cert and key appear to be completely kosher.

When I test the second new client with 'st client' this is the response I get from bacula:

    Select Client (File daemon) resource (1-4): 4
    Connecting to Client logs.jokefire.com at logs.jokefire.com:9102
    Failed to connect to Client logs.jokefire.com.

I've verified that the port is open from the client to the bacula server:

    [root@ops:~] #telnet logs.jokefire.com 9102
    Trying 216.120.248.98...
    Connected to logs.jokefire.com.
    Escape character is '^]'.

And I've been able to verify that the cert and key on the new client are ok using this tool:

https://www.sslshopper.com/certificate-key-matcher.html

Which does the checking for you and seems reliable.

These are the ownership and permissions on the cert and key on the client host:

    [root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*
    -r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt
    -r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key

And this is the config file I'm using for bacula-fd on the client:

    [root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf
    Director {
      Name = ops.jokefire.com
      Password = secret
      TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
      TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
      TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
      TLS Enable = yes
      TLS Require = yes
    }
      Name = logs.jokefire.com
      WorkingDirectory = /var/bacula
      Pid Directory = /var/run
      Maximum Concurrent Jobs = 20
      TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
      TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
      TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
      TLS Enable = yes
      TLS Require = yes
    }
    Messages {
      Name = Standard
      director = cloud-dir = all, !skipped, !restored
    }

I basically followed these exact steps to create the key, csr and cert that were provided to me by Ana on the list some ages ago!

Create CA key
1) openssl genrsa -des3 -out ca.key 4096

Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create director1 key and certificate signing request
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1.key -out director1.csr

Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt

Don't know if it is necessary, but converted .crt to .pem
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem

Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key

These steps have always worked for me. Until now!!

To make matters even more confusing, I have a really nice bacula puppet module that I created myself which does a nice job of getting bacula clients to work with a bacula server. It's never failed me. Until now!

I'm wondering if there's something I missed that could get this working correctly.

Thanks!
Tim

--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
------------------------------------------------------------------------------
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
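
The certificate and key checks described in the post, run locally with openssl so the private key stays on the client host. This is an added example, not part of the original message; the function name check_bacula_tls and its output messages are this example's own, and the paths in the closing comment are the ones shown in the post's bacula-fd.conf.

```shell
#!/bin/sh
# Added example, not from the original post. check_bacula_tls and its
# messages are this example's own names.
#
# usage: check_bacula_tls CERT KEY CAFILE HOSTNAME
# Prints one line per failed check; returns 0 only if every check passes.
check_bacula_tls() {
    cert=$1; key=$2; ca=$3; host=$4; rc=0

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    # Public key derived from the private key. "-passin pass:" supplies an
    # empty passphrase, so a still-encrypted key fails here instead of
    # prompting; a daemon cannot answer a passphrase prompt either.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: \
        2>/dev/null </dev/null) || key_pub=

    if [ -z "$cert_pub" ]; then
        echo "FAIL: cannot read certificate $cert"; rc=1
    elif [ -z "$key_pub" ]; then
        echo "FAIL: cannot load key $key (unreadable or passphrase-protected)"; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # The certificate must chain to the CA file named in the config.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # The certificate must not be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired or cannot be read"; rc=1
    fi

    # The certificate must name the host that peers connect to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert does not name $host"; rc=1
    fi

    return $rc
}

# With the paths from the post's bacula-fd.conf:
# check_bacula_tls /etc/pki/tls/certs/logs.jokefire.com.crt \
#     /etc/pki/tls/private/logs.jokefire.com.key \
#     /etc/pki/CA/certs/ca.crt logs.jokefire.com
```

Run it as the user the file daemon runs as, so that a permissions problem on any of the three files shows up as a read failure.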