Hi Ana,

> Have you configured TLS for this client at bacula-dir.conf?

That was it!! Somehow I missed configuring TLS for this client in
bacula-dir.conf. It's working now. Thank you!!

Cheers,
Tim

On Mon, Jun 15, 2015 at 8:36 PM, Ana Emília M. Arruda <emiliaarr...@gmail.com> wrote:

> Hi Tim,
>
> Have you configured TLS for this client at bacula-dir.conf?
>
> Best regards,
> Ana
>
> On Mon, Jun 15, 2015 at 10:47 AM, Heitor Faria <hei...@bacula.com.br> wrote:
>
>> Hello Tim,
>>
>>> Hey all,
>>>
>>> I'm adding some new servers to the backup pool now that I'm successfully
>>> backing up to S3. Now that space to keep my tapes on is less of an issue,
>>> it'll be nice to get some more hosts into the backup pool that were
>>> previously neglected.
>>>
>>> I added one host to the pool without any issue at all. But I keep getting
>>> stuck on the second host I'm trying to add. Bacula keeps complaining about
>>> a TLS issue, even though the cert and key appear to be completely kosher.
>>>
>>> When I test the second new client with 'st client' this is the response I
>>> get from bacula:
>>>
>>>   Select Client (File daemon) resource (1-4): 4
>>>   Connecting to Client logs.jokefire.com at logs.jokefire.com:9102
>>>   Failed to connect to Client logs.jokefire.com.
>>>
>>> I've verified that the port is open from the client to the bacula server:
>>>
>>>   [root@ops:~] #telnet logs.jokefire.com 9102
>>>   Trying 216.120.248.98...
>>>   Connected to logs.jokefire.com.
>>>   Escape character is '^]'.
>>>
>>> And I've been able to verify that the cert and key on the new client are
>>> ok using this tool:
>>>
>>>   https://www.sslshopper.com/certificate-key-matcher.html
>>>
>>> which does the checking for you and seems reliable.
>>>
>>> These are the ownership and permissions on the cert and key on the client
>>> host:
>>>
>>>   [root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*
>>>   -r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt
>>>   -r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key
>>>
>>> And this is the config file I'm using for bacula-fd on the client:
>>>
>>>   [root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf
>>>
>>>   Director {
>>>     Name = ops.jokefire.com
>>>     Password = secret
>>>     TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
>>>     TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
>>>     TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
>>>     TLS Enable = yes
>>>     TLS Require = yes
>>>   }
>>>
>>>   FileDaemon {   # this opening line carries a trailing comment in the stock
>>>                  # bacula-fd.conf, so the grep -v '#' above drops it
>>>     Name = logs.jokefire.com
>>>     WorkingDirectory = /var/bacula
>>>     Pid Directory = /var/run
>>>     Maximum Concurrent Jobs = 20
>>>     TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
>>>     TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
>>>     TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
>>>     TLS Enable = yes
>>>     TLS Require = yes
>>>   }
>>>
>>>   Messages {
>>>     Name = Standard
>>>     director = cloud-dir = all, !skipped, !restored
>>>   }
>>>
>>> I basically followed these exact steps to create the key, csr and cert
>>> that were provided to me by Ana on the list some ages ago!
>>>
>>>   Create CA key
>>>   1) openssl genrsa -des3 -out ca.key 4096
>>>
>>>   Create CA cert
>>>   2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
>>>
>>>   Create director1 key and certificate signing request
>>>   3) openssl genrsa -des3 -out director1key.key 4096
>>>   4) openssl req -new -key director1key.key -out director1.csr
>>>      (signs the CSR with the passphrase-protected key from step 3;
>>>       the unencrypted director1.key does not exist until step 8)
>>>
>>>   Sign the director1 certificate
>>>   5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt
>>>
>>>   Don't know if it is necessary, but converted .crt to .pem
>>>   6) openssl x509 -in director1.crt -out director1.pem
>>>   7) openssl x509 -in ca.crt -out ca.pem
>>>
>>>   Really important! Remove the password from the director1 private key
>>>   8) openssl rsa -in director1key.key -out director1.key
>>>
>>> These steps have always worked for me. Until now!!
>>
>> Maybe openssl configuration files? It is very tricky. E.g.: you need to
>> use a different "nsCertType" if you are self-signing your certificates.
>> I just use the key and cert in the same files. This is my procedure:
>> http://www.bacula.com.br/criptografia-das-comunicacoes-do-bacula-tls/?lang=en
>>
>> Regards,
>> Heitor Medrado de Faria - LPIC-III | ITIL-F | Bacula Systems Certified Administrator II
>>
>>> To make matters even more confusing, I have a really nice bacula puppet
>>> module that I created myself which does a nice job of getting bacula
>>> clients to work with a bacula server. It's never failed me. Until now!
>>>
>>> I'm wondering if there's something I missed that could get this working
>>> correctly.
>>>
>>> Thanks!
>>> Tim
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
------------------------------------------------------------------------------
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
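The thread resolves with "configure TLS for this client in bacula-dir.conf", and along the way the poster checks his cert/key pair by uploading it to a web tool. The script below is an added example, not code from the thread, from Bacula or from any of the participants: it reruns the posted openssl procedure non-interactively (with step 4 signing against the still-encrypted key), replaces the web key matcher with a local modulus comparison so the private key never leaves the host, verifies that the cert chains to the CA file both daemons will be told to trust, and prints the Director-side Client resource that was missing in the thread. Hostnames (ops.example.org, logs.example.org), passphrases, the Director password and the scratch directory are placeholders. Note that this checks the files, not the wire: Bacula negotiates TLS inside its own protocol after the initial Hello, so pointing openssl s_client at port 9102 does not exercise it.

```shell
#!/bin/sh
# Added example, not from the thread or from Bacula: reproduce the posted
# CA/certificate procedure non-interactively, check the key/cert pair and
# the CA chain locally, and print the Director-side Client resource that
# the thread's fix required. Hostnames, passphrases and the Director
# password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for generated files
KEYBITS="${KEYBITS:-4096}"        # the thread uses 4096-bit keys

# Steps 1-2 of the posted procedure: passphrase-protected CA key and a
# self-signed CA cert. -passout/-passin/-subj replace the interactive prompts.
make_ca() {
  openssl genrsa -des3 -passout pass:capass -out "$WORK/ca.key" "$KEYBITS" 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -passin pass:capass \
      -subj "/CN=example-ca" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 3-5 and 8 for one daemon: encrypted key, CSR, CA-signed cert, then
# the passphrase is stripped because the daemons cannot prompt for it.
# The CSR is signed with the still-encrypted key; the plain copy does not
# exist until the final 'openssl rsa'.
make_daemon_cert() {
  name="$1"
  openssl genrsa -des3 -passout pass:keypass -out "$WORK/$name.enc.key" "$KEYBITS" 2>/dev/null
  openssl req -new -key "$WORK/$name.enc.key" -passin pass:keypass \
      -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -passin pass:capass -set_serial 01 \
      -out "$WORK/$name.crt" 2>/dev/null
  openssl rsa -in "$WORK/$name.enc.key" -passin pass:keypass \
      -out "$WORK/$name.key" 2>/dev/null
}

# Local equivalent of the web "certificate key matcher" used in the thread:
# an RSA cert and key belong together iff their moduli are identical. The
# private key stays on the host instead of being uploaded to a third party.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2")
  [ "$cert_mod" = "$key_mod" ]
}

# A matching pair is not enough: the cert must chain to the CA file both
# daemons are configured with (TLS CA Certificate File), or the peer
# rejects the handshake.
cert_signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The piece missing in the thread: bacula-dir.conf needs a Client resource
# for the new FD with its own TLS directives, using the Director's cert/key
# and the same CA. With the FD set to TLS Require = yes, a Director that is
# not configured for TLS on this client cannot connect, which is consistent
# with the "Failed to connect to Client" message and the fix reported above.
dir_client_resource() {
  fd_name="$1"; ca_file="$2"; dir_cert="$3"; dir_key="$4"
  cat <<EOF
Client {
  Name = $fd_name
  Address = $fd_name
  FDPort = 9102
  Password = "secret"      # must equal Password in the FD's Director resource
  Catalog = MyCatalog
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = $ca_file
  TLS Certificate = $dir_cert
  TLS Key = $dir_key
}
EOF
}

main() {
  make_ca
  make_daemon_cert "ops.example.org"    # the Director's own key/cert
  make_daemon_cert "logs.example.org"   # the new client's key/cert
  key_matches_cert "$WORK/logs.example.org.crt" "$WORK/logs.example.org.key"
  cert_signed_by_ca "$WORK/ca.crt" "$WORK/logs.example.org.crt"
  dir_client_resource "logs.example.org" "$WORK/ca.crt" \
      "$WORK/ops.example.org.crt" "$WORK/ops.example.org.key"
}

# Run the full procedure only when invoked as:  sh tls-check.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `WORK=/some/dir sh tls-check.sh run`; the generated files then go to whatever paths the FD's Director/FileDaemon resources and the Director's Client resource name, and both sides must point at the same ca.crt. The key_matches_cert and cert_signed_by_ca checks are also the two things worth running against an existing installation before touching any Bacula configuration.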