Hi Dan,

Thanks for the response, pointing out ssl-admin and your blog post! I sent a follow-up email early Friday evening before I called it quits for the weekend. However, I got an automated response saying it was waiting on moderator approval due to the size of the message being 49KB (apparently 40KB is the limit). I trimmed down my original message below in hopes that it is now small enough to be accepted.
I started over configuring TLS, this time using the instructions here:

https://blog.earth-works.com/2015/08/22/configuring-bacula-to-use-tls-to-encrypt-connections-updated-version-2/

Things look a lot better now. I can connect to bconsole and I confirmed that I can connect to the test client using TLS:

Connecting to Client memsql01-px-fd at memsql01-px.internal.shutterfly.com:9102

memsql01-px.internal.shutterfly.com-fd Version: 9.0.6 (20 November 2017) x86_64-pc-linux-gnu redhat (Core)
Daemon started 31-Jul-20 17:26. Jobs: run=1 running=0.
 Heap: heap=135,168 smbytes=183,132 max_bytes=1,259,687 bufs=103 max_bufs=4,386
 Sizes: boffset_t=8 size_t=8 debug=0 trace=0 mode=0,0 bwlimit=0kB/s
 Plugin: bpipe-fd.so

Running Jobs:
Director connected using TLS at: 31-Jul-20 17:44
No Jobs running.
====

Terminated Jobs:
 JobId  Level    Files      Bytes   Status   Finished        Name
===================================================================
   205  Full     68,416    1.061 G  OK       08-Jul-20 16:25 memsql01-px
   268  Full     69,508    1.073 G  OK       31-Jul-20 17:42 memsql01-px
====

However, it doesn't look like my test backup used encryption:

31-Jul 17:47 xbacdirector01-lv.internal.shutterfly.com-sd JobId 268: Elapsed time=00:02:47, Transfer rate=6.492 M Bytes/second
31-Jul 17:47 xbacdirector01-lv.internal.shutterfly.com-sd JobId 268: Sending spooled attrs to the Director. Despooling 17,433,053 bytes ...
31-Jul 17:48 xbacdirector01-lv.internal.shutterfly.com-dir JobId 268: Bacula xbacdirector01-lv.internal.shutterfly.com-dir 9.0.6 (20Nov17):
  Build OS:               x86_64-pc-linux-gnu redhat (Core)
  JobId:                  268
  Job:                    memsql01-px.2020-07-31_17.45.10_03
  Backup Level:           Full
  Client:                 "memsql01-px-fd" 9.0.6 (20Nov17) x86_64-pc-linux-gnu,redhat,(Core)
  FileSet:                "linux-full" 2018-02-23 23:05:00
  Pool:                   "Daily" (From Job resource)
  Catalog:                "MyCatalog" (From Client resource)
  Storage:                "File1" (From Pool resource)
  Scheduled time:         31-Jul-2020 17:45:02
  Start time:             31-Jul-2020 17:45:12
  End time:               31-Jul-2020 17:48:03
  Elapsed time:           2 mins 51 secs
  Priority:               10
  FD Files Written:       69,508
  SD Files Written:       69,508
  FD Bytes Written:       1,073,884,163 (1.073 GB)
  SD Bytes Written:       1,084,178,560 (1.084 GB)
  Rate:                   6280.0 KB/s
  Software Compression:   64.0% 2.8:1
  Comm Line Compression:  1.1% 1.0:1
  Snapshot/VSS:           no
  Encryption:             no
  Accurate:               no
  Volume name(s):         daily-1
  Volume Session Id:      1
  Volume Session Time:    1596242323
  Last Volume Bytes:      1,087,379,990 (1.087 GB)
  Non-fatal FD errors:    0
  SD Errors:              0
  FD termination status:  OK
  SD termination status:  OK
  Termination:            Backup OK

This is what I have in bacula-fd.conf on the test client (memsql01-px):

Director {
  Name = xbacdirector01-lv.internal.shutterfly.com-dir
  Password = "password"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/memsql01-px.crt
  TLS Key = /etc/ssl/memsql01-px-daemon.key
}

FileDaemon {                          # this is me
  Name = memsql01-px.internal.shutterfly.com-fd
  FDport = 9102                       # where we listen for the director
  WorkingDirectory = /opt/bacula/working
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/memsql01-px.crt
  TLS Key = /etc/ssl/memsql01-px-daemon.key
}

Here are the relevant portions of the bacula-dir.conf file on the Director:

Director {                            # define myself
  Name = xbacdirector01-lv.internal.shutterfly.com-dir
  DIRport = 9101                      # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 20
  Password = "password"               # Console password
  Messages = Daemon
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/xbacdirector01-lv.crt
  TLS Key = /etc/ssl/xbacdirector01-lv-daemon.key
  TLS Verify Peer = yes
  # TLS Allowed CN = "xbacdirector01-lv.internal.shutterfly.com"
}

Storage {                             # definition of myself
  Name = xbacdirector01-lv.internal.shutterfly.com-sd
  SDPort = 9103                       # Director's port
  Address = xbacdirector01-lv.internal.shutterfly.com
  Password = "password"
  Device = FileChgr1-Dev1             # Make sure this matches the bacula-sd.conf file
  MediaType = File1
  Maximum Concurrent Jobs = 20
  Autochanger = yes
  Allow Compression = yes
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/xbacdirector01-lv.crt
  TLS Key = /etc/ssl/xbacdirector01-lv-daemon.key
}

Client {
  Name = memsql01-px-fd
  Address = memsql01-px.internal.shutterfly.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"               # password for FileDaemon
  File Retention = 6 months           # 30 days
  Job Retention = 1 years             # six months
  AutoPrune = yes                     # Prune expired Jobs/Files
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/memsql01-px.crt
  TLS Key = /etc/ssl/memsql01-px-daemon.key
}

Any idea why it would not be encrypted even though I am requiring TLS?

Thanks!
--Shawn

________________________________
From: Dan Langille <d...@langille.org>
Sent: Saturday, August 1, 2020 5:47 AM
To: Dimitri Maziuk via Bacula-users <bacula-users@lists.sourceforge.net>
Subject: Re: [Bacula-users] TLS issues

On Fri, Jul 31, 2020, at 6:15 PM, Shawn Rappaport wrote:

  I'm running Bacula 9.06 (compiled from source with the --with-openssl option) on CentOS 7.5 and running into issues configuring TLS in our test environment. I am following the instructions from these two pages:

  https://www.labeightyfour.com/2019/06/20/configure-encrypted-connections-in-bacula/
  https://www.labeightyfour.com/2019/12/05/certificate-extensions-in-openssl/

  My test environment consists of a server running the Director and SD (xbacdirector01-lv) as well as a CentOS 7.5 Linux client and Windows Server 2019 client.

At work, we just finished getting a client to work. It was a multi-week process. I'll see if I can get details on Monday. There was something extremely obscure which we had to do.

TLS can be very complex to get going. I encourage you to first ensure everything works properly without TLS and then start adding in TLS. To do both at once is dealing with too many variables.

I may be making errors in my observations and I hope they get pointed out.

...

The following is mentioned in passing, not because I have noticed something wrong with your cert creation process, but I recommend verifying that you have client certs for clients (bacula-fd) and server certs for servers (bacula-dir, bacula-sd). There are two types of ssl certs: client, and server. You need server certs for Bacula.

https://dan.langille.org/2019/11/29/ssl-client-vs-server-certificates-and-bacula-fd/

I use and recommend ssl-admin
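An added checker, not from this thread or from the Bacula project, that parses the Resource { Directive = Value } syntax used in the bacula-fd.conf and bacula-dir.conf excerpts above and flags resources that set TLS Enable without the directives a required-TLS connection needs; it assumes directive names compare ignoring case and embedded spaces (the excerpts themselves mix FDport/FDPort and Pid Directory/PidDirectory), and the sample config is constructed.

```python
import re
# Constructed sample in Bacula resource syntax (not the poster's file): the
# Director resource is complete, the FileDaemon resource only enables TLS.
SAMPLE_CONF = """
Director {
  Name = example-dir
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/example-fd.crt
  TLS Key = /etc/ssl/example-fd-daemon.key
}
FileDaemon {            # this is me
  Name = example-fd
  TLS Enable = yes
}
"""
def norm(key):
    """Assumed: Bacula matches directive names ignoring case and spaces."""
    return re.sub(r"\s+", "", key).lower()
# normalized name -> display name of the directives a required-TLS link needs
TLS_NEEDED = {norm(k): k for k in
              ("TLS Require", "TLS CA Certificate File", "TLS Certificate", "TLS Key")}
def parse_resources(text):
    """Return [(resource_type, {normalized directive: value}), ...]."""
    resources, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and whitespace
        if not line:
            continue
        opening = re.match(r"^(\w+)\s*\{$", line)  # e.g. "Director {"
        if opening:
            current = (opening.group(1), {})
            resources.append(current)
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][norm(key)] = value.strip('"')
    return resources
def tls_problems(text):
    """Report resources whose directives cannot give a required-TLS connection."""
    problems = []
    for rtype, d in parse_resources(text):
        label = f"{rtype} {d.get('name', '?')}"
        if d.get("tlsenable", "no").lower() != "yes":
            problems.append(f"{label}: TLS Enable is not yes")
            continue
        problems += [f"{label}: missing {n}" for k, n in TLS_NEEDED.items() if k not in d]
        if d.get("tlsrequire", "yes").lower() != "yes":
            problems.append(f"{label}: TLS Require = no allows a cleartext fallback")
    return problems
```

The Encryption: line in the job summary reports Bacula's PKI data encryption of the backup content, a separate feature from TLS on the daemon connections; the "Director connected using TLS" line in the FD status is what shows the transport was protected.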
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users