> Hey all,
Hello Tim,
> I'm adding some new servers to the backup pool now that I'm successfully
> backing up to S3. Now that space to keep my tapes on is less of an issue,
> it'll be nice to get some more hosts into the backup pool that were
> previously neglected.
> I added one host to the pool without any issue at all. But I keep getting
> stuck on the second host I'm trying to add. Bacula keeps complaining about
> a TLS issue, even though the cert and key appear to be completely kosher.
> When I test the second new client with 'st client' this is the response I get
> from bacula:
> Select Client (File daemon) resource (1-4): 4
> Connecting to Client logs.jokefire.com at logs.jokefire.com:9102
> Failed to connect to Client logs.jokefire.com .
> I've verified that the port is open from the client to the bacula server:
> [root@ops:~] #telnet logs.jokefire.com 9102
> Trying 216.120.248.98...
> Connected to logs.jokefire.com .
> Escape character is '^]'.
> And I've been able to verify that the cert and key on the new client are ok
> using this tool:
> https://www.sslshopper.com/certificate-key-matcher.html
> Which does the checking for you and seems reliable.
> These are the ownership and permissions on the cert and key on the client
> host:
> [root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*
> -r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt
> -r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key
> And this is the config file I'm using for bacula-fd on the client:
> [root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf
> Director {
> Name = ops.jokefire.com
> Password = secret
> TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
> TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
> TLS Enable = yes
> TLS Require = yes
> }
> Name = logs.jokefire.com
> WorkingDirectory = /var/bacula
> Pid Directory = /var/run
> Maximum Concurrent Jobs = 20
> TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
> TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
> TLS Enable = yes
> TLS Require = yes
> }
> Messages {
> Name = Standard
> director = cloud-dir = all, !skipped, !restored
> }
> I basically followed these exact steps to create the key, csr and cert that
> were provided to me by Ana on the list some ages ago!
> Create CA key
> 1) openssl genrsa -des3 -out ca.key 4096
> Create CA cert
> 2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> Create director1 key and certificate signing request
> 3) openssl genrsa -des3 -out director1key.key 4096
> 4) openssl req -new -key director1.key -out director1.csr
> Sign the director1 certificate
> 5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt
> Don't know if it is necessary, but converted .crt to .pem
> 6) openssl x509 -in director1.crt -out director1.pem
> 7) openssl x509 -in ca.crt -out ca.pem
> Really important! Remove the password from the director1 private key
> 8) openssl rsa -in director1key.key -out director1.key
> These steps have always worked for me. Until now!!
Maybe openssl configuration files? It is very tricky. E.g.: you need to use a
different "nsCertType" if you are self signing your certificates.
I just use the key and cert in the same files. This is my procedure:
http://www.bacula.com.br/criptografia-das-comunicacoes-do-bacula-tls/?lang=en
Regards,
===========================================================================
Heitor Medrado de Faria - LPIC-III | ITIL-F | Bacula Systems Certified Administrator II
Site: www.bacula.com.br | FB: heitor.faria
===========================================================================
> To make matters even more confusing is that I have a really nice bacula puppet
> module that I created myself which does a nice job of getting bacula clients
> to work with a bacula server. It's never failed me. Until now!
> I'm wondering if there's something I missed that could get this working
> correctly.
> Thanks!
> Tim
> --
> GPG me!!
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> ------------------------------------------------------------------------------
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
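
The checks discussed in this thread (passphrase removed from the key as in step 8, key matching the certificate, certificate signed by the CA named in `TLS CA Certificate File`) can be run locally with openssl, so the private key never leaves the host. This is an added example, not part of the original messages; `check_tls_pair` and its return codes are hypothetical names chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). check_tls_pair is a hypothetical helper.
# Usage: check_tls_pair CERT KEY CA
# Returns: 0 ok, 1 key unusable, 2 cert unparsable, 3 key/cert mismatch,
#          4 cert does not verify against the CA file
check_tls_pair() {
    local cert="$1" key="$2" ca="$3"
    local key_pub cert_pub

    # 1. The daemon cannot type a passphrase, so the key must load with none.
    #    "-passin pass:" supplies an empty passphrase instead of prompting.
    if ! key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null); then
        echo "FAIL: $key is unreadable or still passphrase-protected"
        return 1
    fi

    # 2. The certificate must carry the public half of that private key.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: $cert is not a parsable X.509 certificate"
        return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not belong together"
        return 3
    fi

    # 3. The certificate must verify against the CA file the peer will use.
    #    openssl verify also rejects expired or not-yet-valid certificates.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"
        return 4
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
    return 0
}

# Example call with the paths shown in the thread:
# check_tls_pair /etc/pki/tls/certs/logs.jokefire.com.crt \
#                /etc/pki/tls/private/logs.jokefire.com.key \
#                /etc/pki/CA/certs/ca.crt
```

Run it as the account the file daemon runs under, so that a permissions problem on the key shows up as return code 1.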