Hi Tim,

Have you configured TLS for this client at bacula-dir.conf?

Best regards,
Ana

On Mon, Jun 15, 2015 at 10:47 AM, Heitor Faria <hei...@bacula.com.br> wrote:

> Hey all,
>
> Hello Tim,
>
> I'm adding some new servers to the backup pool now that I'm successfully
> backing up to S3. Now that space to keep my tapes on is less of an issue,
> it'll be nice to get some more hosts into the backup pool that were
> previously neglected.
>
> I added one host to the pool without any issue at all. But I keep getting
> stuck on the second host I'm trying to add. Bacula keeps complaining about
> a TLS issue, even tho the cert and key appear to be completely kosher.
>
> When I test the second new client with 'st client' this is the response I
> get from bacula:
>
> Select Client (File daemon) resource (1-4): 4
> Connecting to Client logs.jokefire.com at logs.jokefire.com:9102
> Failed to connect to Client logs.jokefire.com.
>
> I've verified that the port is open from the client to the bacula server:
>
> [root@ops:~] #telnet logs.jokefire.com 9102
> Trying 216.120.248.98...
> Connected to logs.jokefire.com.
> Escape character is '^]'.
>
> And I've been able to verify that the cert and key on the new client are
> ok using this tool:
>
> https://www.sslshopper.com/certificate-key-matcher.html
>
> Which does the checking for you and seems reliable.
>
> These are the ownership and permissions on the cert and key on the client
> host:
>
> [root@logs:~] #ls -l /etc/pki/tls/{certs,private}/logs.jokefire.com.*
> -r--------. 1 bacula bacula 1444 Jun 14 22:33 /etc/pki/tls/certs/logs.jokefire.com.crt
> -r--------. 1 bacula bacula 1708 Jun 14 22:33 /etc/pki/tls/private/logs.jokefire.com.key
>
> And this is the config file I'm using for bacula-fd on the client:
>
> [root@logs:~] #grep -v '#' /etc/bacula/bacula-fd.conf
>
> Director {
> Name = ops.jokefire.com
> Password = secret
> TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
> TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
> TLS Enable = yes
> TLS Require = yes
> }
>
> Name = logs.jokefire.com
> WorkingDirectory = /var/bacula
> Pid Directory = /var/run
> Maximum Concurrent Jobs = 20
> TLS Certificate = /etc/pki/tls/certs/logs.jokefire.com.crt
> TLS Key = /etc/pki/tls/private/logs.jokefire.com.key
> TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
> TLS Enable = yes
> TLS Require = yes
> }
>
> Messages {
> Name = Standard
> director = cloud-dir = all, !skipped, !restored
> }
>
> I basically followed these exact steps to create the key, csr and cert
> that were provided to me by Ana on the list some ages ago!
>
> Create CA key
> 1) openssl genrsa -des3 -out ca.key 4096
>
> Create CA cert
> 2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
>
> Create director1 key and certificate signing request
> 3) openssl genrsa -des3 -out director1key.key 4096
> 4) openssl req -new -key director1.key -out director1.csr
>
> Sign the director1 certificate
> 5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt
>
> Don't know if it is necessary, but converted .crt to .pem
> 6) openssl x509 -in director1.crt -out director1.pem
> 7) openssl x509 -in ca.crt -out ca.pem
>
> Really important! Remove the password from the director1 private key
> 8) openssl rsa -in director1key.key -out director1.key
>
> These steps have always worked for me. Until now!!
>
> Maybe openssl configuration files? It is very tricky. E.g.: you need to
> use a different "nsCertType" if you are self signing your certificates.
> I just use the key and cert in the same files. This is my procedure:
> http://www.bacula.com.br/criptografia-das-comunicacoes-do-bacula-tls/?lang=en
>
> Regards,
> ===========================================================================
> Heitor Medrado de Faria - LPIC-III | ITIL-F | Bacula Systems Certified
> Administrator II
> I'm a Bacula/SysAdmin looking for a job in USA or Europe. Please recommend
> me.
> Need Bacula training?
> https://www.udemy.com/bacula-backup-software/?couponCode=bacula-list
> +55 61 8268-4220
> Site: www.bacula.com.br | FB: heitor.faria
> <http://www.facebook.com/heitor.faria>
> ===========================================================================
>
> To make matters even more confusing is that I have a really nice bacula
> puppet module that I created myself which does a nice job of getting bacula
> clients to work with a bacula server. It's never failed me. Until now!
>
> I'm wondering if there's something I missed that could get this working
> correctly.
>
> Thanks!
> Tim
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
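An added example, not part of the original thread: the cert/key match check from the message above done locally with openssl, so the private key never leaves the host, plus a chain check against the CA file and a test for a passphrase-protected key. The CA, subject names and file names are constructed for the demo and are not the poster's files.

```shell
#!/bin/sh
# Added example: local openssl checks for a Bacula client cert/key pair.
# All file names and subject names below are constructed for the demo.

# True when certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when certificate $1 verifies against CA certificate $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when key file $1 is not passphrase-protected (a daemon cannot prompt).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Build a throwaway CA, a signed client cert, an unrelated key and an
# encrypted copy of that key in directory $1 (constructed sample input).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout "$1/fd.key" -out "$1/fd.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/fd.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -set_serial 01 -out "$1/fd.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/other.key" -aes128 -passout pass:constructed \
        -out "$1/enc.key" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
cert_matches_key "$demo/fd.crt" "$demo/fd.key" && echo "cert/key: match"
cert_matches_key "$demo/fd.crt" "$demo/other.key" || echo "other key: mismatch"
cert_chains_to_ca "$demo/fd.crt" "$demo/ca.crt" && echo "chain: ok"
key_is_unencrypted "$demo/enc.key" || echo "enc.key: passphrase-protected"
rm -rf "$demo"
```

Against real files, call the three check functions with the paths named in the `TLS Certificate`, `TLS Key` and `TLS CA Certificate File` directives on both the client and the director.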