OK Bacula Pros: So I looked into the link provided about openssl and discovered that I had reversed the order in my .pem file, putting the public CERT first and the private KEY second. I noticed that another client fd had not been victim to the same error. So I regenerated the PEM for the offending fd.
My next step was to do a quick backup and restore of aten to prove it was now decryptable. However, a funny thing happened on the way to the forum. First I tested matthew to prove it was also decryptable with no configuration changes. The restore job went fine, until: aten-sd JobId 3747: Elapsed time=00:00:03, Transfer rate=466 Bytes/second matthew-fd JobId 3747: Warning: attribs.c:91 Cannot change owner and/or group of /tmp/restore/etc/sysconfig: ERR=Operación no permitida 133 -1 matthew-fd JobId 3747: Error: attribs.c:119 Unable to set file owner /tmp/restore/etc/sysconfig/sshd: ERR=Operación no permitida Which is logical, because my bacula processes run unprivileged, but highly undesirable, because it seems to imply that any large-scale restore will end up owned by bacula:bacula entirely, and I will need to guess the owner/group of each file? Or for a proper restore do I need to each time swap my configuration with a root-privileged fd service? Second unrelated snag: a "quick backup" of my server is not in the cards, because since the last successful Full ran on 3 August and the last successful Incremental ran on the 5th, I've been receiving this warning: aten-dir JobId 3750: No prior Full backup Job record found. aten-dir JobId 3750: No prior or suitable Full backup found in catalog. Doing FULL backup. aten-dir JobId 3750: Start Backup JobId 3750, Job=aten-Backup.2021-08-06_15.34.17_30 And the director goes on his merry way completely preventing me from doing the incremental at all. And there are plainly Full backup jobs listed in Baculum, so how can the Director be disagreeing with my view of reality? Sincerely, Robert On Fri, Aug 6, 2021 at 5:30 AM Heitor Faria <hei...@bacula.com.br> wrote: > Greetings, Bacula User Types! Long time no see! > > Hello Robert! > > Because I am in the throes of doing many dangerous maintenance tasks on my > server, I took the liberty of testing a few restores of critical files. I > was unsurprised to find that they all failed. > > aten-sd JobId 3746: Ready to read from volume "Vol0160" on File device > "FileStorage" (/backup). > aten-sd JobId 3746: Forward spacing Volume "Vol0160" to addr=7999614780 > aten-sd JobId 3746: Elapsed time=00:00:01, Transfer rate=2.608 K > Bytes/second > aten-fd JobId 3746: Error: openssl.c:68 Encryption session provided an > invalid symmetric key: ERR=error:0407109F:rsa > routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error > aten-fd JobId 3746: Error: openssl.c:68 Encryption session provided an > invalid symmetric key: ERR=error:04065072:rsa > routines:rsa_ossl_private_decrypt:padding check failed > aten-fd JobId 3746: Error: openssl.c:68 Encryption session provided an > invalid symmetric key: ERR=error:0607A082:digital envelope > routines:EVP_CIPHER_CTX_set_key_length:invalid key length > aten-fd JobId 3746: Error: restore.c:764 Failed to initialize decryption > context for /tmp/restore/etc/bind/bind.keys > > Now, the configuration docs say nothing about me needing to modify config, > as long as I have not lost keys, zorched the whole system, etc. > > This guy had the same error: < > https://stackoverflow.com/questions/39228128/cant-decrypt-rsa-data-with-open-ssl > > > > The troubleshooting docs, I must remark, are wafer-thin compared to the > complexity of this enterprise software application. I did a simple Ctrl-F > "crypt" and found no mention at all, not even in this section > <https://www.bacula.org/9.6.x-manuals/en/problems/Testing_Your_Tape_Drive_Wit.html#SECTION00431000000000000000> > ... > I cranked up verbosity and debugging on bacula-dir > > The encryption tasks are performed by the bacula-fd. > > and ran it in the foreground as prescribed, but there is no extra logging > anywhere that I can find (since Bacula refuses to conform to the FHS > Filesystem Hierarchy Standard, and I had old versions from Ubuntu's repos, > Bacula and its disused detritus is spreadeagled all over my filesystem like > a drunken octopus.) > > I don't think Bacula directory setup is related to your problem. > > So I must throw myself upon the mercy of the community to debug this. > Thanks. > > We like you, but the openssl community might be more qualified to answer > your question. > > Regards, > -- > > MSc Heitor Faria (Miami/USA) > Bacula LATAM CEO > mobile1: + 1 909 655-8971 > mobile2: + 55 61 98268-4220 > [image: linkedin icon] > <https://www.linkedin.com/in/msc-heitor-faria-5ba51b3> > [image: logo] <Http://www.bacula.com.br> > América Latina > bacula.lat | bacula.com.br <http://www.bacula.com.br> > >
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
