It seems that the Bareos daemons do not try to reread configured X.509
CRLs from the file system, neither when they expire nor when the daemon
receives a SIGHUP. For example, when a file daemon's CRL has expired and
the director tries to connect, the following messages are displayed at
the director (which, by the way, do not describe the problem at hand
very accurately):

        26-Apr 20:52 alpha-dir JobId 0: Fatal error: TLS negotiation failed with FD at "beta.example.com:9102".
        26-Apr 20:53 alpha-dir JobId 0: Error: crypto_openssl.c:1475 Connect failure: ERR=error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

After placing an updated CRL in the expected file system location and
restarting the file daemon, the connection can be successfully
established again.

Now my question is whether there is a way other than restarting the
daemon to force it to reread the CRL from the file system, because
having to restart the daemons daily is quite annoying and could also
break running jobs if not planned very well.

On the other hand, I'd like to recommend letting the daemons
automatically reread the CRLs if they expire, if the expected file
changed, or at least on a manual SIGHUP.
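
A check that reads a CRL's nextUpdate field, so that a CRL refresh and daemon restart can be scheduled before the failure described above occurs. This is an added example, not part of the original post and not Bareos code; the function names, the 12-hour warning window and the sample CRL (constructed, with a placeholder signature) are assumptions.

```python
import base64, re
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) from a PEM or DER encoded CRL."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    _, pos, _ = _tlv(der, 0)        # CertificateList
    _, pos, end = _tlv(der, pos)    # TBSCertList
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = _tlv(der, pos)
        if tag in (0x17, 0x18):     # UTCTime / GeneralizedTime
            times.append(_time(tag, der[start:stop]))
        pos = stop                  # skip version, algorithm, issuer, ...
    if len(times) < 2:
        raise ValueError("thisUpdate/nextUpdate not found; not a usable CRL")
    return times[0], times[1]

def crl_status(data, now, warn=timedelta(hours=12)):
    """Return 'expired', 'expiring' (inside the warn window) or 'ok'."""
    next_update = crl_validity(data)[1]
    if now >= next_update:
        return "expired"
    return "expiring" if next_update - now <= warn else "ok"

# Constructed sample: minimal v2 CRL, all-zero placeholder signature (not valid).
def _enc(tag, body):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
ALG = _enc(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
ISSUER = _enc(0x30, _enc(0x31, _enc(0x30, bytes.fromhex("0603550403") + _enc(0x0C, b"Example CA"))))
UPD = _enc(0x17, b"240425205200Z") + _enc(0x17, b"240426205200Z")  # thisUpdate, nextUpdate
TBS = _enc(0x30, _enc(0x02, b"\x01") + ALG + ISSUER + UPD)
SAMPLE_DER = _enc(0x30, TBS + ALG + _enc(0x03, bytes(257)))
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n"
```

Run from cron or a monitoring agent against each daemon's CRL file, passing datetime.now(timezone.utc) as now, a result of "expiring" leaves time to fetch a fresh CRL and plan the restart around running jobs.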
