Good morning again,

After more trying out, I discovered that Bareos actually expects client certificates. I followed this tutorial: https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html and created client certificates for bareos01-fd, bareos02-fd, bareos-dir and possibly monitor on their respective servers.

Common Names then for the clients:

    [email protected]
    bareos02-fdserver02.example.com
    [email protected]

Then server certificates for both servers (each having its Common Name equal to its address):

    server01.example.com
    server02.example.com

The names for the clients and servers don't seem to matter. Then in the config files you need to deploy server certificates for the incoming connecting client, and at times client certificates if a client needs to identify itself.

In bareos-dir.d/director/bareos-dir.conf you need to check if the incoming connection from the monitor is valid:

    #TLS
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Allowed CN = [email protected]
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    # This is a server certificate, used for incoming
    # console connections.
    TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
    TLS Key = /etc/bareos/tls/server01.example.com.key.pem

In bareos-dir.d/client/bareos02.conf you define the client to connect to as director, and describe the client certificate the director will use to connect to the client. Here the CN is important, as that is checked in client connections.

    Address = server02.example.com   # Example for separate server
    #TLS
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    # This is a client certificate, used by the director to
    # connect to the file daemon
    TLS Certificate = /etc/bareos/tls/[email protected]   # Director is on server01
    TLS Key = /etc/bareos/tls/[email protected]

In bareos-fd.d/client/client02.conf you define the FD client on that server and offer a client certificate:

    # You need these TLS entries so the SD and FD can
    # communicate
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    TLS Certificate = /etc/bareos/tls/[email protected]   # Example for other server
    TLS Key = /etc/bareos/tls/[email protected]

In bareos-fd.d/.. and bareos-sd.d/director/bareos-dir.conf (and also in bareos-fd.d) you need to verify the incoming director connection, and offer a server certificate:

    #TLS
    TLS Enable = yes
    TLS Require = yes
    # Require the connecting director to provide a certificate
    # with the matching CN.
    TLS Verify Peer = yes
    TLS Allowed CN = [email protected]
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    # This is a server certificate. It is used by the connecting
    # director to verify the authenticity of this storage daemon
    TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
    TLS Key = /etc/bareos/tls/server01.example.com.key.pem

In bareos-sd.d/storage/bareos-sd.conf you get the exception according to the documentation, in which you do not need verification:

    # These TLS configuration options are used for incoming
    # file daemon connections. Director TLS settings are handled
    # below.
    TLS Enable = yes
    TLS Require = yes
    # Peer certificate is not required/requested -- peer validity
    # is verified by the storage connection cookie provided to the
    # File Daemon by the director.
    TLS Verify Peer = no
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    # This is a server certificate. It is used by connecting
    # file daemons to verify the authenticity of this storage daemon
    TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
    TLS Key = /etc/bareos/tls/server01.example.com.key.pem

___

The part I am not sure about, and cannot test, is the following (but I'm not getting errors).

In bconsole.conf you need to offer the option for encrypted bconsole communication:

    Address = server01.example.com
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    TLS Certificate = /etc/bareos/tls/[email protected]
    TLS Key = /etc/bareos/tls/[email protected]

In bareos-dir.d/console/console.conf you add these settings as well:

    #TLS
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = "[email protected]"
    TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
    # This is a server certificate. It is used by connecting
    # directors to verify the authenticity of this file daemon
    TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
    TLS Key = /etc/bareos/tls/server01.example.com.key.pem

____

I hope this helps someone else, and this can inspire the manual maintainers.

Michel

----- Original Message -----
> From: "Michel V" <[email protected]>
> To: "bareos-users" <[email protected]>
> Sent: Monday, 2 January, 2017 9:01:19 AM
> Subject: [bareos-users] TLS setup: what Common Name (CN) to use for
> certificates for which names?
>
> Hey all,
>
> I have a working setup with jobs that work. Extended to two machines,
> and that also works. Now I would like to implement TLS for
> communication between the different machines, but I'm lost in
> options.
> (And I've reread docs many times).
>
> For sake of simplicity:
>
> Two separate servers
> server01 on server01.example.com
> server02 on server02.example.com
>
> Director: bareos-dir on server01
> Client1: bareos01-fd on server01
> Client2: bareos02-fd on server02
> Storage: bareos-sd on server01
>
> bconsole: on server01
>
> I am creating my own certificates, so can choose the Common Name in
> there.
> But up to now, no luck in getting it working, although certificates
> are valid. Probably due to my lack of understanding which Common
> Name should be used for which program on which server. Documentation
> is not making it any clearer, and the mailing list does not show
> explicit examples.
>
> Current error message in bconsole: Connect failure:
> ERR=error:140940F5:SSL routines:ssl3_read_bytes:unexpected record
>
> My questions:
> 1. Common Name to use
> Eg for bareos-dir. Should that be server01.example.com, or
> bareos-dir.server01.example.com or should I use a client certificate
> [email protected]
> Same holds for Client 1 and 2: what to use?
>
> Please note that I started with simple certificates for
> server01.example.com for Director, Client1 and Storage, but no luck
> there.
> Could someone write out this for the two clients, to make it easier
> to understand?
>
> 2. Name in config
> Should I keep with bareos-dir, bareos01-fd etc, or should those be
> FQDN names as well, eg bareos-dir.example.com?
>
> 3. Certificate checking
> Is the certificate checked against the name (bareos-dir etc), or
> against the server location?
>
> 4. bconsole
> Can bconsole also be secured, as there is no mention of that in the
> manual?
>
> With all the best for 2017,
>
> Michel
>
> --
> You received this message because you are subscribed to the Google
> Groups "bareos-users" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
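Added example, not part of Michel's post and not code from the Bareos project: a POSIX shell script that mints the two kinds of certificate his layout relies on, using the openssl CLI. Server certificates get CN = FQDN of the host that accepts the connection (the value a connecting daemon verifies, so it also goes into subjectAltName), client certificates get CN = daemon@host (the value the accepting daemon compares against "TLS Allowed CN"), and each kind is restricted by extendedKeyUsage so a client certificate cannot be presented as a server certificate. The host names, the daemon@host CNs and the output directory are assumptions chosen to match the post's two-server setup; the CN-matching helper only emulates the "TLS Allowed CN" check, it is not Bareos code.

```shell
#!/bin/sh
# Added example (not from the post or the Bareos project): private CA plus
# server and client certificates for a two-server Bareos setup.
# Assumptions: openssl CLI available; hosts server01/server02.example.com;
# daemon CNs of the form daemon@host. Output lands in $TLS_DIR.
set -eu

TLS_DIR="${TLS_DIR:-$(mktemp -d)}"
CA_DAYS=3650
CERT_DAYS=825

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > "$TLS_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca: self-signed CA; plays the role of ca-chain.cert.pem in the post.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days "$CA_DAYS" \
        -config "$TLS_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Bareos CA" \
        -keyout "$TLS_DIR/ca.key.pem" -out "$TLS_DIR/ca.cert.pem" 2>/dev/null
}

# issue_cert NAME CN KIND: KIND is "server" or "client". The extendedKeyUsage
# is what keeps the two roles apart; server certs also carry a DNS SAN.
issue_cert() {
    name=$1 cn=$2 kind=$3
    case $kind in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "issue_cert: kind must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -config "$TLS_DIR/openssl.cnf" \
        -subj "/CN=$cn" \
        -keyout "$TLS_DIR/$name.key.pem" -out "$TLS_DIR/$name.csr.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$TLS_DIR/$name.ext"
    if [ "$kind" = server ]; then
        printf 'subjectAltName=DNS:%s\n' "$cn" >> "$TLS_DIR/$name.ext"
    fi
    openssl x509 -req -days "$CERT_DAYS" -in "$TLS_DIR/$name.csr.pem" \
        -CA "$TLS_DIR/ca.cert.pem" -CAkey "$TLS_DIR/ca.key.pem" -CAcreateserial \
        -extfile "$TLS_DIR/$name.ext" -out "$TLS_DIR/$name.cert.pem" 2>/dev/null
}

# cert_cn FILE: print the subject CN, the value "TLS Allowed CN" is compared with.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_cert FILE: chain check against the CA, like "TLS CA Certificate File".
verify_cert() {
    openssl verify -CAfile "$TLS_DIR/ca.cert.pem" "$1" >/dev/null 2>&1
}

# is_client_cert FILE: true when the cert is marked for TLS client use.
is_client_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# allowed_cn FILE CN...: emulate "TLS Allowed CN" - succeed only when the
# certificate's CN exactly matches one of the listed names.
allowed_cn() {
    file=$1; shift
    got=$(cert_cn "$file")
    for want in "$@"; do
        if [ "$got" = "$want" ]; then return 0; fi
    done
    return 1
}

build_pki() {
    make_ca
    # Server certificates: CN = FQDN of the host that accepts connections.
    issue_cert server01.example.com server01.example.com server
    issue_cert server02.example.com server02.example.com server
    # Client certificates: CN = daemon@host, presented by the connecting side.
    issue_cert bareos-dir  bareos-dir@server01.example.com  client
    issue_cert bareos01-fd bareos01-fd@server01.example.com client
    issue_cert bareos02-fd bareos02-fd@server02.example.com client
}

build_pki
for f in "$TLS_DIR"/*.cert.pem; do
    printf '%-36s CN=%s\n' "$(basename "$f")" "$(cert_cn "$f")"
done
```

Run it once and point the "TLS Certificate"/"TLS Key" directives at the files it writes: the server01.example.com.* pair on every resource that accepts connections on server01, the bareos-dir.* pair on the director's outgoing client resources, and the CN printed for bareos-dir.cert.pem in the "TLS Allowed CN" of every daemon the director connects to. A CN mismatch shows up only when "TLS Verify Peer = yes" is set on the accepting side, which is why the storage daemon's FD-facing resource in the post, with "TLS Verify Peer = no", never trips on it.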
