Hi Bruno, Thank you for your kind reply !
I reinstalled a stable version, bareos-fd 16.2.4, on my Windows 2016. This is exactly the same version as on the Linux side with bareos-dir and bareos-sd. I checked my certificates and they seem correct (the modulus of the private key and certificate match). I used easyrsa to generate my PKI (I'm not a PKI expert). Can you tell me how you generated yours?

I have created a CA and used it for bacula-fd certificates.

2017-05-18 8:45 GMT+02:00 Bruno Friedmann <[email protected]>:

> On lundi, 15 mai 2017 16.54:08 h CEST Nicolas Greneche wrote:
>> Hi,
>>
>> I have a TLS connection issue with Bareos Client
>> "winbareos-17.1.3.1491573777.248ae67-postvista-64-bit-r208.1" on Windows
>> Server 2016.
>>
>> I cannot connect through TLS. I have the following setup:
>>
>> Client {
>>   Name = cc-ad2-fd
>>   Maximum Concurrent Jobs = 20
>>   Heartbeat Interval = 120
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS CA Certificate File = c:/ProgramData/Bareos/ca.crt
>>   TLS Certificate = c:/ProgramData/Bareos/client.crt
>>   TLS Key = c:/ProgramData/Bareos/client.key
>>   compatible = no
>> }
>>
>> Director {
>>   Name = bareos-dir
>>   Password = "papass"
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS Verify Peer = no
>>   TLS CA Certificate File = "c:/ProgramData/Bareos/ca.crt"
>>   TLS Certificate = "c:/ProgramData/Bareos/client.crt"
>>   TLS Key = "c:/ProgramData/Bareos/client.key"
>> }
>>
>> The CN in the certificate matches the FQDN of the client.
>> The modulus of the private key and related certificate match.
>>
>> When I try to make a TLS connection from Bareos I have the following
>> message:
>>
>> 11-mai 11:58 bareos-dir JobId 0: Error: crypto_openssl.c:1486 Connect failure: ERR=error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
>> 11-mai 11:58 bareos-dir JobId 0: Fatal error: TLS negotiation failed.
>> 11-mai 11:58 bareos-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "gw-mshpn.mshparisnord.fr:9102". Possible causes:
>> Passwords or names not the same or
>> TLS negotiation failed or
>> Maximum Concurrent Jobs exceeded on the FD or
>> FD networking messed up (restart daemon).
>>
>> There are two strange things:
>>
>> 1) If I change the path of the certificate in the configuration to a wrong
>> path, Bareos client starts.
>>
>> 2) When I try to make a raw connection using openssl s_client, it fails
>> finding a certificate:
>>
>> root@one-node01:~# openssl s_client -connect client:9102 (-ssl3, -tls1, -tls1_2)
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 289 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1494866573
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> Does someone have an idea?
>>
>> Thank you!
>>
>> Nico
>
> Could you verify the usage of certificates, there's a difference between
> client role and server role.
> Documentation has some explanations, which still can be improved :-)
>
> In my case I've made my certificate valid for server and client role.
> In the meantime, as you're using daily build, perhaps it has been a transient
> error. You could try if a newer build has fixes.
>
> --
>
> Bruno Friedmann
> Ioda-Net Sàrl www.ioda-net.ch
> Bareos Partner, openSUSE Member, fsfe fellowship
> GPG KEY : D5C9B751C4653227
> irc: tigerfoot
>
> openSUSE Tumbleweed
> Linux 4.10.13-1-default x86_64 GNU/Linux, nvidia: 375.66
> Qt: 5.7.1, KDE Frameworks: 5.33.0, Plasma: 5.9.5, kmail2 5.5.0
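The certificate-usage check suggested in the quoted reply, as an added example that is not part of the original thread: it asks OpenSSL which TLS roles (server, client) a certificate's extensions permit. The function names `cert_roles` and `make_test_cert`, the subject `fd.example.test` and the generated test certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which TLS roles a certificate
# may be used for, based on `openssl x509 -purpose`.

# cert_roles FILE -> prints "server", "client", "server client" or "none"
cert_roles() {
    out=$(openssl x509 -in "$1" -noout -purpose) || return 1
    roles=""
    echo "$out" | grep -q '^SSL server : Yes' && roles="server"
    echo "$out" | grep -q '^SSL client : Yes' && roles="${roles:+$roles }client"
    echo "${roles:-none}"
}

# make_test_cert EKU OUTFILE -> constructed, self-signed throwaway certificate
# whose extendedKeyUsage is set to EKU (hypothetical helper for the demo only).
make_test_cert() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = fd.example.test' \
        '[ext]' "extendedKeyUsage = $1" > "$demo_dir/req.cnf"
    openssl req -x509 -new -key "$demo_dir/key.pem" -config "$demo_dir/req.cnf" \
        -extensions ext -days 1 -out "$2" 2>/dev/null
}

# Constructed sample input: one key, two certificates with different usages.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl genrsa -out "$demo_dir/key.pem" 2048 2>/dev/null
make_test_cert clientAuth            "$demo_dir/client-only.crt"
make_test_cert serverAuth,clientAuth "$demo_dir/both.crt"

for c in client-only both; do
    echo "$c.crt: $(cert_roles "$demo_dir/$c.crt")"
done
```

A certificate that carries no extendedKeyUsage extension at all reports both roles, because nothing in it restricts the usage.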
