On Friday, 20 October 2017 17:30:49 CEST Oliver Hoffmann wrote:
> Hi list,
> 
> I tried to set up TLS for a while now. I am still clueless.
> 
> I have
> 
> Ubuntu 16.04.3 LTS server
> Ubuntu 14.04.5 LTS client
> bareos-dir Version: 16.2.4 and 17.2.3
> 
> I set up a CA with those scripts coming with Ubuntu.
> 
> export OPENSSL_CONF=/root/myCA/openssl.cnf
> /usr/lib/ssl/misc/CA.pl -newca
> 
> In openssl.conf I changed countryName, commonName and so on accordingly.
> Rest is more or less default. keyUsage = nonRepudiation, digitalSignature,
> keyEncipherment. I tried other usages as well. digitalSignature,
> nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
> keyCertSign, cRLSign, encipherOnly, decipherOnly, clientAuth
> 
> Then I used a different client.cnf for the certs and keys. In that the
> commonName is the FQDN of the client and keyUsage = digitalSignature,
> nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
> keyCertSign, cRLSign, encipherOnly, decipherOnly
> 
> export OPENSSL_CONF=/root/myCA/client.cnf
> /usr/lib/ssl/misc/CA.pl -newreq
> 
> But not for signing
> 
> export OPENSSL_CONF=/root/myCA/openssl.cnf
> /usr/lib/ssl/misc/CA.pl -sign
> 
> cat newkey.pem newcert.pem > test-bareos-server.pem
> 
> Removed the password
> 
> openssl rsa -in test-bareos-server.pem -out test-bareos-server.pem
> 
> So now I got a pem file for the server itself and a root certificate.
> 
> I put this in all the configuration files involved:
> 
>  TLS Certificate = /etc/bareos/certs/test-bareos-server.pem
>  TLS Key = /etc/bareos/certs/test-bareos-server.pem
>  TLS CA Certificate File = /etc/bareos/certs/cacert.pem
>  TLS Enable = yes
>  TLS Require = no
>  TLS Verify Peer = no
> 
> I repeated the above requesting and signing for a "real" client and again
> the TLS options in fd.conf. Now with client.pem of course.
> 
> That didn't work. I did the whole CA, req, sign again by hand so to say.
> 
> Setting up CA
> mkdir /root/myCA
> Change of IP, FQDN of the server
> nano openssl.cnf
> export OPENSSL_CONF=/root/myCA/caconfig.cnf
> openssl genrsa -out rootCA.key 2048
> openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
> 
> Next a client with its IP and FQDN in caconfig.cnf.
> 
> openssl req -newkey rsa:4096 -subj /<IP> -config <(cat ~/myCA/caconfig.cnf) -nodes -keyout client.key -out client.csr
> 
> openssl x509 -req -in client.csr -CA newroot.pem -CAkey ~/myCA/private/cakey.pem -CAcreateserial -out client.crt -days 3650
> 
> I put them together into one pem and copied it to the client. Still nothing. I
> even tried tinyCA and Xca.
> 
> The errors are:
> 
> client (started with debug level of 200)
> authenticate.c:74-0 Unable to authenticate Director test-bareos-dir.
> 
> Server
> 19-Oct 17:15 test-bareos-dir JobId 0: Fatal error: Unable to authenticate
> with File daemon at "client-fd:9102". Possible causes: Passwords or names
> not the same or
> TLS negotiation failed or
> Maximum Concurrent Jobs exceeded on the FD or
> FD networking messed up (restart daemon).
> 
> Whatever I do I always end up with these errors. Daemons are running, telnet
> or running jobs without TLS all OK.
> 
> Anyone using TLS and has some hints?
> 
> Thank you,
> 
> Oliver

Hi Oliver, you didn't specify where your bareos client comes from.
If it does not come from bareos.org, there is a chance that it was built against
GnuTLS and will probably have trouble.
Encryption is supported when bareos is built against OpenSSL.


-- 

Bruno Friedmann 
 Ioda-Net Sàrl www.ioda-net.ch
 Bareos Partner, openSUSE Member, fsfe fellowship
 GPG KEY : D5C9B751C4653227
 irc: tigerfoot

openSUSE Tumbleweed
Linux 4.13.6-1-default x86_64 GNU/Linux, nvidia: 384.90
Qt: 5.9.1, KDE Frameworks: 5.38.0, Plasma: 5.11.0, kmail2 5.6.1
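The CA and certificate procedure in the quoted question, redone as an added example; this is not code from the original post or from the Bareos project. The directory (./myCA), CA name, host names and the daemon binary path are constructed assumptions. Two things in the quoted procedure are worth knowing before reusing it: `openssl rsa -in file -out file` writes only the RSA key, so running it on a key+certificate file throws the certificate away (strip the passphrase first, or generate with `-nodes` as below, then concatenate); and `-subj` takes components such as `/CN=host`, a bare `/<IP>` is not a subject. Because a Bareos director connects to file and storage daemons and is itself connected to by bconsole, a daemon certificate is validated as a server certificate in one direction and as a client certificate in the other, so the end-entity certificates below carry both `serverAuth` and `clientAuth`, while the CA certificate gets only `keyCertSign`/`cRLSign` instead of the long keyUsage list from the question. The check functions cover what a practitioner would confirm before editing the daemon configuration, including the build question raised in the reply.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Bareos project:
# a minimal OpenSSL CA plus one combined key+certificate PEM per daemon host,
# with extensions suited to how Bareos daemons connect, and checks to run
# before touching the daemon configuration.
# Directory, CA name, host names and binary path are constructed assumptions.
set -eu

# Build the CA and one end-entity certificate per FQDN given after the CA name.
#   make_bareos_pki DIR CA_NAME FQDN [FQDN...]
make_bareos_pki() {
    dir=$1; ca_cn=$2; shift 2
    mkdir -p "$dir"
    cnf="$dir/openssl.cnf"
    # openssl req needs a distinguished_name section even when -subj is used;
    # v3_ca holds the CA extensions (signing only, no TLS usages).
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA; -nodes leaves the key unencrypted (daemons start unattended).
    openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days 3650 \
        -config "$cnf" -extensions v3_ca -subj "/CN=$ca_cn" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem"
    chmod 600 "$dir/cakey.pem"

    for fqdn in "$@"; do
        # Per-daemon extension file: the same certificate is checked as a
        # server cert by whoever connects in and as a client cert by whoever
        # it connects out to, hence both EKUs. CN and SAN are the FQDN.
        cat > "$dir/$fqdn.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$fqdn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
        openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$cnf" \
            -subj "/CN=$fqdn" -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr"
        openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/cacert.pem" \
            -CAkey "$dir/cakey.pem" -CAcreateserial -days 730 -sha256 \
            -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt"
        # One file for both "TLS Certificate" and "TLS Key": key first, then cert.
        cat "$dir/$fqdn.key" "$dir/$fqdn.crt" > "$dir/$fqdn.pem"
        chmod 600 "$dir/$fqdn.key" "$dir/$fqdn.pem"
    done
}

# Chain check in both TLS roles, as each side of the connection will perform.
verify_daemon_cert() {   # verify_daemon_cert CACERT CERT
    for purpose in sslserver sslclient; do
        openssl verify -CAfile "$1" -purpose "$purpose" "$2" 2>/dev/null \
            | grep -q ': OK$' || return 1
    done
}

# The combined PEM must yield the same public key from its key and its cert.
key_matches_cert() {     # key_matches_cert COMBINED_PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Both extended key usages present on the certificate?
cert_has_both_eku() {    # cert_has_both_eku CERT
    t=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$t" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$t" | grep -q 'TLS Web Client Authentication'
}

# Is the daemon binary linked against OpenSSL (libssl) rather than GnuTLS?
# Linux only; ldd and the binary path are assumptions.
daemon_links_openssl() { # daemon_links_openssl /usr/sbin/bareos-fd
    ldd "$1" 2>/dev/null | grep -q 'libssl'
}

if [ "${BAREOS_PKI_DEMO:-}" = 1 ]; then
    make_bareos_pki ./myCA "Demo Bareos CA" test-bareos-dir.example.org client.example.org
    verify_daemon_cert ./myCA/cacert.pem ./myCA/client.example.org.crt
    key_matches_cert ./myCA/client.example.org.pem
    cert_has_both_eku ./myCA/client.example.org.crt
    echo "PKI in ./myCA checks out"
fi
```

Run it with `BAREOS_PKI_DEMO=1 sh bareos-pki.sh` to get ./myCA/cacert.pem plus one `<fqdn>.pem` per host; those are the files to put behind the `TLS CA Certificate File`, `TLS Certificate` and `TLS Key` options shown in the question, the last two pointing at the same combined file. `daemon_links_openssl /usr/sbin/bareos-fd` (path assumed) answers the build question from the reply: if it prints nothing, the daemon is not linked against libssl.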

-- 
You received this message because you are subscribed to the Google Groups 
"bareos-users" group.
