On Friday, October 20, 2017 at 5:30:49 PM UTC+2, Oliver Hoffmann wrote:
> Hi list,
>
> I have been trying to set up TLS for a while now. I am still clueless.
>
> I have
>
> Ubuntu 16.04.3 LTS server
> Ubuntu 14.04.5 LTS client
> bareos-dir Version: 16.2.4 and 17.2.3
>
> I set up a CA with the scripts that come with Ubuntu.
>
> export OPENSSL_CONF=/root/myCA/openssl.cnf
> /usr/lib/ssl/misc/CA.pl -newca
>
> In openssl.conf I changed countryName, commonName and so on accordingly. The rest is more or less default. keyUsage = nonRepudiation, digitalSignature, keyEncipherment. I tried other usages as well: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly, clientAuth
>
> Then I used a different client.cnf for the certs and keys. In that one the commonName is the FQDN of the client and keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
>
> export OPENSSL_CONF=/root/myCA/client.cnf
> /usr/lib/ssl/misc/CA.pl -newreq
>
> But not for signing:
>
> export OPENSSL_CONF=/root/myCA/openssl.cnf
> /usr/lib/ssl/misc/CA.pl -sign
>
> cat newkey.pem newcert.pem > test-bareos-server.pem
>
> Removed the password:
>
> openssl rsa -in test-bareos-server.pem -out test-bareos-server.pem
>
> So now I have a pem file for the server itself and a root certificate.
>
> I put this in all the configuration files involved:
>
> TLS Certificate = /etc/bareos/certs/test-bareos-server.pem
> TLS Key = /etc/bareos/certs/test-bareos-server.pem
> TLS CA Certificate File = /etc/bareos/certs/cacert.pem
> TLS Enable = yes
> TLS Require = no
> TLS Verify Peer = no
>
> I repeated the above requesting and signing for a "real" client, and again the TLS options in fd.conf, now with client.pem of course.
>
> That didn't work. I did the whole CA, req, sign again by hand, so to speak.
>
> Setting up CA
> mkdir /root/myCA
> Change of IP, FQDN of the server
> nano openssl.cnf
> export OPENSSL_CONF=/root/myCA/caconfig.cnf
> openssl genrsa -out rootCA.key 2048
> openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
>
> Next a client with its IP and FQDN in caconfig.cnf.
>
> openssl req -newkey rsa:4096 -subj /<IP> -config <(cat ~/myCA/caconfig.cnf) -nodes -keyout client.key -out client.csr
>
> openssl x509 -req -in client.csr -CA newroot.pem -CAkey ~/myCA/private/cakey.pem -CAcreateserial -out client.crt -days 3650
>
> I put them together into one pem and copied it to the client. Still nothing. I even tried TinyCA and XCA.
>
> The errors are:
>
> client (started with debug level 200)
> authenticate.c:74-0 Unable to authenticate Director test-bareos-dir.
>
> Server
> 19-Oct 17:15 test-bareos-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "client-fd:9102". Possible causes:
> Passwords or names not the same or
> TLS negotiation failed or
> Maximum Concurrent Jobs exceeded on the FD or
> FD networking messed up (restart daemon).
>
> Whatever I do, I always end up with these errors. Daemons are running; telnet or running jobs without TLS are all OK.
>
> Is anyone using TLS and has some hints?
>
> Thank you,
>
> Oliver
Hi Bruno,

on the client I added the following to sources.list:

deb http://download.bareos.org/bareos/release/17.2/xUbuntu_14.04/

and on the server:

deb http://download.bareos.org/bareos/release/17.2/xUbuntu_16.04/ /

So the Ubuntu versions are different, but not the bareos ones.

Regards,

Oliver
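The procedure quoted above (a CA built with the openssl tools, one signed daemon certificate, key and certificate concatenated into a single .pem that is used for both "TLS Certificate" and "TLS Key"), as an added example that is not code from the thread or from the bareos project. It produces the same file layout the thread uses and then runs the three checks worth doing before touching any daemon config: that the CA certificate and CA key passed to -CA/-CAkey belong together, that the combined file still contains both a private key and a certificate and that the two match, and that the certificate verifies against the CA for both the TLS server and TLS client purposes. The CA name, the FQDN, the temp directories and the choice of serverAuth plus clientAuth for every daemon are assumptions; only the openssl CLI is required.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the bareos project: build a
# throwaway CA, issue one daemon certificate as a combined key+cert file, and
# check the pieces belong together before pointing "TLS Certificate",
# "TLS Key" and "TLS CA Certificate File" at them. Extensions come from
# config files rather than -addext so this also runs on OpenSSL 1.0.2
# (Ubuntu 16.04). All names and paths are made up.
set -eu

# make_ca DIR: self-signed CA whose certificate is limited to signing.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Test Bareos CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# issue_cert DIR NAME FQDN: end-entity certificate for one daemon, stored as
# DIR/NAME.pem holding private key + certificate so one file can serve as
# both "TLS Key" and "TLS Certificate". Leaf extensions: no keyCertSign,
# both TLS roles in extendedKeyUsage (assumption: a daemon may be either
# side of a connection), and the FQDN as subjectAltName.
issue_cert() {
  dir="$1"; name="$2"; fqdn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/openssl.cnf" -subj "/CN=$fqdn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$fqdn
EOF
  # -CA and -CAkey must be the certificate and key of the same CA.
  openssl x509 -req -in "$dir/$name.csr" -days 365 -sha256 \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
  chmod 600 "$dir/$name.pem"
}

# Public key of the first certificate / first private key found in FILE.
cert_pubkey() { openssl x509 -noout -pubkey -in "$1" 2>/dev/null; }
key_pubkey()  { openssl pkey -pubout -in "$1" 2>/dev/null; }

# check_ca DIR: the CA certificate and CA private key belong together.
check_ca() {
  [ "$(cert_pubkey "$1/cacert.pem")" = "$(key_pubkey "$1/cakey.pem")" ]
}

# check_pem CAFILE PEM: PEM contains a key and a certificate that match each
# other, and the certificate chains to CAFILE and passes the TLS server and
# TLS client purpose checks. Returns 0 only if all of that holds.
check_pem() {
  cafile="$1"; pem="$2"
  cert=$(cert_pubkey "$pem"); key=$(key_pubkey "$pem")
  [ -n "$cert" ] && [ "$cert" = "$key" ] || return 1
  for purpose in sslserver sslclient; do
    openssl x509 -in "$pem" 2>/dev/null \
      | openssl verify -CAfile "$cafile" -purpose "$purpose" >/dev/null 2>&1 \
      || return 1
  done
}

# demo: generate everything in a temp directory and run the checks.
demo() {
  work=$(mktemp -d)
  make_ca "$work/myCA"
  issue_cert "$work/myCA" test-bareos-server test-bareos-server.example.org
  check_ca "$work/myCA"
  check_pem "$work/myCA/cacert.pem" "$work/myCA/test-bareos-server.pem"
  echo "test-bareos-server.pem: key matches cert, chains to CA, usable for TLS"
  rm -rf "$work"
}
demo
```

Run it as-is: it prints one line on success and, because of `set -e`, stops with a non-zero exit at the first failing step. The key/certificate comparison in `check_pem` is there for the combined-file case specifically: `openssl rsa -in f -out f` on such a file writes back only the key, so a later passphrase-stripping step silently leaves a file with no certificate in it, which the comparison reports immediately instead of surfacing as a generic authentication failure between the daemons.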
