On Monday, 23 October 2017 14:19:22 CEST Oliver Hoffmann wrote:
> On Friday, October 20, 2017 at 5:30:49 PM UTC+2, Oliver Hoffmann wrote:
> > Hi list,
> >
> > I tried to set up TLS for a while now. I am still clueless.
> >
> > I have
> >
> > Ubuntu 16.04.3 LTS server
> > Ubuntu 14.04.5 LTS client
> > bareos-dir Version: 16.2.4 and 17.2.3
> >
> > I set up a CA with those scripts coming with Ubuntu.
> >
> > export OPENSSL_CONF=/root/myCA/openssl.cnf
> > /usr/lib/ssl/misc/CA.pl -newca
> >
> > In openssl.conf I changed countryName, commonName and so on accordingly.
> > Rest is more or less default. keyUsage = nonRepudiation,
> > digitalSignature, keyEncipherment. I tried other usages as well.
> > digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment,
> > keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly,
> > clientAuth
> >
> > Then I used a different client.cnf for the certs and keys. In that the
> > commonName is the FQDN of the client and keyUsage = digitalSignature,
> > nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
> > keyCertSign, cRLSign, encipherOnly, decipherOnly
> >
> > export OPENSSL_CONF=/root/myCA/client.cnf
> > /usr/lib/ssl/misc/CA.pl -newreq
> >
> > But not for signing
> >
> > export OPENSSL_CONF=/root/myCA/openssl.cnf
> > /usr/lib/ssl/misc/CA.pl -sign
> >
> > cat newkey.pem newcert.pem > test-bareos-server.pem
> >
> > Removed the password
> >
> > openssl rsa -in test-bareos-server.pem -out test-bareos-server.pem
> >
> > So now I got a pem file for the server itself and a root certificate.
> >
> > I put this in all the configuration files involved:
> > TLS Certificate = /etc/bareos/certs/test-bareos-server.pem
> > TLS Key = /etc/bareos/certs/test-bareos-server.pem
> > TLS CA Certificate File = /etc/bareos/certs/cacert.pem
> > TLS Enable = yes
> > TLS Require = no
> > TLS Verify Peer = no
> >
> > I repeated the above requesting and signing for a "real" client and again
> > the TLS options in fd.conf. Now with client.pem of course.
> >
> > That didn't work. I did the whole CA, req, sign again by hand so to say.
> >
> > Setting up CA
> > mkdir /root/myCA
> > Change of IP, FQDN of the server
> > nano openssl.cnf
> > export OPENSSL_CONF=/root/myCA/caconfig.cnf
> > openssl genrsa -out rootCA.key 2048
> > openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
> >
> > Next a client with its IP and FQDN in caconfig.cnf.
> >
> > openssl req -newkey rsa:4096 -subj /<IP> -config <(cat ~/myCA/caconfig.cnf) -nodes -keyout client.key -out client.csr
> >
> > openssl x509 -req -in client.csr -CA newroot.pem -CAkey ~/myCA/private/cakey.pem -CAcreateserial -out client.crt -days 3650
> >
> > I put them together to one pem and copied it on the client. Still nothing.
> > I even tried tinyCA and Xca.
> >
> > The errors are:
> >
> > client (started with debug level of 200)
> > authenticate.c:74-0 Unable to authenticate Director test-bareos-dir.
> >
> > Server
> > 19-Oct 17:15 test-bareos-dir JobId 0: Fatal error: Unable to authenticate
> > with File daemon at "client-fd:9102". Possible causes: Passwords or names
> > not the same or
> > TLS negotiation failed or
> > Maximum Concurrent Jobs exceeded on the FD or
> > FD networking messed up (restart daemon).
> >
> > Whatever I do I always end up with these errors. Daemons are running,
> > telnet or running jobs without TLS all OK.
> >
> > Anyone using TLS and has some hints?
> >
> > Thank you,
> >
> > Oliver
>
> Hi Bruno,
>
> on the client I added the following to sources.list:
> deb http://download.bareos.org/bareos/release/17.2/xUbuntu_14.04/
> and on the server:
> deb http://download.bareos.org/bareos/release/17.2/xUbuntu_16.04/ /
>
> Thus Ubuntu versions are different though but not the bareos ones.
>
> Regards,
>
> Oliver
Excellent first step :-)

Now you have to check twice the certificates used and how they've been generated.
Have a look at the documentation; in some parts you need a server certificate and in others a client one.

I'm too lazy to split strict roles when I'm doing this kind of setup, so all my generated certs are valid for server and client role. That eases my life for sure. What about yours?

--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
openSUSE Tumbleweed Linux 4.13.6-1-default x86_64 GNU/Linux, nvidia: 384.90
Qt: 5.9.1, KDE Frameworks: 5.38.0, Plasma: 5.11.0, kmail2 5.6.1
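As an added example (not from the thread, and not Bareos project code), the POSIX shell script below builds a private CA and one certificate that carries both the serverAuth and clientAuth extended key usages, the "valid for server and client role" setup Bruno describes, and then checks the chain and the key usages with openssl so the certificate can be inspected before it is dropped into the daemon configs. The CA name /CN=bareos-ca, the FQDN argument, and the output paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example: private CA + one dual-role (serverAuth, clientAuth) certificate,
# so the same PEM works as TLS Certificate / TLS Key on any Bareos daemon.
# /CN=bareos-ca, the FQDN argument and the output paths are demo assumptions.
set -eu

make_dual_role_cert() {
    dir="$1"   # output directory, created if missing
    fqdn="$2"  # commonName and DNS SAN of the daemon
    mkdir -p "$dir"
    # Minimal req config so the commands do not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    # CA: key + CSR, then self-sign with CA:TRUE and keyCertSign
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=bareos-ca" \
        -keyout "$dir/cakey.pem" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" -sha256 -days 1024 \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null
    # Leaf: explicitly NOT a CA, and valid for both TLS server and TLS client roles
    cat > "$dir/leaf.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -sha256 -days 3650 -extfile "$dir/leaf.ext" -out "$dir/$fqdn.crt" 2>/dev/null
    # One PEM holding key and cert, as the thread's TLS Key / TLS Certificate settings use
    cat "$dir/$fqdn.key" "$dir/$fqdn.crt" > "$dir/$fqdn.pem"
}

# Extended key usages of a certificate on one line, e.g.
# "TLS Web Server Authentication, TLS Web Client Authentication"
cert_ekus() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Chain check against the CA file; prints "OK" when the leaf verifies
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>&1 | awk -F': ' '{ print $NF }'
}
```

Run `cert_ekus` against each daemon's certificate: if a certificate used on the Director side lacks "TLS Web Client Authentication", or one used on the FD side lacks "TLS Web Server Authentication", a peer that verifies extended key usage will reject it.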
