Your config and SSL are okay (the alert number 40 is just because the servername has not been specified)
Sorry, but I forgot to ask: Are your Client and your Director two different machines? If so, you don't need to install the Storage Daemon on the Client machine, since the SD is actually required to write Backups to storage devices, so it only needs to be connected to your Director (and your storage devices must also be connected to your Director). Only the File Daemon need to be installed on your Client side because he's like the Director's messenger who will be responsible for starting a backup/restore job in a given SD device and compress/encrypt your data. Unless you want to customize your configuration to further secure the communication (or not, by disabling TLS) between your Director and Client(*) by adding specific TLS certificates and keys, Bareos already automatically uses and configures TLS for network transport (*TLS Enable* directive is enabled by default), so there should be no such error. (*)*this config will be written in Director side in /etc/bareos/bareos-dir.d/client/ and not in Client Machine's.* On Tuesday, 8 September 2020 at 09:31:41 UTC+2 Yves wrote: > Hi Mohamed > > > > Thank you for your reply and picking up this question. > > > > This is the output of *journalctl -xe*: > > > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Listening on GnuPG > cryptographic agent and passphrase cache (restricted). > > -- Subject: Unit UNIT has finished start-up > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- Unit UNIT has finished starting up. > > -- > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Sockets. > > -- Subject: Unit UNIT has finished start-up > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- Unit UNIT has finished starting up. > > -- > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Basic System. > > -- Subject: Unit UNIT has finished start-up > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- Unit UNIT has finished starting up. > > -- > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[1]: Started User Manager for UID 0. > > -- Subject: Unit [email protected] has finished start-up > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- Unit [email protected] has finished starting up. > > -- > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Default. > > -- Subject: Unit UNIT has finished start-up > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- Unit UNIT has finished starting up. > > -- > > -- The start-up result is RESULT. > > Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Startup finished in 49ms. > > -- Subject: User manager start-up is now complete > > -- Defined-By: systemd > > -- Support: http://www.ubuntu.com/support > > -- > > -- The user manager instance for user 0 has been started. All services > queued > > -- for starting have been started. Note that other services might still be > starting > > -- up or be started at any later time. > > -- > > -- Startup of the manager took 49056 microseconds. > > Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Received disconnect from > xx.xx.xx.xx port 40624:11: Bye Bye [preauth] > > Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Disconnected from > authenticating user root xx.xx.xx.xx port 40624 [preauth] > > > > This is the content of the director daemon config: > > > > root@bareos:/etc/bareos/bareos-dir.d/director# cat bareos-dir.conf > > Director { # define myself > > Name = bareos-dir > > QueryFile = "/usr/lib/bareos/scripts/query.sql" > > Maximum Concurrent Jobs = 10 > > Password = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # Console > password > > Messages = Daemon > > Auditing = yes > > > > # Enable the Heartbeat if you experience connection losses > > # (eg. because of your router or firewall configuration). > > # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd. > > # > > # Heartbeat Interval = 1 min > > > > # remove comment in next line to load dynamic backends from specified > directory > > # Backend Directory = /usr/lib/bareos/backends > > > > # remove comment from "Plugin Directory" to load plugins from specified > directory. > > # if "Plugin Names" is defined, only the specified plugins will be > loaded, > > # otherwise all director plugins (*-dir.so) from the "Plugin Directory". > > # > > # Plugin Directory = "/usr/lib/bareos/plugins" > > # Plugin Names = "" > > } > > > > This is the content of the SD config: > > > > root@bareos:/etc/bareos/bareos-sd.d/storage# cat bareos-sd.conf > > Storage { > > Name = bareos-sd > > Maximum Concurrent Jobs = 20 > > > > # remove comment from "Plugin Directory" to load plugins from specified > directory. > > # if "Plugin Names" is defined, only the specified plugins will be > loaded, > > # otherwise all storage plugins (*-sd.so) from the "Plugin Directory". > > # > > # Plugin Directory = "/usr/lib/bareos/plugins" > > # Plugin Names = "" > > } > > > > The output of the *openssl*-command: > > > > # openssl s_client -connect XXXXXXXXXXXXX:9102 -state -nbio > > CONNECTED(00000005) > > Turned on non blocking io > > SSL_connect:before SSL initialization > > SSL_connect:SSLv3/TLS write client hello > > SSL_connect:error in SSLv3/TLS write client hello > > write R BLOCK > > SSL3 alert read:fatal:handshake failure > > SSL_connect:error in error > > 140619502105024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert > handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40 > > --- > > no peer certificate available > > --- > > No client certificate CA names sent > > --- > > SSL handshake has read 7 bytes and written 328 bytes > > Verification: OK > > --- > > New, (NONE), Cipher is (NONE) > > Secure Renegotiation IS NOT supported > > Compression: NONE > > Expansion: NONE > > No ALPN negotiated > > Early data was not sent > > Verify return code: 0 (ok) > > --- > > > > Can you specify which log files in particular you are interested in? > > > > Regards > > Yves > > > > > > *From: *"[email protected]" <[email protected]> on > behalf of "[email protected]" <[email protected]> > *Date: *Tuesday, 8 September 2020 at 09:11 > *To: *bareos-users <[email protected]> > *Subject: *[bareos-users] Re: TLS Negotiation failed > > > > Hi Yves, > > > > Could you please share more details like *journalctl -xe, * your log > files, and eventually your Director and Storage Daemon config? > > > > You can also start by debugging/verifying your SSL connection: > > *$ openssl s_client -connect [client-fqdn/ip]:9102 -state -nbio* > > > > Cheers > Mohamed > > On Monday, 7 September 2020 at 09:34:11 UTC+2 Yves wrote: > > Dear reader > > > > Server version: 19.2.7-2 > > Client version: 19.2.7-2 > > > > Output of *journalctl status bareos-sd* on the client: > > *Connect failure: ERR=error:1417A0C1:SSL > routines:tls_post_process_client_hello:no shared cipher* > > *lib/bnet.cc:124 TLS Negotiation failed.* > > *Connect failure: ERR=error:1408F09C:SSL routines:ssl3_get_record:http > request* > > *lib/bnet.cc:124 TLS Negotiation failed.* > > *Connect failure: ERR=error:1408F10B:SSL routines:ssl3_get_record:wrong > version number* > > *lib/bnet.cc:124 TLS Negotiation failed.* > > Similar output on the server and backups are running fine. > > Server and client are running Ubuntu 18.04.4 on VMs. > > regards > > Yves > > -- > You received this message because you are subscribed to a topic in the > Google Groups "bareos-users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/bareos-users/bJKm0XOqHL8/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/bareos-users/311d9573-c8c0-4077-b0b2-fce352cc69ban%40googlegroups.com > > <https://groups.google.com/d/msgid/bareos-users/311d9573-c8c0-4077-b0b2-fce352cc69ban%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > -- You received this message because you are subscribed to the Google Groups "bareos-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/ee6b671d-afb5-47d6-92f4-01b54b6a293cn%40googlegroups.com.
