Hi Mohamed

Yes, the client and the director in the example that was given are two different machines. I just checked the client and the only service (related to backup) that is running is the file daemon.

# systemctl status bareos-fd
● bareos-filedaemon.service - Bareos File Daemon service
   Loaded: loaded (/lib/systemd/system/bareos-filedaemon.service; enabled; vendor preset: enabled)

And yes, your reference to SD has been “translated” to Storage Daemon … 😊

Regards
Yves

From: Mohamed Rouissi <[email protected]>
Date: Tuesday, 8 September 2020 at 12:35
To: Yves De Ceuleners <[email protected]>
Subject: Re: [bareos-users] Re: TLS Negotiation failed

Your config and SSL are okay (the alert number 40 is just because the servername has not been specified)

Sorry, but I forgot to ask: Are your Client and your Director two different machines?

If so, you don't need to install the Storage Daemon on the Client machine, since the SD is actually required to write Backups to storage devices, so it only needs to be connected to your Director (and your storage devices must also be connected to your Director).

Only the File Daemon needs to be installed on your Client side because he's like the Director's messenger who will be responsible for starting a backup/restore job in a given SD device and compress/encrypt your data.

Unless you want to customize your configuration to further secure the communication (or not, by disabling TLS) between your Director and Client(*) by adding specific TLS certificates and keys, Bareos already automatically uses and configures TLS for network transport (TLS Enable directive is enabled by default), so there should be no such error.

(*) This config will be written in Director side in /etc/bareos/bareos-dir.d/client/ and not in Client Machine's.

On Tue, 8 Sep 2020 at 09:31, Yves De Ceuleners <[email protected]> wrote:

Hi Mohamed

Thank you for your reply and picking up this question.

This is the output of journalctl -xe:

-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Sockets.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Basic System.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[1]: Started User Manager for UID 0.
-- Subject: Unit [email protected] has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit [email protected] has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Reached target Default.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Sep 08 09:18:39 bareos.xxxxxx systemd[28267]: Startup finished in 49ms.
-- Subject: User manager start-up is now complete
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The user manager instance for user 0 has been started. All services queued
-- for starting have been started. Note that other services might still be starting
-- up or be started at any later time.
--
-- Startup of the manager took 49056 microseconds.
Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Received disconnect from xx.xx.xx.xx port 40624:11: Bye Bye [preauth]
Sep 08 09:19:17 bareos.xxxxxx sshd[28422]: Disconnected from authenticating user root xx.xx.xx.xx port 40624 [preauth]

This is the content of the director daemon config:

root@bareos:/etc/bareos/bareos-dir.d/director# cat bareos-dir.conf
Director {                            # define myself
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 10
  Password = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"         # Console password
  Messages = Daemon
  Auditing = yes

  # Enable the Heartbeat if you experience connection losses
  # (eg. because of your router or firewall configuration).
  # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd.
  #
  # Heartbeat Interval = 1 min

  # remove comment in next line to load dynamic backends from specified directory
  # Backend Directory = /usr/lib/bareos/backends

  # remove comment from "Plugin Directory" to load plugins from specified directory.
  # if "Plugin Names" is defined, only the specified plugins will be loaded,
  # otherwise all director plugins (*-dir.so) from the "Plugin Directory".
  #
  # Plugin Directory = "/usr/lib/bareos/plugins"
  # Plugin Names = ""
}

This is the content of the SD config:

root@bareos:/etc/bareos/bareos-sd.d/storage# cat bareos-sd.conf
Storage {
  Name = bareos-sd
  Maximum Concurrent Jobs = 20

  # remove comment from "Plugin Directory" to load plugins from specified directory.
  # if "Plugin Names" is defined, only the specified plugins will be loaded,
  # otherwise all storage plugins (*-sd.so) from the "Plugin Directory".
  #
  # Plugin Directory = "/usr/lib/bareos/plugins"
  # Plugin Names = ""
}

The output of the openssl-command:

# openssl s_client -connect XXXXXXXXXXXXX:9102 -state -nbio
CONNECTED(00000005)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
140619502105024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Can you specify which log files in particular you are interested in?

Regards
Yves

From: "[email protected]" <[email protected]> on behalf of "[email protected]" <[email protected]>
Date: Tuesday, 8 September 2020 at 09:11
To: bareos-users <[email protected]>
Subject: [bareos-users] Re: TLS Negotiation failed

Hi Yves,

Could you please share more details like journalctl -xe, your log files, and eventually your Director and Storage Daemon config?

You can also start by debugging/verifying your SSL connection:

$ openssl s_client -connect [client-fqdn/ip]:9102 -state -nbio

Cheers
Mohamed

On Monday, 7 September 2020 at 09:34:11 UTC+2 Yves wrote:

Dear reader

Server version: 19.2.7-2
Client version: 19.2.7-2

Output of journalctl status bareos-sd on the client:

Connect failure: ERR=error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
lib/bnet.cc:124 TLS Negotiation failed.
Connect failure: ERR=error:1408F09C:SSL routines:ssl3_get_record:http request
lib/bnet.cc:124 TLS Negotiation failed.
Connect failure: ERR=error:1408F10B:SSL routines:ssl3_get_record:wrong version number
lib/bnet.cc:124 TLS Negotiation failed.

Similar output on the server and backups are running fine.

Server and client are running Ubuntu 18.04.4 on VMs.

regards
Yves

--
You received this message because you are subscribed to a topic in the Google Groups "bareos-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bareos-users/bJKm0XOqHL8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/311d9573-c8c0-4077-b0b2-fce352cc69ban%40googlegroups.com.
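
Added example, not part of the thread and not Bareos code: a small triage helper that decodes the hexadecimal OpenSSL error codes quoted above and separates errors raised by the local TLS stack from alerts sent by the peer. It assumes the OpenSSL 1.1.x code layout (8-bit library, 12-bit function, 12-bit reason); the function names and the one-line meanings are this example's own, based on general OpenSSL behaviour.

```python
import re

# Assumption: OpenSSL 1.1.x packing, code = lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts sent by the peer

# General OpenSSL meaning of the reasons quoted in the thread (not Bareos docs).
REASONS = {
    193: "no shared cipher: no suite in the client hello is accepted here",
    156: "http request: plaintext HTTP arrived on a port that expects TLS",
    267: "wrong version number: received bytes are not a supported TLS record",
}
ALERTS = {40: "handshake_failure"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(line):
    """Split the hex code of one OpenSSL error line into lib/func/reason."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason, "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # Raised by the remote end: locally we only learn the alert number.
        info["alert"] = reason - SSL_AD_REASON_OFFSET
        info["origin"] = "peer"
        info["meaning"] = ALERTS.get(info["alert"], "unknown alert")
    else:
        # Raised by the local TLS stack while processing what the peer sent.
        info["origin"] = "local"
        info["meaning"] = REASONS.get(reason, "unknown reason")
    return info


def triage(lines):
    """Decode every line that carries an OpenSSL error code, skip the rest."""
    return [d for d in map(decode, lines) if d is not None]


# Error strings as quoted in the thread above.
SAMPLES = [
    "ERR=error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher",
    "ERR=error:1408F09C:SSL routines:ssl3_get_record:http request",
    "ERR=error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
    "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",
]

if __name__ == "__main__":
    for line, info in zip(SAMPLES, triage(SAMPLES)):
        print(f"{info['origin']:5} {info['meaning']}  <- {line}")
```

The three daemon log entries decode as local errors, while the openssl s_client failure decodes as alert 40 received from the peer.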
