Really still using 17.2? ;-)

I will make a rough guess, because you didn't specify which platform you use, nor the whole certificate output:
openssl expired CA, component, algo?
A lot of things have changed since 2017.
Maybe time to refresh the stack.

On Tuesday, July 26, 2022 at 4:13:07 PM UTC+2 [email protected] wrote:

> We have a backup server with bareos installed. Recently I noticed that some of the clients are refused to back up.
>
> Looking into the logs I found a strange error reporting that the certificate is expired:
>
> 26-Jul 15:07 oc-dir JobId 81120: Start Backup JobId 81120, Job=cms-server.2022-07-26_15.06.58_06
> 26-Jul 15:07 oc-dir JobId 81120: Using Device "FileStorage.1" to write.
> 26-Jul 15:07 oc-dir JobId 81120: Error: tls_openssl.c:354 Error with certificate at depth: 0, issuer = /CN=Puppet CA: bareos-server, subject = /CN= cms-server, ERR=10:certificate has expired
> 26-Jul 15:07 oc-dir JobId 81120: Error: crypto_openssl.c:1559 Connect failure: ERR=error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: TLS negotiation failed.
> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: Unable to authenticate with File daemon at "cms-server:9102". Possible causes:
>   Passwords or names not the same or
>   TLS negotiation failed or
>   Maximum Concurrent Jobs exceeded on the FD or
>   FD networking messed up (restart daemon).
>   Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: bsock_tcp.c:591 Packet size too big from "Client: cms-server-fd:cms-server:9102. Terminating connection.
> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: No Job status returned from FD.
> 26-Jul 15:07 oc-dir JobId 81120: Error: Bareos oc-dir 17.2.4 (21Sep17):
>   Build OS: x86_64-redhat-linux-gnu redhat CentOS Linux release 7.4.1708 (Core
>
> (All hostnames above are changed)
>
> The problem is that the certificate actually is not expired. I have checked it on both the server and client sides:
>
> [root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.ca -noout -dates
> notBefore=Nov 2 12:19:15 2020 GMT
> notAfter=Oct 31 12:19:15 2030 GMT
> [root@ cms-server ~]#
> [root@cms-server ~]#
> [root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.crt -noout -dates
> notBefore=Jan 20 11:40:46 2021 GMT
> notAfter=Jan 20 11:40:46 2026 GMT
> [root@cms-server ~]#
> [root@cms-server ~]#
>
> And my configuration on the client:
>
> [root@cms-server bareos-fd.d]# cat client/cms-server-fd.conf
> FileDaemon {
>   Name = cms-server-fd
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/bareos/pki/bareos.ca
>   TLS Certificate = /etc/bareos/pki/bareos.crt
>   TLS Key = /etc/bareos/pki/bareos.key
>   Heartbeat Interval = 120
>   Maximum Concurrent Jobs = 20
> }
>
> [root@cms-server bareos-fd.d]# cat director/cms-server-fd-dir.conf
> Director {
>   Name = oc-dir
>   Password = "xxxxxxxxxxxxxxxxx"
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/bareos/pki/bareos.ca
>   TLS Certificate = /etc/bareos/pki/bareos.crt
>   TLS Key = /etc/bareos/pki/bareos.key
> }
>
> Director {
>   Name = cms-server-mon
>   Password = "xxxxxxxxxxxxxxxxx"
>   Monitor = yes
> }
>
> Can you suggest where to find the problem?
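Added example (not part of the thread and not Bareos code): a small parser for the `tls_openssl.c` verification errors quoted above. It records which daemon performed the check, which certificate in the chain failed (depth 0 is the peer's own certificate) and the issuer named in the log, so it can be compared with the CA file inspected with `openssl x509`. The function names and the JobId 81121 line are constructed for illustration; codes 9 and 10 are OpenSSL's X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

```python
import re
from collections import defaultdict

# Director job log: the JobId 81120 lines are quoted from the thread,
# the JobId 81121 line is constructed to show a CA-level failure.
SAMPLE_LOG = """\
26-Jul 15:07 oc-dir JobId 81120: Using Device "FileStorage.1" to write.
26-Jul 15:07 oc-dir JobId 81120: Error: tls_openssl.c:354 Error with certificate at depth: 0, issuer = /CN=Puppet CA: bareos-server, subject = /CN= cms-server, ERR=10:certificate has expired
26-Jul 15:07 oc-dir JobId 81120: Fatal error: TLS negotiation failed.
26-Jul 15:09 oc-dir JobId 81121: Error: tls_openssl.c:354 Error with certificate at depth: 1, issuer = /CN=Example CA, subject = /CN=Example CA, ERR=9:certificate is not yet valid
"""

# OpenSSL verify codes that depend on the verifier's clock.
TIME_ERRORS = {9: "not yet valid", 10: "expired"}

LINE_RE = re.compile(
    r"^\d{2}-\w{3} \d{2}:\d{2} (?P<daemon>\S+) JobId (?P<job>\d+): "
    r"Error: tls_openssl\.c:\d+ Error with certificate at depth: (?P<depth>\d+), "
    r"issuer = (?P<issuer>.+?), subject = (?P<subject>.+?), "
    r"ERR=(?P<code>\d+):(?P<text>.*)$"
)

def parse_tls_failures(log_text):
    """Return one dict per certificate verification error found in the log."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a certificate verification error
        depth, code = int(m["depth"]), int(m["code"])
        role = "peer (leaf) certificate" if depth == 0 else f"CA certificate, chain depth {depth}"
        failures.append({
            "job": int(m["job"]), "verifier": m["daemon"], "role": role,
            "subject": m["subject"].strip(), "issuer": m["issuer"].strip(),
            "time_related": code in TIME_ERRORS,
            "reason": TIME_ERRORS.get(code, m["text"]),
        })
    return failures

def by_issuer(failures):
    """Group failing subjects by issuing CA to spot one CA affecting many clients."""
    groups = defaultdict(set)
    for f in failures:
        groups[f["issuer"]].add(f["subject"])
    return {issuer: sorted(subjects) for issuer, subjects in groups.items()}

if __name__ == "__main__":
    for f in parse_tls_failures(SAMPLE_LOG):
        print(f"JobId {f['job']}: {f['verifier']} rejected {f['subject']} "
              f"({f['role']}): {f['reason']}; issuer {f['issuer']}")
```

Time-related results are evaluated against the clock of the daemon named in `verifier`, so that host's date and its copy of the CA file are the ones to check.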
