Hey Bruno, thanks! Yeah, it is pretty ancient, I agree. But there is no reason to upgrade this complicated and already well-working setup, since we are going to dispose of it, as well as all the on-premises infrastructure we have, in the next 6-9 months. Until then it'd be nice to have a proper backup and the existing solution, without putting much effort into it.
It is funny, but somehow it got fixed. First I generated a new self-signed CA cert/keypair, signed the client CSR/KEY/CRT, installed that on the client and updated the client configuration on the server side. It refused to accept these certificates. Then I reverted everything back and it magically started to work again. It is strange, since I restarted the servers on both sides multiple times before and it didn't help. Only playing with the certificates and then reverting everything back fixed the problem. :-)

On Wednesday, July 27, 2022 at 14:02:14 UTC+2, Bruno Friedmann wrote:
> Really still using 17.2 ? ;.-)
>
> I will make a rough guess, because you didn't specify which platform you
> use, nor the whole certificate output
> openssl expired CA, component, algo ?
>
> Lot of things have changed since 2017
> Maybe time to refresh the stack
> On Tuesday, July 26, 2022 at 4:13:07 PM UTC+2 [email protected] wrote:
>
>> We have a backup server with bareos installed. Recently I noticed that
>> some of the clients are refusing to back up.
>>
>> Looking into the logs I found a strange error reporting that the certificate
>> is expired:
>>
>> 26-Jul 15:07 oc-dir JobId 81120: Start Backup JobId 81120, Job=cms-server.2022-07-26_15.06.58_06
>> 26-Jul 15:07 oc-dir JobId 81120: Using Device "FileStorage.1" to write.
>> 26-Jul 15:07 oc-dir JobId 81120: Error: tls_openssl.c:354 Error with certificate at depth: 0, issuer = /CN=Puppet CA: bareos-server, subject = /CN= cms-server, ERR=10:certificate has expired
>> 26-Jul 15:07 oc-dir JobId 81120: Error: crypto_openssl.c:1559 Connect failure: ERR=error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
>> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: TLS negotiation failed.
>> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: Unable to authenticate with File daemon at "cms-server:9102".
>> Possible causes:
>> Passwords or names not the same or
>> TLS negotiation failed or
>> Maximum Concurrent Jobs exceeded on the FD or
>> FD networking messed up (restart daemon).
>> Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
>> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: bsock_tcp.c:591 Packet size too big from "Client: cms-server-fd:cms-server:9102. Terminating connection.
>> 26-Jul 15:07 oc-dir JobId 81120: Fatal error: No Job status returned from FD.
>> 26-Jul 15:07 oc-dir JobId 81120: Error: Bareos oc-dir 17.2.4 (21Sep17):
>> Build OS: x86_64-redhat-linux-gnu redhat CentOS Linux release 7.4.1708 (Core
>>
>> (All hostnames above are changed)
>>
>> The problem is that the certificate actually is not expired. I have checked it
>> on both the server and client sides:
>>
>> [root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.ca -noout -dates
>> notBefore=Nov 2 12:19:15 2020 GMT
>> notAfter=Oct 31 12:19:15 2030 GMT
>> [root@ cms-server ~]#
>> [root@cms-server ~]#
>> [root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.crt -noout -dates
>> notBefore=Jan 20 11:40:46 2021 GMT
>> notAfter=Jan 20 11:40:46 2026 GMT
>> [root@cms-server ~]#
>> [root@cms-server ~]#
>>
>> And my configuration on the client:
>>
>> [root@cms-server bareos-fd.d]# cat client/cms-server-fd.conf
>> FileDaemon {
>>   Name = cms-server-fd
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS Verify Peer = no
>>   TLS CA Certificate File = /etc/bareos/pki/bareos.ca
>>   TLS Certificate = /etc/bareos/pki/bareos.crt
>>   TLS Key = /etc/bareos/pki/bareos.key
>>   Heartbeat Interval = 120
>>   Maximum Concurrent Jobs = 20
>> }
>>
>> [root@cms-server bareos-fd.d]# cat director/cms-server-fd-dir.conf
>> Director {
>>   Name = oc-dir
>>   Password = "xxxxxxxxxxxxxxxxx"
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS Verify Peer = no
>>   TLS CA Certificate File = /etc/bareos/pki/bareos.ca
>>   TLS Certificate = /etc/bareos/pki/bareos.crt
>>   TLS Key = /etc/bareos/pki/bareos.key
>> }
>>
>> Director {
>>   Name = cms-server-mon
>>   Password = "xxxxxxxxxxxxxxxxx"
>>   Monitor = yes
>> }
>>
>> Can you suggest where to find the problem?
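The date check in the thread reads `notBefore`/`notAfter` from the two files, while `ERR=10` in the director log is OpenSSL's chain-verification result evaluated against a clock. The following is an added example, not part of the thread or of Bareos: it verifies a client certificate against its CA at an explicit time and reports the outcome in the same `ERR=`/depth terms as the log. The CA and client certificate are constructed test material, and `make_test_pki` and `verify_at` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: every certificate here is constructed test material.

# make_test_pki DIR: long-lived test CA plus a client cert valid for 1 day.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# verify_at CA CERT [EPOCH]: verify CERT against CA as of EPOCH (default: now).
# Prints "OK", or "ERR=<openssl verify code> depth=<n>" like the Bareos log.
verify_at() {
    ca=$1; crt=$2; at=${3:-$(date +%s)}
    out=$(openssl verify -attime "$at" -CAfile "$ca" "$crt" 2>&1) && rc=0 || rc=$?
    err=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/ERR=\1 depth=\2/p' |
        head -n 1)
    if [ -n "$err" ]; then
        echo "$err"
    elif [ "$rc" -eq 0 ]; then
        echo OK
    else
        echo "ERR=unknown"
    fi
}

# Demo: the same file pair, judged at two different times.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
now=$(date +%s)
echo "as of now:      $(verify_at "$demo_dir/ca.crt" "$demo_dir/client.crt" "$now")"
echo "two days later: $(verify_at "$demo_dir/ca.crt" "$demo_dir/client.crt" $((now + 172800)))"
rm -rf "$demo_dir"
```

On a real host, `verify_at` can be pointed at the `TLS CA Certificate File` and `TLS Certificate` paths from the daemon configuration, run on each side of the connection.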
