Hello, I am trying to solve this problem with csync2.
To keep it simple , I made a simple test from server master(Anuket 192.168.1.30) to sever slave (Atum 192.168.1.31). Eache server can be reached: From Anuket: root@Anuket:~# ping atum PING atum.local.net (192.168.1.31) 56(84) bytes of data. 64 bytes from atum.local.net (192.168.1.31): icmp_req=1 ttl=64 time=0.524 ms 64 bytes from atum.local.net (192.168.1.31): icmp_req=2 ttl=64 time=0.556 ms root@Anuket:~# cat /etc/hosts 127.0.0.1 anuket ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.1.30 anuket.local.net Anuket 192.168.1.31 atum.local.net Atum From Atum: root@Atum:~# ping anuket PING anuket.local.net (192.168.1.30) 56(84) bytes of data. 64 bytes from anuket.local.net (192.168.1.30): icmp_req=1 ttl=64 time=0.624 ms 64 bytes from anuket.local.net (192.168.1.30): icmp_req=2 ttl=64 time=0.499 ms root@Atum:~# cat /etc/hosts hosts hosts.allow hosts.deny root@Atum:~# cat /etc/hosts hosts hosts.allow hosts.deny root@Atum:~# cat /etc/hosts 127.0.0.1 atum ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.1.30 anuket.local.net Anuket 192.168.1.31 atum.local.net Atum Versions: root@Anuket:~# gnutls-cli -v gnutls-cli (GnuTLS) 2.12.20 Packaged by Debian (2.12.20-8+deb7u3) root@Anuket:~# csync2 -v csync2 2.0 - cluster synchronization tool, 2nd generation Copyright (C) 2004 - 2013 LINBIT Information Technologies GmbH The certification generated using the information from PAPER. from the directory where the source is: make cert The csync2 key was generated: csync2 -k /etc/csync2.key_mygroup And then transfered to node2 (Atum): scp csync2.key_mygroup root@192.168.1.31:/etc/csync2/csync2.key_mygroupscp csync2_ssl_cert.pem root@192.168.1.31:/etc/csync2/csync2_ssl_cert.pem Csync2 was compiled using SSL support: ./configure --prefix=/usr --sysconfdir=/etc/csync2 &&make Configuration os csync2.cfg the same file on both node (anuket and atum): root@Anuket:/etc/csync2# cat csync2.cfg # Csync2 Example Configuration File # --------------------------------- # # Please read the documentation: # http://oss.linbit.com/csync2/paper.pdf #nossl * *; #nossl *-sync *-sync; group mygroup { host (Anuket) Atum; # host host4@host4-eth2; # key /etc/csync2/csync2.key_mygroup; # # # # # WARNING: # # You CANNOT use paths containing a symlink # # component in include/exclude options! # # # # Here is a real-life example: # # Suppose you have some 64bit Linux systems # # and /usr/lib/ocf is what you want to keep # # in sync. On 64bit Linux systems, /usr/lib # # is usually a symlink to /usr/lib64. # # This does not work: # # include /usr/lib/ocf; # # But this does work: # # include /usr/lib64/ocf; # # # include /var/www; # include %homedir%/bob; # exclude %homedir%/bob/temp; # exclude *~ .*; # action { # pattern /etc/apache/httpd.conf; # pattern /etc/apache/sites-available/*; # exec "/usr/sbin/apache2ctl graceful"; logfile "/var/log/csync2_action.log"; # do-local; # # you can use do-local-only if the execution # # should be done locally only # # do-local-only; } # # # The backup-directory needs to be created first! # backup-directory /var/backups/csync2; # backup-generations 3; # auto younger; } # # prefix homedir # { # on host[12]: /export/users; # on *: /home; # } root@Anuket:/etc/csync2# Configuration of openssl.cfg: root@Anuket:/etc/ssl# cat openssl.cnf # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 # Policies used by the TSA examples. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = SP countryName_default = SP countryName_min = 2 countryName_max = 2 stateOrProvinceName = Barcelona BstateOrProvinceName_default = Barcelona localityName = Barcelona 0.organizationName = tecxred 0.organizationName_default = tecxred # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Departamentos de sistemas #organizationalUnitName_default = commonName = Anuket commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = 12345678 challengePassword_min = 4 challengePassword_max = 20 unstructuredName = tecxred [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo #################################################################### [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir = ./demoCA # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) root@Anuket:/etc/ssl# Rrunning in debug mode: Anuket: csync2 -xvvv Atum: csync2 -iivvv And this is the error: SQL Query finished. Don't check at all: /var/tmp Don't check at all: /var/swap Don't check at all: /var/spool Don't check at all: /var/run Don't check at all: /var/opt Don't check at all: /var/mail Don't check at all: /var/log Don't check at all: /var/lock Don't check at all: /var/local Don't check at all: /var/lib Don't check at all: /var/cache Don't check at all: /var/backups Don't check at all: /usr Don't check at all: /tmp Don't check at all: /sys Don't check at all: /srv Don't check at all: /selinux Don't check at all: /sbin Don't check at all: /run Don't check at all: /root Don't check at all: /proc Don't check at all: /opt Don't check at all: /mnt Don't check at all: /media Don't check at all: /lost+found Don't check at all: /lib Don't check at all: /home Don't check at all: /etc Don't check at all: /dev Don't check at all: /boot Don't check at all: /bin SQL: SELECT peername FROM dirty GROUP BY peername SQL Query finished. SQL: SELECT filename, myname, forced FROM dirty WHERE peername = 'atum' ORDER by filename ASC SQL Query finished. Connecting to host atum (SSL) ... Connect to 192.168.1.31:30865 (atum). Local> SSL\n Peer> OK (activating_ssl).\n response from peer(<no file>): atum [7] <- OK (activating_ssl). ASSERT: gnutls_constate.c:695 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_ARCFOUR_MD5 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 HSK[0x1b75ec0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 EXT[0x1b75ec0]: Sending extension SAFE RENEGOTIATION (1 bytes) EXT[SIGA]: sent signature algo (4.2) DSA-SHA256 EXT[SIGA]: sent signature algo (4.1) RSA-SHA256 EXT[SIGA]: sent signature algo (2.1) RSA-SHA1 EXT[SIGA]: sent signature algo (2.2) DSA-SHA1 EXT[0x1b75ec0]: Sending extension SIGNATURE ALGORITHMS (10 bytes) HSK[0x1b75ec0]: CLIENT HELLO was sent [112 bytes] HSK[0x1b75ec0]: SERVER HELLO was received [81 bytes] HSK[0x1b75ec0]: Server's version: 3.3 HSK[0x1b75ec0]: SessionID length: 32 HSK[0x1b75ec0]: SessionID: e63f2e334b3b948ff1f049d0bd867af7f2cd6de8238fe33ae85c52ab05a3a554 HSK[0x1b75ec0]: Selected cipher suite: RSA_ARCFOUR_SHA1 EXT[0x1b75ec0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) HSK[0x1b75ec0]: Safe renegotiation succeeded HSK[0x1b75ec0]: CERTIFICATE was received [451 bytes] ASSERT: ext_signature.c:393 HSK[0x1b75ec0]: CERTIFICATE REQUEST was received [89 bytes] EXT[SIGA]: rcvd signature algo (4.2) DSA-SHA256 EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256 EXT[SIGA]: rcvd signature algo (2.1) RSA-SHA1 EXT[SIGA]: rcvd signature algo (2.2) DSA-SHA1 HSK[0x1b75ec0]: SERVER HELLO DONE was received [4 bytes] HSK[0x1b75ec0]: CERTIFICATE was sent [451 bytes] HSK[0x1b75ec0]: CLIENT KEY EXCHANGE was sent [134 bytes] sign handshake cert vrfy: picked RSA-SHA256 with SHA256 HSK[0x1b75ec0]: CERTIFICATE VERIFY was sent [136 bytes] REC[0x1b75ec0]: Sent ChangeCipherSpec HSK[0x1b75ec0]: Cipher Suite: RSA_ARCFOUR_SHA1 HSK[0x1b75ec0]: Initializing internal [write] cipher sessions HSK[0x1b75ec0]: recording tls-unique CB (send) HSK[0x1b75ec0]: FINISHED was sent [16 bytes] ASSERT: ext_session_ticket.c:710 ASSERT: gnutls_buffers.c:640 ASSERT: gnutls_record.c:969 ASSERT: gnutls_handshake.c:2933 ASSERT: gnutls_handshake.c:3139 ASSERT: gnutls_record.c:276 SSL: handshake failed: A TLS packet with unexpected length was received. (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) SQL: COMMIT root@Anuket:/etc/ssl# What can be wrong? What is the cause that is not working? #### SSL: handshake failed: A TLS packet with unexpected length was received. (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) #### Testing from Raspberrypi: root@Anuket:/etc/ssl# uname -a Linux Anuket 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux root@Anuket:/etc/ssl# Karim Karim
_______________________________________________ Csync2 mailing list Csync2@lists.linbit.com http://lists.linbit.com/mailman/listinfo/csync2