Hi there,
Finally I could fix the issue. :) The problem was with the FQDN... My
Bacula components used the IP address instead of the FQDN... It worked as
long as I did not use TLS, but the FQDN was needed to make TLS work. ;)
cheers,
Zsolt
On Wed, Mar 24, 2010 at 6:55 PM, Zsolt Kozak <[email protected]> wrote:
> Hi there,
>
> I googled around quite a lot and got no answer for my TLS-issue, so I'm
> trying this email list.
>
> First of all I have a tested Bacula-system with working director, storage,
> filedaemon, bat and bconsole. I tried to set TLS in each component but
> failed, so I thought I was trying it step by step. My first step was making
> a TLS-communication between the director and a bconsole only. I failed. :(
> It's interesting that it seemed that the TLS-communication was set up on the
> director side correctly, it failed on the bconsole side only.
>
> Here are the debug messages on both sides.
>
> director:
>
> bacula-dir: bnet.c:669-0 who=client host=192.168.99.55 port=36131
> bacula-dir: jcr.c:841-0 set_jcr_job_status(*System*, C)
> bacula-dir: jcr.c:850-0 OnEntry JobStatus=bacula-dir: jcr.c:861-0 Set new
> stat. old: bacula-dir: jcr
> .c:866-0 leave set_job_status old=bacula-dir: job.c:1349-0
> wstorage=InternalStorage
> bacula-dir: job.c:1358-0 wstore=InternalStorage where=Pool resource
> bacula-dir: job.c:1010-0 JobId=0 created
> Job=-Console-.2010-03-24_18.42.43_02
> bacula-dir: jcr.c:841-0
> set_jcr_job_status(-Console-.2010-03-24_18.42.43_02, R)
> bacula-dir: jcr.c:850-0 OnEntry JobStatus=C newJobstatus=R
> bacula-dir: jcr.c:861-0 Set new stat. old: C,0 new: R,0
> bacula-dir: jcr.c:866-0 leave set_job_status old=C new=R
> bacula-dir: cram-md5.c:73-0 send: auth cram-md5
> <1970824079.1269452...@bacula-dir> ssl=2
> bacula-dir: cram-md5.c:133-0 cram-get received: auth cram-md5
> <1490485609.1269452...@bconsole> ssl=2
> bacula-dir: cram-md5.c:152-0 sending resp to challenge:
> sH0FRSMzF1+uG4Ab6CJIQD
> bacula-dir: bnet.c:262-0 TLS server negotiation established.
> bacula-dir: watchdog.c:193-0 Registered watchdog 8bdcce8, interval
> 120<NULL>
> bacula-dir: btimers.c:187-0 Start bsock timer 8c02300 tid=b5f03b70 for 120
> secs at 1269452563
> bacula-dir: btimers.c:201-0 Stop bsock timer 8c02300 tid=b5f03b70 at
> 1269452563.
> bacula-dir: watchdog.c:213-0 Unregistered watchdog 8bdcce8
> bacula-dir: watchdog.c:193-0 Registered watchdog 8bdcce8, interval
> 120<NULL>
> bacula-dir: btimers.c:187-0 Start bsock timer 8c02300 tid=b5f03b70 for 120
> secs at 1269452563
> bacula-dir: btimers.c:201-0 Stop bsock timer 8c02300 tid=b5f03b70 at
> 1269452563.
> bacula-dir: watchdog.c:213-0 Unregistered watchdog 8bdcce8
> bacula-dir: job.c:1064-0 Start dird free_jcr
> bacula-dir: job.c:1035-0 Free JCR fname
> bacula-dir: job.c:1121-0 End dird free_jcr
> bacula-dir: message.c:460-0 Close_msg jcr=8bdb0f8
> bacula-dir: message.c:460-0 Close_msg jcr=0
> bacula-dir: message.c:472-0 ===Begin close msg resource at 8bc0de0
> bacula-dir: message.c:557-0 Done walking message chain.
> bacula-dir: message.c:562-0 ===End close msg resource
> bacula-dir: mem_pool.c:370-0 garbage collect memory pool
>
>
> bconsole:
>
> bconsole: parse_conf.c:881-0 Enter parse_config()
> bconsole: parse_conf.c:883-0 parse_config pass 1
> bconsole: lex.c:186-0 Open config file: /etc/bacula/bconsole.conf
> bconsole: lex.c:239-0 fget line=1 #
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
> bconsole: lex.c:239-0 fget line=2 # Bacula User Agent (or Console)
> Configuration File
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
> bconsole: lex.c:239-0 fget line=3 #
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
> bconsole: lex.c:239-0 fget line=4
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
> bconsole: lex.c:239-0 fget line=5 Director {
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:202-0 Item=name def=no defval=0
> bconsole: parse_conf.c:202-0 Item=description def=no defval=0
> bconsole: parse_conf.c:202-0 Item=dirport def=yes defval=9101
> bconsole: parse_conf.c:202-0 Item=address def=no defval=0
> bconsole: parse_conf.c:202-0 Item=password def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsauthenticate def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsenable def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsrequire def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscacertificatefile def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscacertificatedir def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscertificate def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlskey def=no defval=0
> bconsole: parse_conf.c:202-0 Item=heartbeatinterval def=yes defval=0
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_BOB
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_EOL
> bconsole: lex.c:239-0 fget line=6 Name = bacula-dir
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for name
> bconsole: lex.c:239-0 fget line=7 DIRport = 9101
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for dirport
> bconsole: lex.c:239-0 fget line=8 address =
> 192.168.99.55
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for address
> bconsole: lex.c:239-0 fget line=9 Password = "secret"
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for password
> bconsole: lex.c:239-0 fget line=10 TLS Enable = yes
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlsenable
> bconsole: lex.c:239-0 fget line=11 TLS Require = yes
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlsrequire
> bconsole: lex.c:239-0 fget line=12 TLS CA Certificate File =
> /etc/bacula/certs/CA.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlscacertificatefile
> bconsole: lex.c:239-0 fget line=13 TLS Certificate =
> /etc/bacula/certs/bacula-dir-tls-client-cert.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlscertificate
> bconsole: lex.c:239-0 fget line=14 TLS Key =
> /etc/bacula/certs/bacula-dir-tls-client-key.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlskey
> bconsole: lex.c:239-0 fget line=15 }
> bconsole: parse_conf.c:905-0 parse state=1 pass=1 got token=T_EOB
> bconsole: parse_conf.c:979-0 T_EOB => define new resource
> bconsole: parse_conf.c:905-0 parse state=0 pass=1 got token=T_EOL
> bconsole: parse_conf.c:883-0 parse_config pass 2
> bconsole: lex.c:186-0 Open config file: /etc/bacula/bconsole.conf
> bconsole: lex.c:239-0 fget line=1 #
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
> bconsole: lex.c:239-0 fget line=2 # Bacula User Agent (or Console)
> Configuration File
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
> bconsole: lex.c:239-0 fget line=3 #
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
> bconsole: lex.c:239-0 fget line=4
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
> bconsole: lex.c:239-0 fget line=5 Director {
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:202-0 Item=name def=no defval=0
> bconsole: parse_conf.c:202-0 Item=description def=no defval=0
> bconsole: parse_conf.c:202-0 Item=dirport def=yes defval=9101
> bconsole: parse_conf.c:202-0 Item=address def=no defval=0
> bconsole: parse_conf.c:202-0 Item=password def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsauthenticate def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsenable def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlsrequire def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscacertificatefile def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscacertificatedir def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlscertificate def=no defval=0
> bconsole: parse_conf.c:202-0 Item=tlskey def=no defval=0
> bconsole: parse_conf.c:202-0 Item=heartbeatinterval def=yes defval=0
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_BOB
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_EOL
> bconsole: lex.c:239-0 fget line=6 Name = bacula-dir
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for name
> bconsole: lex.c:239-0 fget line=7 DIRport = 9101
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for dirport
> bconsole: lex.c:239-0 fget line=8 address =
> 192.168.99.55
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for address
> bconsole: lex.c:239-0 fget line=9 Password = "secret"
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for password
> bconsole: lex.c:239-0 fget line=10 TLS Enable = yes
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlsenable
> bconsole: lex.c:239-0 fget line=11 TLS Require = yes
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlsrequire
> bconsole: lex.c:239-0 fget line=12 TLS CA Certificate File =
> /etc/bacula/certs/CA.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlscacertificatefile
> bconsole: lex.c:239-0 fget line=13 TLS Certificate =
> /etc/bacula/certs/bacula-dir-tls-client-cert.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlscertificate
> bconsole: lex.c:239-0 fget line=14 TLS Key =
> /etc/bacula/certs/bacula-dir-tls-client-key.pem
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_IDENTIFIER
> bconsole: parse_conf.c:954-0 in T_IDENT got token=T_EQUALS
> bconsole: parse_conf.c:960-0 calling handler for tlskey
> bconsole: lex.c:239-0 fget line=15 }
> bconsole: parse_conf.c:905-0 parse state=1 pass=2 got token=T_EOB
> bconsole: parse_conf.c:979-0 T_EOB => define new resource
> bconsole: parse_conf.c:905-0 parse state=0 pass=2 got token=T_EOL
> No record for 1001 console
> Director: name=bacula-dir address=192.168.99.55 DIRport=9101
> bconsole: parse_conf.c:1013-0 Leave parse_config()
> bconsole: watchdog.c:78-0 Initialising NicB-hacked watchdog thread
> Connecting to Director 192.168.99.55:9101
> bconsole: watchdog.c:250-0 NicB-reworked watchdog thread entered
> bconsole: watchdog.c:193-0 Registered watchdog 907ec60, interval 15<NULL>
> bconsole: btimers.c:155-0 Start thread timer 907ec20 tid b71c96d0 for 15
> secs.
> bconsole: bsock.c:221-0 Current host[ipv4:192.168.99.55:9101] All
> host[ipv4:192.168.99.55:9101]
> bconsole: bsock.c:155-0 who=Director daemon host=192.168.99.55 port=9101
> bconsole: btimers.c:215-0 Stop thread timer 907ec20 tid=b71c96d0.
> bconsole: watchdog.c:213-0 Unregistered watchdog 907ec60
> bconsole: watchdog.c:193-0 Registered watchdog 907ec60, interval 300<NULL>
> bconsole: btimers.c:187-0 Start bsock timer 907ec20 tid=b71c96d0 for 300
> secs at 1269452563
> bconsole: cram-md5.c:133-0 cram-get received: auth cram-md5
> <1970824079.1269452...@bacula-dir> ssl=2
> bconsole: cram-md5.c:152-0 sending resp to challenge:
> hz/2wWs37EI/f6+LO9gDeA
> bconsole: cram-md5.c:80-0 send: auth cram-md5
> <1490485609.1269452...@bconsole> ssl=2
> bconsole: cram-md5.c:99-0 Authenticate OK sH0FRSMzF1+uG4Ab6CJIQD
> TLS negotiation failed
> bconsole: btimers.c:201-0 Stop bsock timer 907ec20 tid=b71c96d0 at
> 1269452563.
> bconsole: watchdog.c:213-0 Unregistered watchdog 907ec60
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> for help.
> bconsole: watchdog.c:312-0 NicB-reworked watchdog thread exited
>
>
> I am using Bacula on an Ubuntu 9.10 but from Debian Lenny Backports because
> Ubuntu misses the latest release of Bacula. Version number is
> 5.0.1-1~bpo50+1. The bconsole and the director are on the same host.
>
> I generated the certificates by EJBCA. I generated a server certificate for
> the director and a client certificate for the bconsole. I also tried to
> generate certificates "by hand" with openssl. Got the same error. I tried to
> connect to the director by another bconsole from another host. Got the same
> error. I tried to use different CNs in the certificates: simple name, FQDN,
> IP address. Got the same error.
>
> Do you have any idea what's wrong? It's interesting that the TLS-connection
> is OK on the server side, only the bconsole has problems with it....
>
> Any help appreciated.
>
> thanks,
> Zsolt
>
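
Added example, not part of the original thread and not Bacula code: a small lint for the situation resolved above, flagging TLS-enabled resources whose `address` is an IP literal or a name absent from the peer certificate. It assumes the connecting side compares the configured `address` string with the certificate's CN/subjectAltName names; the sample Director resource is reconstructed from the bconsole debug output, and the FQDN `bacula-dir.example.org` is a constructed placeholder.

```python
import ipaddress
import re

# Director resource as reconstructed from the bconsole debug output in the thread.
CONF_IP = '''
Director {
  Name = bacula-dir
  address = 192.168.99.55
  Password = "secret"
  TLS Enable = yes
  TLS Require = yes
}
'''
# Constructed placeholder FQDN; the thread does not give the real one.
CONF_FQDN = CONF_IP.replace("192.168.99.55", "bacula-dir.example.org")

def parse_resources(text):
    """Return [(resource_type, {directive: value})]; keys lowercased, spaces removed."""
    out = []
    for rtype, body in re.findall(r"(\w+)\s*\{(.*?)\}", text, re.S):
        items = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments (sample has no '#' in values)
            if "=" in line:
                key, val = line.split("=", 1)
                items[key.replace(" ", "").lower()] = val.strip().strip('"')
        out.append((rtype, items))
    return out

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def tls_address_findings(text, cert_names):
    """Flag TLS-enabled resources whose address will not match a certificate name."""
    names = {n.lower() for n in cert_names}
    findings = []
    for rtype, items in parse_resources(text):
        addr = items.get("address", "")
        if items.get("tlsenable", "no").lower() != "yes" or not addr:
            continue
        if is_ip_literal(addr):  # assumption: names in the cert are host names, not IPs
            findings.append((items.get("name"), addr, "ip-literal"))
        elif addr.lower() not in names:
            findings.append((items.get("name"), addr, "name-not-in-cert"))
    return findings
```

Pass the CN and subjectAltName DNS names of the certificate the peer presents as `cert_names`; an empty result means every TLS-enabled address has a matching name.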
_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users