2

I have Bareos 17.2.4-9 installed on Debian Jessie. It was built from the source using the --with-openssl switch.

It works perfectly WITHOUT TLS enabled, however when I try to configure it to use TLS, I get ...

# bconsole
Connecting to Director Server-Name:9101
Authorization problem with Director at "Server-Name:9101"
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.

I suspect it's because of a validation problem between the SELF-SIGNED certificate and the server name. The server domain name is NOT set.

I created the certificate as follows ...

# hostname
Server-Name
# domainname
(none)
# openssl req -new -x509 -nodes -out Server-Name.pem -keyout Server-Name.pem -days 3650
# chmod 600 Server-Name.pem
Generating a 2048 bit RSA private key
..+++
............................+++
writing new private key to 'Server-Name.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:NI
Locality Name (eg, city) []:Leer
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GNM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server-Name
Email Address []:First.Last@redacted.de

The config files are...

/etc/bareos/bareos-dir.d/director/bareos-dir.conf

Director {                            # define myself
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 10
  Password = "secret"         # Console password
  Messages = Daemon
  Auditing = yes
  DirAddress = Server-Name
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Certificate = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Key = /etc/bareos/TLS/Bareos-Server-Name.pem
#  TLS Verify Peer = yes
  TLS Allowed CN = Server-Name
}

/etc/bareos/bconsole.conf

Director {
  Name = bareos-dir
#  address = localhost
  address = Server-Name
  Password = "secret"
  Description = "Bareos Console credentials for local Director"
}
BurningKrome

2 Answers

2

NB: As of Bareos version 18.2, TLS is enabled by default, but the server is backwardly compatible with older clients.

Please try these things:

  1. Change the client address on the server (in bareos-dir.d/client/*.conf) from a name to an IP. If that works, then it means that your DNS lookup is failing and Bareos can't verify it's talking to the right machine.

  2. If you have multiple interfaces, add the following to client/myself.conf (or wherever your client config is stored on the file daemon):

FD Address = IP-Address
FD Source Address = IP-Address

This dictates the outgoing interface to use and reduces routing errors (useful on cloud hosts). See here for more information about these.

  3. If you're using an unusual or custom OS, you may have to supply the location of the TLS Certificate or TLS CA Certificate Dir, too. TLS Verify Peer will also help to determine whether the peer verification is failing.

Debugging - to verify the SSL connection

From each end (backup server to client and client to backup server), try:

openssl s_client -connect [client-fqdn]:9102 -state -nbio

and

openssl s_client -connect [client-ip]:9102 -state -nbio

Bonus Answer

Every connection is now TLS-enabled, so a TLS Auth failure isn't necessarily between Director (Server) and FileDaemon (Client). Any TLS failure is (mis)reported as such, however. So an error like:

Fatal error: Connect failure: ERR=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
Error: TLS shutdown failure.: ERR=error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fatal error: TLS negotiation failed

...could be a TLS Auth failure between the Director and the StorageDaemon, for example.

Check every link!

Andreas Rogge
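The question's suspicion (self-signed certificate versus server name) can be tested offline before running the s_client commands from the answer above. This is an added example, not part of the original posts: it builds a throwaway certificate like the one in the question and checks its CN, name match and trust with the openssl CLI. The function names, file names and the extra host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline checks for a self-signed certificate like the one in the question.
# Function names, file names and the test host names are hypothetical.

# make_selfsigned DIR CN: write DIR/key.pem and DIR/cert.pem with a CN-only subject
# (no subjectAltName; key kept in its own file here, unlike the combined PEM in the question).
make_selfsigned() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
        -config "$1/req.cnf" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"
}

# cert_cn CERT: print the subject Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# cert_matches_host CERT HOST: succeed if OpenSSL's host check accepts HOST
# (SAN entries, or the CN when the certificate has no SAN).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_trusted_by CAFILE CERT: succeed if CERT verifies against CAFILE
# (for a self-signed certificate both arguments are the same file).
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo: CN "Server-Name", checked against the short name, an FQDN and an IP.
dir=$(mktemp -d)
make_selfsigned "$dir" Server-Name
echo "CN: $(cert_cn "$dir/cert.pem")"
for name in Server-Name Server-Name.example.org 192.0.2.10; do
    if cert_matches_host "$dir/cert.pem" "$name"; then echo "$name: matches"
    else echo "$name: does NOT match"
    fi
done
cert_trusted_by "$dir/cert.pem" "$dir/cert.pem" && echo "trust: OK"
rm -rf "$dir"
```

To check the deployed certificate, point cert_cn, cert_matches_host and cert_trusted_by at the PEM file named in the TLS Certificate and TLS CA Certificate File directives, using the exact name given in the address and TLS Allowed CN settings.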
0

Try removing the quotes from the password in bareos-dir.conf and restart.

dampi0
    Bareos can handle quotes. They are even required e.g. when the password contains spaces. http://doc.bareos.org/master/html/bareos-manual-main-reference.html#x1-1230008.3.3 – Sven Oct 04 '18 at 21:33
  • 1
    Well, ok then, did you even bother to test it? I have encountered a similar issue here, and that is how they fixed it - https://stackoverflow.com/questions/40061518/bacula-bconsole-director-authorization-fail-localhost – dampi0 Oct 05 '18 at 04:49
  • 1
    @dampi0 So, I have seen this solution before - and I can try it. But since Bareos works fine with the TLS lines removed (but with quotes around the password) I assume it has to do with the certificate and not the passwords. Thanks for the input though. – BurningKrome Oct 05 '18 at 07:28