使用Bareos和TLS的证书验证错误

Question

我在Debian Jessie上安装了Bareos 17.2.4-9。它是使用--with-openssl开关从源代码构建的。

它在没有启用TLS的情况下工作得很好，但是当我试图将它配置为使用TLS时，我得到.

# bconsole
Connecting to Director Server-Name:9101
Authorization problem with Director at "Server-Name:9101"
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.

我怀疑这是因为自签名证书和服务器名称之间存在验证问题。未设置服务器域名。

我创建的证书如下..。

# hostname
Server-Name
# domainname
(none)
# openssl req -new -x509 -nodes -out Server-Name.pem -keyout Server-Name.pem -days 3650
# chmod 600 Server-Name.pem
Generating a 2048 bit RSA private key
..+++
............................+++
writing new private key to 'Server-Name.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:NI
Locality Name (eg, city) []:Leer
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GNM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server-Name
Email Address []:First.Last@redacted.de

配置文件是。

/etc/bareos/bareos-dir.d/director/bareos-dir.conf

Director {                            # define myself
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 10
  Password = "secret"         # Console password
  Messages = Daemon
  Auditing = yes
  DirAddress = Server-Name
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Certificate = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Key = /etc/bareos/TLS/Bareos-Server-Name.pem
#  TLS Verify Peer = yes
  TLS Allowed CN = Server-Name
}

/etc/bareos/bconsole.conf

Director {
  Name = bareos-dir
#  address = localhost
  address = Server-Name
  Password = "secret"
  Description = "Bareos Console credentials for local Director"
}

Answer 1

注:巴罗斯18.2版，已启用未定义，但服务器与旧客户端反向兼容.

请试试看：

1. 将服务器上的客户端地址(在bareos-dir.d/client/*.conf中)从名称更改为IP。如果这样做有效，那就意味着您的DNS查找失败了，而且BareOS无法验证它正在与正确的机器对话。
2. 如果您有多个接口，那么将以下内容添加到client/myself.conf (或者您的客户端配置存储在文件守护进程中的地方)：

FD Address = IP-Address
FD Source Address = IP-Address

这指示要使用的传出接口并减少路由错误(在云主机上有用)。有关这些信息的更多信息，请参见这里。

1. 如果您使用的是不寻常的或自定义的操作系统，您可能也必须提供TLS证书或TLS CA证书Dir的位置。TLS验证点还将帮助确定对等验证是否也失败。

调试--验证SSL连接

从两端(备份服务器到客户端，客户端到备份服务器)，尝试：

openssl s_client -connect [client-fqdn]:9102 -state -nbio

和

openssl s_client -connect [client-ip]:9102 -state -nbio

奖金答案

现在每个连接都启用了TLS，因此TLS故障不一定发生在Director (服务器)和FileDaemon (客户端)之间。然而，任何TLS故障都是这样报告的。所以出现了一个错误，比如：

Fatal error: Connect failure: ERR=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
Error: TLS shutdown failure.: ERR=error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fatal error: TLS negotiation failed

例如，...could是主任和StorageDaemon之间的TLS 8月故障。

检查每个链接！

Answer 2

尝试删除口令中的引号，然后重新启动。