Ssl
Bareos and TLS certificate validation error
I installed Bareos 17.2.4-9 on Debian Jessie. It was built from source with the `--with-openssl` switch. It runs perfectly without TLS enabled, but when I try to configure it to use TLS I get…
```text
# bconsole
Connecting to Director Server-Name:9101
Authorization problem with Director at "Server-Name:9101"
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
```
I suspect this is a validation problem between the self-signed certificate and the server name. The server's domain name is not set.
I created the certificate as follows…
```text
# hostname
Server-Name
# domainname
(none)
# openssl req -new -x509 -nodes -out Server-Name.pem -keyout Server-Name.pem -days 3650
# chmod 600 Server-Name.pem
Generating a 2048 bit RSA private key
..+++
............................+++
writing new private key to 'Server-Name.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:NI
Locality Name (eg, city) []:Leer
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GNM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server-Name
Email Address []:First.Last@redacted.de
```
The configuration files are…
/etc/bareos/bareos-dir.d/director/bareos-dir.conf
```text
Director {
  # define myself
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 10
  Password = "secret"         # Console password
  Messages = Daemon
  Auditing = yes
  DirAddress = Server-Name
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Certificate = /etc/bareos/TLS/Bareos-Server-Name.pem
  TLS Key = /etc/bareos/TLS/Bareos-Server-Name.pem
  # TLS Verify Peer = yes
  TLS Allowed CN = Server-Name
}
```
/etc/bareos/bconsole.conf
```text
Director {
  Name = bareos-dir
  # address = localhost
  address = Server-Name
  Password = "secret"
  Description = "Bareos Console credentials for local Director"
}
```
**Note:** as of Bareos 18.2 TLS is enabled by default, but the server stays backward compatible with older clients.
Try the following:
- Change the client address on the server (in `bareos-dir.d/client/*.conf`) from the name to the IP. If that works, your DNS lookup is failing and Bareos cannot verify that it is talking to the right machine.
- If you have several interfaces, add the following to `client/myself.conf` (or wherever your client configuration is stored in the file daemon):

  ```text
  FD Address = IP-Address
  FD Source Address = IP-Address
  ```

  This decides which outgoing interface is used and reduces routing errors (useful on cloud hosts). See here for more information about these.
- If you are on an unusual or custom OS, you may also have to supply the location of `TLS Certificate` or `TLS CA Certificate Dir`. `TLS Verify Peer` will also help to establish whether peer verification is failing as well.
Debugging: verifying the SSL connection
From each end (backup server to client, and client to backup server), try:

```text
openssl s_client -connect [client-fqdn]:9102 -state -nbio
```

and

```text
openssl s_client -connect [client-ip]:9102 -state -nbio
```
Bonus answer
Now that TLS is enabled on every connection, a TLS auth failure does not necessarily occur between the Director (server) and the FileDaemon (client). However, any TLS failure is (misleadingly) reported that way. So an error like:

```text
Fatal error: Connect failure: ERR=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
Error: TLS shutdown failure.: ERR=error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fatal error: TLS negotiation failed
```

…may, for example, be a TLS auth failure between the Director and the StorageDaemon.
Check every link!
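The following POSIX shell script is an added example, not code from the Bareos project or from either answer above. It turns the name-checking advice into something repeatable: it generates a self-signed certificate of the kind shown in the question, but with the host name in a DNS subjectAltName as well as the CN, writes certificate and key into one PEM file as the question does, and then verifies that file against itself as CA for the name a peer would expect. A mismatch is therefore found on the command line before the Bareos handshake turns it into the generic "Authorization problem" message. The host name `Server-Name`, the second candidate name `bareos-dir`, the output path and an `openssl` binary (1.0.2 or newer) on PATH are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the Bareos project or from the answers above.
# Assumes an `openssl` binary (1.0.2 or newer) on PATH. "Server-Name",
# "bareos-dir" and the output path are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/bareos-tls-check.$$"
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME OUTFILE
# Builds a self-signed certificate that carries NAME both as the CN and as a
# DNS subjectAltName, so a name check succeeds whichever field the peer looks
# at, and writes certificate plus private key into one PEM file as the
# question does. A config file is used instead of -addext so the command also
# works on the OpenSSL releases that ship with older Debian.
make_self_signed() {
    name="$1"; out="$2"
    mkdir -p "$WORK"
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
basicConstraints = critical,CA:TRUE
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$WORK/req.cnf" -extensions ext \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    # Certificate first, then key: one file then serves as TLS CA
    # Certificate File, TLS Certificate and TLS Key, as in the question.
    cat "$WORK/cert.pem" "$WORK/key.pem" > "$out"
    chmod 600 "$out"
}

# check_cert_name PEMFILE NAME
# Verifies PEMFILE against itself as the CA (which is what pointing all three
# TLS directives at one self-signed file amounts to) and checks that NAME is
# a valid host name for it. Returns 0 when both pass, 1 otherwise. The result
# is read from the "<file>: OK" line rather than the exit status because old
# OpenSSL releases did not reliably set the exit status on failure.
check_cert_name() {
    pem="$1"; name="$2"
    openssl verify -CAfile "$pem" -verify_hostname "$name" "$pem" 2>&1 \
        | grep -q ': OK$'
}

# cert_names PEMFILE
# Prints the subject and the SAN entries so they can be compared by eye with
# "TLS Allowed CN" and with the address the peer connects to.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:' | sed 's/^ *//'
}

main() {
    pem="$WORK/Bareos-Server-Name.pem"
    make_self_signed Server-Name "$pem"
    cert_names "$pem"
    # Second candidate: the Director resource name, which is easy to confuse
    # with the host name when filling in "TLS Allowed CN".
    for candidate in Server-Name bareos-dir; do
        if check_cert_name "$pem" "$candidate"; then
            echo "OK:       '$candidate' is a valid name for this certificate"
        else
            echo "MISMATCH: '$candidate' is not in the certificate; a peer that"
            echo "          expects it fails the handshake, and Bareos reports"
            echo "          that as an authorization problem"
        fi
    done
}

main
```

Run it on the Director with the real host name substituted, and compare the printed subject and SAN with the value of `TLS Allowed CN` and with the address the console or client actually connects to. Note also that the `bconsole.conf` in the question has no TLS directives in its Director resource; in Bareos 17.2 the console's Director resource takes the same `TLS Enable`, `TLS Require`, `TLS CA Certificate File`, `TLS Certificate` and `TLS Key` directives, and with `TLS Require = yes` on the Director it needs at least the CA file to complete the handshake.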