Ssl

Certificate validation error with Bareos and TLS

  • August 21, 2019

I have installed Bareos 17.2.4-9 on Debian Jessie. It was built from source with the --with-openssl switch.

It runs perfectly without TLS enabled, but when I try to configure it to use TLS I get…

# bconsole
Connecting to Director Server-Name:9101
Authorization problem with Director at "Server-Name:9101"
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.

I suspect this is a validation problem between the self-signed certificate and the server name. The server's domain name is not set.

I created the certificate as follows…

# hostname
Server-Name
# domainname
(none)
# openssl req -new -x509 -nodes -out Server-Name.pem -keyout Server-Name.pem -days 3650
# chmod 600 Server-Name.pem
Generating a 2048 bit RSA private key
..+++
............................+++
writing new private key to 'Server-Name.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:NI
Locality Name (eg, city) []:Leer
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GNM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server-Name
Email Address []:First.Last@redacted.de

The configuration files are…

/etc/bareos/bareos-dir.d/director/bareos-dir.conf

Director {                            # define myself
 Name = bareos-dir
 QueryFile = "/usr/lib/bareos/scripts/query.sql"
 Maximum Concurrent Jobs = 10
 Password = "secret"         # Console password
 Messages = Daemon
 Auditing = yes
 DirAddress = Server-Name
 TLS Enable = yes
 TLS Require = yes
 TLS CA Certificate File = /etc/bareos/TLS/Bareos-Server-Name.pem
 TLS Certificate = /etc/bareos/TLS/Bareos-Server-Name.pem
 TLS Key = /etc/bareos/TLS/Bareos-Server-Name.pem
#  TLS Verify Peer = yes
 TLS Allowed CN = Server-Name
}

/etc/bareos/bconsole.conf

Director {
 Name = bareos-dir
#  address = localhost
 address = Server-Name
 Password = "secret"
 Description = "Bareos Console credentials for local Director"
}

**Note:** Since Bareos version 18.2, TLS is enabled by default, but the server is backwards compatible with older clients.

Please try the following:

  1. Change the client address on the server (in bareos-dir.d/client/*.conf) from the name to the IP. If this works, it means your DNS lookup is failing and BareOS cannot verify that it is talking to the correct machine.
  2. If you have multiple interfaces, add the following to client/myself.conf (or wherever your client configuration is stored on the file daemon):
FD Address = IP-Address
FD Source Address = IP-Address

This determines which outgoing interface is used and reduces routing errors (useful on cloud hosts). For more information on these, see here

  3. If you are using an unusual or custom OS, you may also have to provide the location of TLS Certificate and TLS CA Certificate Dir. TLS Verify Peer will also help in determining whether peer verification is failing too.

Debugging - verifying the SSL connection

From each end (backup server to client, and client to backup server), try:

openssl s_client -connect [client-fqdn]:9102 -state -nbio

openssl s_client -connect [client-ip]:9102 -state -nbio

Bonus answer

TLS is now enabled on every connection, so a TLS Auth failure does not necessarily occur between the Director (server) and the FileDaemon (client). However, any TLS failure will be (incorrectly) reported that way. So an error like this:

Fatal error: Connect failure: ERR=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
Error: TLS shutdown failure.: ERR=error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fatal error: TLS negotiation failed

…could, for example, be a TLS Auth failure between the Director and the StorageDaemon.

Check every link!
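As an added example (not from the question or either answer, and not Bareos code), here is a small Python probe that does what the `openssl s_client` step and the "check every link" advice describe: it attempts a TLS handshake to each daemon port, verifies the peer certificate against the configured CA file, and then applies the same rule as the `TLS Allowed CN` directive, namely that the peer's CN must be in an allowed list regardless of the host name connected to. It assumes the daemon accepts a TLS handshake directly on the socket (the same assumption the `openssl s_client` step makes); the host name, ports and PEM path are placeholders taken from the question.

```python
import socket
import ssl


def peer_common_name(peercert):
    """Return the commonName from an ssl.getpeercert() dict (None if absent).
    'subject' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def cn_allowed(peercert, allowed_cns):
    """Mimic the 'TLS Allowed CN' directive: the peer's CN must be one of the
    configured names. The host name we connected to plays no part in this."""
    return peer_common_name(peercert) in set(allowed_cns)


def probe_link(host, port, cafile, allowed_cns, timeout=5.0):
    """Try one TLS handshake to a daemon port and classify the outcome as
    ('ok' | 'cn-mismatch' | 'cert-verify' | 'tls' | 'connect', detail).
    cafile=None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # Bareos matches the CN, not the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # but the chain must still verify against the CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # untrusted/expired cert, wrong CA file
        return "cert-verify", str(exc)
    except ssl.SSLError as exc:                  # handshake failed for another reason
        return "tls", str(exc)
    except OSError as exc:                       # refused, timeout, DNS failure
        return "connect", str(exc)
    if not cn_allowed(cert, allowed_cns):
        return "cn-mismatch", peer_common_name(cert)
    return "ok", peer_common_name(cert)


if __name__ == "__main__":
    # Constructed link list for the single-host setup in the question:
    # Director 9101, FileDaemon 9102, StorageDaemon 9103 (placeholder host and path).
    ca = "/etc/bareos/TLS/Bareos-Server-Name.pem"
    for host, port in [("Server-Name", 9101), ("Server-Name", 9102), ("Server-Name", 9103)]:
        status, detail = probe_link(host, port, ca, ["Server-Name"])
        print(f"{host}:{port} -> {status}: {detail}")
```

A 'cert-verify' or 'cn-mismatch' result on one link while the others report 'ok' points at the daemon pair whose certificate or `TLS Allowed CN` setting is wrong, which is the kind of misattributed failure the bonus answer describes.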

Quoted from: https://serverfault.com/questions/934019