Windows backups with Certificates


Jon Schewe

Oct 11, 2024, 3:51:47 PM
to bareos-users
I understand that bareos does TLS-PSK without specifying certificates. However, I'd like to use certificates to do some extra checking on the clients. I have this working with a Linux server and a Linux client. I'm now trying to set up a Windows client. I have version 23.0.5 on Windows and 23.0.5 on RHEL Linux. The director can connect to the client without any problems. However, when I run a job I get an error when the client connects to the storage daemon about "bad psk". Disabling the TLS Certificate parameters allows backups to run without error.

On Windows I have the following in client/myself.conf and director/bareos-dir.conf
  TLS Certificate = "c:/ProgramData/Bareos/rds-01.crt"
  TLS Key = "c:/ProgramData/Bareos/rds-01.key"
  TLS CA Certificate File = "c:/ProgramData/Bareos/bareos-ca.pem"

On the server side I have the following in bareos-dir.d/client/rds-01.conf, bareos-dir.d/storage/Tape.conf, bareos-sd.d/storage/bareos-sd.conf
  TLS Certificate = /etc/bareos/bareos.crt
  TLS Key = /etc/bareos/bareos.key
  TLS CA Certificate File = /etc/bareos/bareos-ca.pem

I have the following in bareos-dir.d/director/bareos-dir.conf, bareos-sd.d/director/bareos-dir.conf
  TLS Certificate = /etc/bareos/bareos.crt
  TLS Key = /etc/bareos/bareos.key
  TLS CA Certificate File = /etc/bareos/bareos-ca.pem
  TLS Require = yes
  TLS Verify Peer = yes

On Windows when I run bareos-fd.exe with debugging I see the following:
bareos-fd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 2769e79b3d0
rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
rds-01-fd (10): filed/socket_server.cc:122-0 filed: listening on port 9102
rds-01-fd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <21927.1728674064@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: 2AZo79Y5OB/qx4/qj2MjxB
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <24081.1728674068@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Y/lKr7+Muz/3ekdSF6Q2RC
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <6996.1728674073@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: y6+6I8/kb7xt39hd2i/bFA
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <2346.1728674082@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: K8+Lh/0KC/+lF6ElMD+WdD
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <27755.1728674089@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: Hn+5rFN39QxyB9/287/hgC
...
rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <19183.1728674154@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
rds-01-fd (99): lib/cram_md5.cc:232-0 sending resp to challenge: /Gx7tkFGgTxrSkY6BR/VpD
rds-01-fd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
rds-01-fd (5): filed/dir_cmd.cc:1433-100 set sd auth key
rds-01-fd (5): filed/dir_cmd.cc:1436-100 set sd ssl_policy to 4
rds-01-fd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
rds-01-fd (10): filed/dir_cmd.cc:1271-100 LevelCmd: level = full  mtime_only=0
...
rds-01-fd (50): lib/tls_openssl.cc:63-100 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-11_15.15.52_48
rds-01-fd (50): lib/crypto_openssl.cc:1593-100 jcr=276a10593e0 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-100 TLS negotiation failed
rds-01-fd (50): lib/tls_openssl.cc:306-100 SSL_get_error() returned error value 1

On the Linux bareos console I see the following:
11-Oct 15:15 bareos-dir JobId 100: No prior Full backup Job record found.
11-Oct 15:15 bareos-dir JobId 100: No prior or suitable Full backup found in catalog. Doing FULL backup.
11-Oct 15:15 bareos-dir JobId 100: Start Backup JobId 100, Job=backup-rds-01-fd.2024-10-11_15.15.52_48
11-Oct 15:15 bareos-dir JobId 100: Connected Storage daemon at bareos:9103, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100:  Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Probing client protocol... (result will be saved until config reload)
11-Oct 15:15 bareos-dir JobId 100: Connected Client: rds-01-fd at rds-01:9102, encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100:    Handshake: Immediate TLS
11-Oct 15:15 bareos-dir JobId 100:  Encryption: TLS_AES_256_GCM_SHA384 TLSv1.3
11-Oct 15:15 bareos-dir JobId 100: Using Device "Drive-LTO-0" to write.
11-Oct 15:15 rds-01-fd JobId 100: Created 20 wildcard excludes from FilesNotToBackup Registry key
11-Oct 15:15 rds-01-fd JobId 100: Fatal error: Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
11-Oct 15:15 rds-01-fd JobId 100: Fatal error: TLS negotiation failed
11-Oct 15:15 bareos-dir JobId 100: Fatal error: Bad response to Storage command: wanted 2000 OK storage, got 2902 Bad storage

bareos-sd with debugging shows the following:
bareos-sd (10): lib/parse_conf.h:442-0 ConfigResourcesContainer: new configuration_resources_ 562253174dc0
bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-tape.so
bareos-sd (50): stored/sd_backends_dynamic.cc:46-0 Loaded dynamic library /usr/lib64/bareos/backends/libbareossd-file.so
bareos-sd (8): lib/crypto_cache.cc:53-0 Could not open crypto cache file. /var/lib/bareos/bareos-sd.9103.cryptoc ERR=No such file or directory
bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
bareos-sd (10): stored/socket_server.cc:136-0 stored: listening on port 9103
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0bf-nst
bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
bareos-sd (10): stored/device.cc:283-0 FATAL ERROR: dev open failed: backends/generic_tape_device.cc:127 Unable to open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst): ERR=No medium found

bareos-sd (20): stored/stored.cc:538-0 Could not open device "Drive-LTO-1" (/dev/tape/by-id/scsi-35000e111ca01f0bf-nst)
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
bareos-sd (10): stored/stored.cc:516-0 SD init done /dev/tape/by-id/scsi-35000e111ca01f0b5-nst
bareos-sd (20): stored/stored.cc:534-0 calling FirstOpenDevice "Drive-LTO-0" (/dev/tape/by-id/scsi-35000e111ca01f0b5-nst)
bareos-sd (90): stored/stored.cc:513-0 calling FactoryCreateDevice /var/lib/bareos/storage
bareos-sd (10): stored/stored.cc:516-0 SD init done /var/lib/bareos/storage
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <9232935.1728674154@R_STORAGE::bareos-sd> ssl=2
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: bFgr/xtff19rA49KbxB7lC
bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): stored/job.cc:155-100 Quota set as 0
bareos-sd (50): stored/job.cc:166-100 >dird jid=100: 3000 OK Job SDid=1 SDtime=1728674014 Authorization=FKDE-OCNI-JIKJ-ECBG-ICKM-BEHO-CEDL-LFPM
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): stored/askdir.cc:185-100 >dird CatReq Job=backup-rds-01-fd.2024-10-11_15.15.52_48 GetVolInfo VolName=003001 write=1
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): stored/askdir.cc:116-100 <dird 1000 OK VolName=003001 VolJobs=18 VolFiles=17 VolBlocks=1690 VolBytes=1758381056 VolMounts=4 VolErrors=0 VolWrites=1691 MaxVolBytes=0 VolCapacityBytes=0 VolStatus=Append Slot=3 MaxVolJobs=0 MaxVolFiles=0 InChanger=1 VolReadTime=8974500 VolWriteTime=26606656 EndFile=16 EndBlock=0 LabelType=0 MediaId=3 EncryptionKey= MinBlocksize=0 MaxBlocksize=0
bareos-sd (50): stored/askdir.cc:146-100 DoGetVolumeInfo return true slot=3 Volume=003001, VolminBlocksize=0 VolMaxBlocksize=0
bareos-sd (50): stored/askdir.cc:150-100 setting dcr->VolMinBlocksize(0) to vol.VolMinBlocksize(0)
bareos-sd (50): stored/askdir.cc:153-100 setting dcr->VolMaxBlocksize(0) to vol.VolMaxBlocksize(0)
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 1
bareos-sd (50): lib/crypto_openssl.cc:1593-0 jcr=0 Connect failure: ERR=error:0A000438:SSL routines::tlsv1 alert internal error
bareos-sd (50): lib/tls_openssl.cc:306-0 SSL_get_error() returned error value 1
bareos-sd (50): lib/bsock.cc:645-0 TLS negotiation failed.
bareos-sd (50): lib/tls_openssl_private.cc:402-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/bnet.cc:143-0 TLS server negotiation established.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <1060401765.1728674154@R_STORAGE::bareos-sd> ssl=2
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/cram_md5.cc:61-0 my_name: <R_STORAGE::bareos-sd> - challenge_name: <R_DIRECTOR::bareos-dir>
bareos-sd (99): lib/cram_md5.cc:232-0 sending resp to challenge: f6FLIDJK68/JL//0n1R98C
bareos-sd (90): stored/dir_cmd.cc:276-0 Message channel init completed.
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (10): lib/jcr.cc:442-0 Warning, can't send kill to jid=100
bareos-sd (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 2
bareos-sd (50): lib/tls_openssl_private.cc:325-100 SSL_get_error() returned error value 6

I see that bareos on Windows ships with openssl 3.1.4. My Linux host has openssl 3.0.7.

I notice a lot of "returned error value 2" messages on the Windows client; those messages continually show up every couple of seconds. I also see some of these from bareos-sd. Is this something that is likely related to this? Or is this something else?

Any ideas what the error about "bad psk" is?

What other information can I provide that would help debug this issue?

Thank you,
Jon


Sebastian Sura

Oct 14, 2024, 2:09:38 AM
to bareos...@googlegroups.com

Hello Jon,

You can safely ignore "SSL_get_error() returned error value 2".  '2' in this case means 'SSL_ERROR_WANT_READ', which is just openssl telling us that we need to read from the socket again.

Could you check what happens when you use client initiated connections for the client <> dir connection? See here on how to set it up: https://docs.bareos.org/TasksAndConcepts/NetworkSetup.html#client-initiated-connection
I am curious whether the client can connect to the director this way.  You can check if the connection succeeded if you find the client debug output looks something like so (here the debug level is 50):

```
restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
restore-fd (10): filed/socket_server.cc:122-0 filed: listening on port 30632
restore-fd (50): lib/tls_openssl.cc:63-0 Preparing TLS_PSK CLIENT context for identity R_CLIENT restore-fd
restore-fd (50): lib/tls_openssl_private.cc:406-0 SSL_get_error() returned error value 2
restore-fd (50): lib/bnet.cc:195-0 TLS client negotiation established.
restore-fd (10): filed/dir_cmd.cc:2092-0 Opened connection with Director bareos-dir
restore-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::restore-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
restore-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <479071473.1728885862@R_CLIENT::restore-fd> ssl=2
restore-fd (50): lib/cram_md5.cc:135-0 Authenticate OK mw+Lt7BEn2k3Ii+jgwI5qC
```

Otherwise you can also use `status director` to check if there are any open client initiated connections:

```
*status dir
[...]

Client Initiated Connections (waiting for jobs):
Connect time        Protocol            Authenticated       Name                                    
====================================================================================================
14-Oct-24 08:07     54                  1                   restore-fd                              
====
```

Kind Regards

Sebastian Sura

On 11.10.24 at 21:51, Jon Schewe wrote:
-- 
 Sebastian Sura                  sebasti...@bareos.com
 Bareos GmbH & Co. KG            Phone: +49 221 630693-0
 https://www.bareos.com
 Registered office: Köln | Amtsgericht Köln: HRA 29646
 General partner: Bareos Verwaltungs-GmbH
 Managing directors: Stephan Dühr, Jörg Steffens, Philipp Storz

Jon Schewe

Oct 15, 2024, 3:19:11 AM
to bareos-users
I made the changes to do a client initiated connection in addition to allowing the director to contact the client. When I told the director to start a backup I immediately got the messages below on the client (debug level 50).

rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <23510.1728917201@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
rds-01-fd (5): filed/dir_cmd.cc:1433-104 set sd auth key
rds-01-fd (5): filed/dir_cmd.cc:1436-104 set sd ssl_policy to 4
rds-01-fd (10): filed/dir_cmd.cc:1271-104 LevelCmd: level = full  mtime_only=0
rds-01-fd (50): lib/tls_openssl.cc:63-104 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-14_10.46.39_57
rds-01-fd (50): lib/tls_openssl_private.cc:402-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/crypto_openssl.cc:1593-104 jcr=280a8ea4710 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-104 TLS negotiation failed

I spent some more time on this experimenting with TLS versions, and if I add the following to both the Director and Client resources on the Windows bareos-fd, everything works.

TLS Protocol = "-TLSv1,-TLSv1.1,-TLSv1.3,TLSv1.2"

Jon Schewe

Oct 15, 2024, 3:19:11 AM
to Sebastian Sura, bareos...@googlegroups.com
Note that I'm using certificates, so I'm not sure why there is a PSK (pre-shared key) being used.

On Mon, Oct 14, 2024 at 9:51 AM Jon Schewe <jon.schew...@gmail.com> wrote:
Sebastian,

I made the changes to do a client initiated connection in addition to allowing the director to contact the client. When I told the director to start a backup I immediately got the messages below on the client (debug level 50).

rds-01-fd (50): lib/bnet.cc:143-0 TLS server negotiation established.
rds-01-fd (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <23510.1728917201@R_CLIENT::rds-01-fd> ssl=2
rds-01-fd (50): lib/cram_md5.cc:61-0 my_name: <R_CLIENT::rds-01-fd> - challenge_name: <R_DIRECTOR::bareos-dir>
rds-01-fd (5): filed/dir_cmd.cc:1433-104 set sd auth key
rds-01-fd (5): filed/dir_cmd.cc:1436-104 set sd ssl_policy to 4
rds-01-fd (10): filed/dir_cmd.cc:1271-104 LevelCmd: level = full  mtime_only=0
rds-01-fd (50): lib/tls_openssl.cc:63-104 Preparing TLS_PSK CLIENT context for identity R_JOB backup-rds-01-fd.2024-10-14_10.46.39_57
rds-01-fd (50): lib/tls_openssl_private.cc:402-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/crypto_openssl.cc:1593-104 jcr=280a8ea4710 Connect failure: ERR=error:0A0000DB:SSL routines::bad psk
rds-01-fd (50): lib/tls_openssl.cc:306-104 SSL_get_error() returned error value 1
rds-01-fd (50): lib/bsock.cc:672-104 TLS negotiation failed



Bruno Friedmann (bruno-at-bareos)

Oct 15, 2024, 3:59:07 AM
to bareos-users
Hi Jon,

It was always a bit more complicated to get the TLS connection working with certificates. I remember that you need to have certificates that can act as both client and server, as all daemons can have both roles.
Please have a look at that fact. The openssl s_server and s_client commands should work in both directions with the certificates.

Then, when you want to restrict to a certain protocol version, you have to be sure a working list of ciphers for that protocol version exists on all sides.
Beware that the parameter is not the same between 1.2 and 1.3 in bareos, see
versus

Hope this helps you a bit.

Jon Schewe

Oct 15, 2024, 9:44:55 AM
to bareos-users
All of my certificates have both client and server authentication support. Limiting the Windows system to TLS 1.2 solved the problem. I don't understand why I need to limit the protocol version on Windows and not on Linux.