bareos ERR=10:certificate has expired error


Al Gone
Jul 26, 2022, 10:13:07 AM
to bareos-users

We have a backup server with bareos installed. Recently I noticed that some of the clients refuse to back up.

Looking into the logs I found a strange error reporting that the certificate is expired:

26-Jul 15:07 oc-dir JobId 81120: Start Backup JobId 81120, Job=cms-server.2022-07-26_15.06.58_06
26-Jul 15:07 oc-dir JobId 81120: Using Device "FileStorage.1" to write.
26-Jul 15:07 oc-dir JobId 81120: Error: tls_openssl.c:354 Error with certificate at depth: 0, issuer = /CN=Puppet CA: bareos-server, subject = /CN= cms-server, ERR=10:certificate has expired
26-Jul 15:07 oc-dir JobId 81120: Error: crypto_openssl.c:1559 Connect failure: ERR=error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
26-Jul 15:07 oc-dir JobId 81120: Fatal error: TLS negotiation failed.
26-Jul 15:07 oc-dir JobId 81120: Fatal error: Unable to authenticate with File daemon at "cms-server:9102". Possible causes:
Passwords or names not the same or
TLS negotiation failed or
Maximum Concurrent Jobs exceeded on the FD or
FD networking messed up (restart daemon).
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
26-Jul 15:07 oc-dir JobId 81120: Fatal error: bsock_tcp.c:591 Packet size too big from "Client: cms-server-fd:cms-server:9102. Terminating connection.
26-Jul 15:07 oc-dir JobId 81120: Fatal error: No Job status returned from FD.
26-Jul 15:07 oc-dir JobId 81120: Error: Bareos oc-dir 17.2.4 (21Sep17):
  Build OS:               x86_64-redhat-linux-gnu redhat CentOS Linux release 7.4.1708 (Core

(All hostnames above are changed)

The problem is that the certificate actually is not expired. I have checked it on both the server and client sides:

[root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.ca -noout -dates
notBefore=Nov  2 12:19:15 2020 GMT
notAfter=Oct 31 12:19:15 2030 GMT
[root@ cms-server ~]#
[root@cms-server ~]#
[root@cms-server ~]# openssl x509 -in /etc/bareos/pki/bareos.crt -noout -dates
notBefore=Jan 20 11:40:46 2021 GMT
notAfter=Jan 20 11:40:46 2026 GMT
[root@cms-server ~]#
[root@cms-server ~]#

And my configuration on the client:

[root@cms-server bareos-fd.d]# cat client/cms-server-fd.conf
FileDaemon {
  Name = cms-server-fd
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/pki/bareos.ca
  TLS Certificate = /etc/bareos/pki/bareos.crt
  TLS Key = /etc/bareos/pki/bareos.key
  Heartbeat Interval = 120
  Maximum Concurrent Jobs = 20
}

[root@cms-server bareos-fd.d]# cat director/cms-server-fd-dir.conf
Director {
  Name = oc-dir
  Password = "xxxxxxxxxxxxxxxxx"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/pki/bareos.ca
  TLS Certificate = /etc/bareos/pki/bareos.crt
  TLS Key = /etc/bareos/pki/bareos.key
}

Director {
  Name = cms-server-mon
  Password = "xxxxxxxxxxxxxxxxx"
  Monitor = yes
}

Can you suggest where to find the problem?


Bruno Friedmann
Jul 27, 2022, 8:02:14 AM
to bareos-users
Really still using 17.2? ;-)

I will make a rough guess, because you didn't specify which platform you use, nor the whole certificate output:
openssl expired CA, component, algo?

A lot of things have changed since 2017.
Maybe time to refresh the stack.

Al Gone
Jul 27, 2022, 9:03:27 AM
to bareos-users
Hey Bruno, thanks!
Yeah, it is pretty ancient, I agree. But there are no reasons to upgrade this complicated and already well-worked setup, since we are going to dispose of it as well as all the on-premises infrastructure we have in the next 6-9 months. Until then it'd be nice to have a proper backup and the existing solution, without putting much effort into it.

It is funny, but somehow it got fixed. First I generated a new self-signed CA cert/keypair, signed the client CSR/KEY/CRT, installed that on the client and updated the client configuration on the server side. It refused to accept these certificates. Then I reverted everything back and it magically started to work again.
It is strange, since I restarted the servers on both sides multiple times before and it didn't help.
Only playing with the certificates and then reverting everything back fixed the problem. :-)
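
Added example, not part of any post in this thread: ERR=10 in the Director log is OpenSSL verify error 10, which compares the peer certificate's notAfter with the clock of the host doing the verification, so the file dates alone do not settle it. The sketch below verifies one certificate against several verifier clocks using `openssl verify -attime`; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# verify_at CAFILE CERTFILE [EPOCH]
# Verifies CERTFILE against CAFILE as if the verifier's clock read EPOCH
# (default: this host's clock). Prints "OK" or OpenSSL's error line, e.g.
# "error 10 at 0 depth lookup: certificate has expired".
verify_at() {
    ca=$1; crt=$2; when=${3:-$(date +%s)}
    if out=$(openssl verify -attime "$when" -CAfile "$ca" "$crt" 2>&1); then
        echo "OK"
    else
        printf '%s\n' "$out" | grep '^error [0-9]' | head -n 1
    fi
}

# make_sample DIR: writes a constructed self-signed certificate, valid for
# one day from now, to DIR/sample.crt (stand-in for a real CA/client pair).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-fd" \
        -days 1 -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Demo: same certificate, three verifier clocks (one day behind, now,
# two days ahead). Only the middle one is inside the validity window.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
now=$(date +%s)
for skew in -86400 0 172800; do
    result=$(verify_at "$demo_dir/sample.crt" "$demo_dir/sample.crt" $((now + skew)))
    echo "clock offset ${skew}s: $result"
done
rm -rf "$demo_dir"
```

On a real host the equivalent check is `verify_at /etc/bareos/pki/bareos.ca /etc/bareos/pki/bareos.crt`, run on both the Director and the client so that each side's own clock and CA file are used.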