tls setup with letsencrypt?


saschadd
Mar 9, 2017, 2:30:21 AM
to bareos-users
Hello,

I was wondering if it is possible to use letsencrypt certificates for the TLS encryption of Bareos, as I already did with proftp.

I tried to adopt the usage of the letsencrypt certificates from proftp, but this is not working.

Bareos is not able to load the keys

Error: tls_gnutls.c:205 Error loading key from ...

As this failure message doesn't say much to me, I need a hint as to what this error code actually means.

saschadd

Bruno Friedmann
Mar 10, 2017, 6:39:43 AM
to bareos...@googlegroups.com
I didn't check the latest documentation, but normally Bareos only supports
openssl, and you have a tls_gnutls error message?

Which version are you using, and where does it come from?


--

Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

openSUSE Tumbleweed
Linux 4.10.1-1-default x86_64 GNU/Linux, nvidia: 378.13
Qt: 5.7.1, KDE Frameworks: 5.31.0, Plasma: 5.9.3, kmail2 5.4.2

saschadd
Mar 10, 2017, 2:45:33 PM
to bareos-users
It's 16.2.4 from the Debian stretch repo.

I get an error message

Error: tls_gnutls.c:205 Error loading key from ...

when I try to load the letsencrypt files directly from

/etc/letsencrypt/live/mydomain.com/...

Meanwhile I was able to resolve this failure message by

1. copying over the letsencrypt files from /etc/letsencrypt/live/mydomain.com/... to /etc/bareos/ssl
2. cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > stunnel.pem
3. making a CA certificate file with the IdenTrust root certificate https://www.identrust.com/certificates/trustid/root-download-x3.html

and then using

TLS CA Certificate File = /etc/bareos/ssl/ca.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /etc/bareos/ssl/stunnel.pem
TLS Key = /etc/bareos/ssl/privkey.pem

After doing this, bareos-dir starts without a failure message.
So it might be possible to use letsencrypt.
How could I test if it is working and the connection is encrypted?


But the following error remains

Error: tls_gnutls.c:220 Failed to load DH file /etc/bareos/ssl/dh2048.pem

when adding the line

TLS DH File = /etc/bareos/ssl/dh2048.pem

and I don't know why.

Bruno Friedmann
Mar 11, 2017, 3:09:40 AM
to bareos...@googlegroups.com
I don't want to blame someone, but in the documentation (data encryption) it's clearly
stated:

Please note! This feature is only available if Bareos is built against
OpenSSL.

You have a build against gnu_tls :-O

saschadd
Mar 11, 2017, 6:29:52 AM
to bareos-users
That's correct!
Does it mean that those files in Debian stretch are not correct?

But I want to use Transport Encryption as described in Chapter 29 and not Data Encryption.

Bruno Friedmann
Mar 11, 2017, 10:14:39 AM
to bareos...@googlegroups.com
On Saturday, 11 March 2017 12:29:52 CET saschadd wrote:
> That's correct!
> Does it mean that those files in Debian stretch are not correct?

It is really my personal opinion, based on previous experiences, where it's
hard to understand some downstream packagers that believe they know better than
upstream how a piece of software should work, and especially when they keep heavy
patching for their system. It's their right, but why they don't try to
collaborate with upstream to the benefit of all is still a mystery to me after having
spent 15 years in FLOSS.

> But I want to use Transport Encryption as described in Chapter 29 and not
> Data Encryption.
The transport chapter refers to the data encryption one because the underlying engine used
is the same, and as the doc is quite huge :-), this allows saving a few paragraphs
...

Perhaps you should move (or test first in a virtual machine or whatever) your bareos
installation to those provided by the bareos project. If those work, you can then
complain in your distribution's bug reporting that they use the wrong component,
in the hope of creating a changed mindset there, or simply use the bareos project
builds, and if needed (always cool for the project) buy a subscription.

But again, this is my way of viewing things ;-)

saschadd
Mar 11, 2017, 3:15:14 PM
to bareos-users
On Saturday, 11 March 2017 16:14:39 UTC+1, Bruno Friedmann wrote:
> > But I want to use Transport Encryption as described in Chapter 29 and not
> > Data Encryption.
> The transport chapter refers to the data encryption one because the underlying engine used
> is the same, and as the doc is quite huge :-), this allows saving a few paragraphs

This should be corrected in the manual, as Transport Encryption is chapter 29, before Data Encryption, which is chapter 30. And stating that bareos has to be built against openssl to use data encryption doesn't necessarily mean that this is needed for transport encryption as well.

Maybe a chapter "Encryption" which gives a short summary of what is needed for both encryption methods could help to clarify the issue.

> Perhaps you should move (or test first in a virtual machine or whatever) your bareos
> installation to those provided by the bareos project. If those work, you can then
> complain in your distribution's bug reporting that they use the wrong component,
> in the hope of creating a changed mindset there, or simply use the bareos project
> builds, and if needed (always cool for the project) buy a subscription.

I would like to use the project builds, but as I need armel packages I can't seem to use the bareos repo.
I tried to configure it myself, but the information on https://www.bareos.org/en/HOWTO/articles/how-to-contribute-to-bareos.html > Howto Compile is a bit too little to get things done. :(

saschadd
Mar 11, 2017, 6:02:55 PM
to bareos-users
> I would like to use the project builds, but as I need armel packages I can't seem to use the bareos repo.
> I tried to configure it myself, but the information on https://www.bareos.org/en/HOWTO/articles/how-to-contribute-to-bareos.html > Howto Compile is a bit too little to get things done. :(

To be more clear, there is some information missing on how to get these

DAEMON_USER=bareos
DAEMON_GROUP=bareos
DIRECTOR_DAEMON_USER=${DAEMON_USER}
STORAGE_DAEMON_USER=${DAEMON_USER}
FILE_DAEMON_USER=root
STORAGE_DAEMON_GROUP=${DAEMON_GROUP}
WORKING_DIR=/var/lib/bareos

variables working in configure.

Bruno Friedmann
Mar 12, 2017, 5:10:57 AM
to bareos...@googlegroups.com
As you said, those are variables, so they are just set before the configure
line.

It's just copy and paste; I don't understand what you would need to make this
more clear.

saschadd
Mar 12, 2017, 5:59:53 AM
to bareos-users
Well, I am used to installing from repos, and this building from source is something new for me.

I know I can do

./configure \
....

to let the package configure, but I don't know where to enter these variables.
Do I have to copy the whole text to a file and run it?

Sorry for these beginner's questions. ;)

Bruno Friedmann
Mar 13, 2017, 10:20:44 AM
to bareos...@googlegroups.com
Doesn't Debian have an "easy/dumb" way of recompiling a package from source,
à la rpmbuild?

Using the bareos project deb rules to build your armel should not be that hard.
But yes, perhaps it still needs some training and knowledge ;-)



saschadd
Mar 16, 2017, 3:24:50 AM
to bareos-users
Could it be that it is just not possible to build bareos against actual openssl versions?
When trying to build the package I get this error

crypto_openssl.c:131:1: error: expected constructor, destructor, or type conversion before ‘IMPLEMENT_STACK_OF’ IMPLEMENT_STACK_OF(RecipientInfo)

followed by many more until it stops with failure

Makefile:225: die Regel für Ziel „crypto_openssl.lo“ scheiterte
make[2]: *** [crypto_openssl.lo] Fehler 1

I tried with OpenSSL 1.0.1t which is the actual version from Debian jessie.

saschadd
Mar 20, 2017, 4:57:41 PM
to bareos-users
Okay, it was something else.
I was able to build it against openssl from git.
The source packages on stretch are already gnutls enabled and can't be used for that out of the box.

It seems to work, but bareos-dir is only able to load the certificates when they are copied over to /etc/bareos/ssl and chowned to bareos:bareos.
But bareos-fd, bareos-sd and bconsole start with the files in /etc/letsencrypt/live/mydomain/...

Why is bareos-dir not able to load the files from there but the other services are?
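An added check for the last question (my own Python example, not code from the thread or from the Bareos project): it reports whether a given daemon uid can reach a key file through the path as the kernel sees it, which is the usual reason a key loads for one daemon and not another. It assumes certbot's default tree (live/ holds symlinks into archive/, both directories 0700, the key 0600) and rebuilds that tree as a constructed sample in a temporary directory; the daemon uid is a stand-in for the bareos user from the DIRECTOR_DAEMON_USER variable quoted earlier, while a daemon running as root (FILE_DAEMON_USER=root above) passes unconditionally.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gid, user_bit, group_bit, other_bit):
    """Classic Unix DAC: root bypasses; otherwise the owner, group or other bit applies."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def first_blocking_component(path, uid, gid):
    """None if uid/gid can open `path` for reading, else the first component that denies it."""
    real = os.path.realpath(path)  # live/<dom>/privkey.pem -> archive/<dom>/privkeyN.pem
    current = os.sep
    for name in real.split(os.sep)[1:-1]:  # every directory needs the search (x) bit
        current = os.path.join(current, name)
        if not _allowed(os.stat(current), uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return current
    if not _allowed(os.stat(real), uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return real  # the key file itself needs the read (r) bit
    return None

def build_certbot_like_layout(base, domain="mydomain.com", locked=True):
    """Constructed sample: certbot-style live/ -> archive/ symlink, 0700/0600 or relaxed 0755/0644."""
    archive, live = os.path.join(base, "archive", domain), os.path.join(base, "live", domain)
    for d in (archive, live):
        os.makedirs(d)
    key = os.path.join(archive, "privkey1.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    link = os.path.join(live, "privkey.pem")
    os.symlink(os.path.relpath(key, live), link)
    dir_mode, key_mode = (0o700, 0o600) if locked else (0o755, 0o644)
    for d in (os.path.join(base, "archive"), archive, os.path.join(base, "live"), live):
        os.chmod(d, dir_mode)
    os.chmod(key, key_mode)
    return link

def check_layout(locked=True):
    """Report what blocks the owner (root on a real host) and an unprivileged daemon uid."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        link = build_certbot_like_layout(tmp, locked=locked)
        daemon = os.getuid() + 1  # stand-in for the bareos uid: neither owner nor group
        return (first_blocking_component(link, os.getuid(), os.getgid()),
                first_blocking_component(link, daemon, daemon))
```

Calling check_layout(True) names the 0700 archive directory as the first component the daemon uid cannot traverse, while check_layout(False) returns None for both, which matches the copied-and-chowned files in /etc/bareos/ssl working where the live/ path did not.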
