Can't connect to the remote PostgreSQL Bareos Database

[Stefan Harbich]

Hello everyone,

please tell me if accessing the remote PostgreSQL Bareos database also works via SSL?

I'm getting this message:

...

SQL server not running; password incorrect; server requires ssl; max_connections exceeded.

...

I can connect via SSL using "psql". I found the following note in the documentation:

"The PostgreSQL connection must not be an SSL connection. If the PostgreSQL server only allows SSL connections, the database cannot be opened."

This can't be right, can it? Please change this.

Regards, Stefan Harbich

[Sebastian Sura]

Hi Stefan,

we currently do not support bareos interacting with postgres via ssl as this lead to some hard to debug issues.

Kind Regards
Sebastian Sura

Am 28.03.26 um 03:37 schrieb Stefan Harbich:

Regards, Stefan Harbich --
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bareos-users...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bareos-users/c5074013-9a66-404f-9013-be5c6f8ddecfn%40googlegroups.com.

-- 
 Sebastian Sura                  sebasti...@bareos.com
 Bareos GmbH & Co. KG            Phone: +49 221 630693-0
 https://www.bareos.com
 Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
 Komplementär: Bareos Verwaltungs-GmbH
 Geschäftsführer: Stephan Dühr, Jörg Steffens, Philipp Storz

[Stefan Harbich]

Hello Sebastian,

that's a shame. That security is not the top priority in your company.

Greetings from Stefan Harbich

[Bruno Friedmann (bruno-at-bareos)]

Well I found the reply a bit harsh. 

You consider that security in encrypting communication is top priority, while we have considered as top priority consistency of your valuable data.

Regards..

[Stefan Harbich]

Dear Mr. Friedmann,

i don't understand your answer.

Why is backup encrypted between the Director and all host systems when the consistency of our data is our top priority?
This contradicts your answer.

Kind regards from Stefan Harbich

[Bruno Friedmann (bruno-at-bareos)]

We detected (paid customer use case) a problem when connection between dir and catalog are handle over tcp with ssl enabled (making backup recording at risk and can make them inconsistent at restore time).

As the vast majority 98% of user have the director running where the pg catalog is run, we decided the better fix for the momen is to either connect pg by the socket (which is far more efficient) and do not allow ssl tcp connections. This allow the connection to still be used by tcp but uncrypted if not set inside a vpn or other mitigation.

The communication between daemon stay encrypted by default. Only if a remote host is used for the catalog, the connection between the dir and that host needs to be encrypted by another way than the native libpq tcp ssl.

Hope this clarify my previous statement. 

[Stefan Harbich]

Hello Mr. Friedmann,

it's a shame you weren't able to resolve the issue with your paying customer. I'm not a fan of having to manage and support dedicated databases for every use case.

But your company isn't alone in this. I'm hearing more and more that many applications are using their own databases, regardless of the effort required from the end user.
That settles it for me. Thank you for your openness.

Regards, Stefan Harbich

[Andreas Rogge]

Hi Stefan,

the underlying problem is that the way we're using libpq is apparently
not 100% thread-safe when used in conjuction with TLS. Right now we
haven't understood where exactly things break. Maybe it is Bareos' fault
or libpq's or OpenSSL's. Maybe it only happens on with specific versions
of these components.
Sadly, things will work fine for weeks until one of the database
connections fails in really strange ways (i.e. "PGError: lost
synchronization with server" after some strange TLS errors are logged).
This then takes one or more (presumably long-running) backup jobs with
it. In the end, we decided to disable TLS on our end.

Having said that, you can still have a TLS encrypted connection to your
database server using PgBouncer or something like that.
Also, feel free to create a PR that adds a configuration setting to
allow (or even require) TLS on the database connection. We will happily
accept a change like that.

Best Regards,
Andreas

--
Andreas Rogge andrea...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221-630693-86
http://www.bareos.com

[Stefan Harbich]

Hi Andreas,

thanks so much for your reply.

I tried to establish a TLS connection to the Bareos database using PGBouncer. Unfortunately, it's not working.

I keep getting a message that password authentication failed.

This must be related to the "SQL_ASCII" encoding and the "C" database type.

How did you manage to access the database via PGBouncer using TLS encryption?

Best regards, Stefan Harbich

[Bruno Friedmann (bruno-at-bareos)]

Did you tried with the forced connection ?

pgbouncer.ini

bareos = host=yourremote.domain.local port=5432 user=bareos password=Wh@tever client_encoding=SQL_ASCII

Bareos catalog def 

Catalog {
  Name = mycatalog

  dbhost = localhost

  dbport = 6432
  dbname = "bareos"
  dbuser = "bareos"
  dbpassword = "Wh@tever"
}

of course you need the /etc/pgbouncer/userlist.txt to contain again the bareos "Wh@tever" password.

at least with this I was able to do connection.

[Stefan Harbich]

I only use secure connections. The following approach doesn't work with Bareos.

...

echo "

;;;

;;; TLS settings for connecting to backend databases

;;;

;server_tls_sslmode = prefer | require | verify-ca | verify-full

server_tls_sslmode = require

server_tls_ca_file = /etc/pgbouncer/root.crt

server_tls_key_file = /etc/pgbouncer/pgbouncer.key

server_tls_cert_file = /etc/pgbouncer/pgbouncer.crt

 

;;;

;;; TLS settings for accepting client connections

;;;

;client_tls_sslmode = prefer | require | verify-ca | verify-full

client_tls_sslmode = require

client_tls_ca_file = /etc/pgbouncer/root.crt

client_tls_key_file = /etc/pgbouncer/pgbouncer.key

client_tls_cert_file = /etc/pgbouncer/pgbouncer.crt

" >> /etc/pgbouncer/pgbouncer.ini

...

[Bruno Friedmann (bruno-at-bareos)]

In fact you have to make pgbouncer listen on its socket, and make bareos connected to the pgbouncer socket (there's no encryption involved nor needed here)

then the next hop pgbouncer -> db server use a TLS connection.

so I'm not wrong in this case pgbouncer server_tls_sslmode is off while client is require.

[Stefan Harbich]

Hi Bruno,

just to make sure I understand correctly:

I'm installing the pgbouncer software on the Bareos Director.

Communication between Bareos and pgbouncer runs via the Unix socket.

Communication between pgbouncer and my PostgreSQL cluster (HaProxy, Petroni, Etcd, and PostgreSQL) is encrypted. Is that correct?

Regards, Stefan Harbich

[Stefan Harbich]

Hi Bruno,

just to make sure I understand correctly:

I'm installing the pgbouncer software on the Bareos Director.

Communication between Bareos and pgbouncer runs via the Unix socket.

Communication between pgbouncer and my PostgreSQL cluster (HaProxy, Petroni, Etcd, and PostgreSQL) is encrypted. Is that correct?

Regards, Stefan Harbich

Bruno Friedmann (bruno-at-bareos) schrieb am Donnerstag, 16. April 2026 um 09:38:37 UTC+2:

[Bruno Friedmann (bruno-at-bareos)]

Hi Stefan,

Yes that's how I imagine the case. 

[Stefan Harbich]

Hello Andreas,

i started a large backup via pgbouncer. Unfortunately, the backup is failing.

Error message:
...
bareos-dir JobId 3: Error: Bareos bareos-dir 25.0.4~pre116.b35277fb6 (30Apr26):
OS Information: Debian GNU/Linux 13 (trixie)
JobId: 3
Job: backup-dsme01-fd.2026-05-19_00.20.22_22
Backup Level: Full (upgraded from Incremental)
Client: "dsme01-fd" 25.0.3~pre96.1f53a5305 (26Mar26) Debian GNU/Linux 11 (bullseye),debian
FileSet: "LinuxServer" 2026-05-19 00:15:07
Pool: "Full" (From Job FullPool override)
Catalog: "MyCatalog" (From Client resource)
Storage: "File" (From Job resource)
Scheduled time: 19-Mai-2026 00:20:22
Start time: 19-Mai-2026 00:20:24
End time: 19-Mai-2026 00:46:46
Elapsed time: 26 mins 22 secs
Priority: 10
Allow Mixed Priority: no
FD Files Written: 450,624
SD Files Written: 450,624
FD Bytes Read: 74,269,024,746 (74.26 GB)
FD Bytes Written: 74,269,026,018 (74.26 GB)
SD Bytes Written: 74,339,587,424 (74.33 GB)
Rate: 46946,3 KB/s
Software Compression: None
VSS: no
Encryption: no
Accurate: no
Volume name(s): Full-0001|Full-0002
Volume Session Id: 3
Volume Session Time: 1779141929
Last Volume Bytes: 15,652,801,800 (15.65 GB)
Non-fatal FD errors: 1
SD Errors: 0
FD termination status: OK
SD termination status: OK
Bareos binary info: Bareos community build (UNSUPPORTED): Get professional support from https://www.bareos.com
Job triggered by: User
Termination: *** Backup Error ***

38
2026-05-19 00:46:46
bareos-dir JobId 3: Fatal error: cats/sql_create.cc:803 Fill Path table Query failed: INSERT INTO Path (Path)
SELECT a.Path
FROM (
SELECT DISTINCT Path
FROM batch
) AS a
WHERE NOT EXISTS (
SELECT Path
FROM Path
WHERE Path = a.Path
)
: ERR=ERROR: relation "batch" does not exist
ZEILE 5: FROM batch
^
37
2026-05-19 00:46:06
bareos-dir JobId 3: Insert of attributes batch table with 450623 entries start
36
2026-05-19 00:46:06
bareos-sd JobId 3: Elapsed time=00:25:35, Transfer rate=48.42 M Bytes/second
35
2026-05-19 00:46:05
bareos-sd JobId 3: Releasing device "FileStorage" (/media/backups/storage).
34
2026-05-19 00:42:22
bareos-sd JobId 3: New volume "Full-0002" mounted on device "FileStorage" (/media/backups/storage) at 19-Mai-2026 00:42.
33
2026-05-19 00:42:22
bareos-sd JobId 3: Ready to append to end of Volume "Full-0002" size=207
32
2026-05-19 00:42:22
bareos-sd JobId 3: Moving to end of data on volume "Full-0002"
31
2026-05-19 00:42:22
bareos-sd JobId 3: Labeled new Volume "Full-0002" on device "FileStorage" (/media/backups/storage).
30
2026-05-19 00:42:21
bareos-dir JobId 3: Created new Volume "Full-0002" in catalog.
29
2026-05-19 00:42:16
bareos-sd JobId 3: End of medium on Volume "Full-0001" Bytes=75,161,778,387 Blocks=71,682 at 19-Mai-2026 00:42.
28
2026-05-19 00:42:16
bareos-sd JobId 3: User defined maximum volume capacity 75,161,927,680 exceeded on device "FileStorage" (/media/backups/storage).
27
2026-05-19 00:20:25
bareos-sd JobId 3: Ready to append to end of Volume "Full-0001" size=16455154014
26
2026-05-19 00:20:25
bareos-sd JobId 3: Moving to end of data on volume "Full-0001"
...
What does this error mean?
Best regards,
Stefan

Andreas Rogge schrieb am Mittwoch, 1. April 2026 um 16:01:33 UTC+2:

[Andreas Rogge]

Am 19.05.26 um 01:03 schrieb Stefan Harbich:

> i started a large backup via pgbouncer. Unfortunately, the backup is
> failing.

The missing table is a session-local temporary table. If the connection
is lost or bgbouncer for some reason puts the Bareos connection onto
another backend session this will happen.
For pgbouncer that means you will have to run in session pooling mode,
neither transaction pooling nor statement pooling will work with Bareos.
Could you double-check that?