TLS setup: what Common Name (CN) to use for certificates for which names?


Michel V

Jan 2, 2017, 3:01:22 AM
to bareos-users
Hey all,

I have a working setup with jobs that work. Extended to two machines, and that also works. Now I would like to implement TLS for communication between the different machines, but I'm lost in options.
(And I've reread docs many times).

For sake of simplicity:

Two separate servers
server01 on server01.example.com
server02 on server02.example.com

Director: bareos-dir on server01
Client1: bareos01-fd on server01
Client1: bareos02-fd on server02
Storage: bareos-sd on server01

bconsole: on server01

I am creating my own certificates, so I can choose the Common Name in there.
But up to now, no luck in getting it working, although certificates are valid. Probably due to my lack of understanding which Common Name should be used for which program on which server. Documentation is not making it any clearer, and the mailing list does not show explicit examples.

Current error message in bconsole: Connect failure: ERR=error:140940F5:SSL routines:ssl3_read_bytes:unexpected record

My questions:
1. Common Name to use
E.g. for bareos-dir: should that be server01.example.com, or bareos-dir.server01.example.com, or should I use a client certificate bareo...@server01.example.com?
Same holds for Client 1 and 2: what to use?

Please note that I started with simple certificates for server01.example.com for Director, Client1 and Storage, but no luck there.
Could someone write out this for the two clients, to make it easier to understand?

2. Name in config
Should I keep with bareos-dir, bareos01-fd etc, or should those be FQDN names as well, eg bareos-dir.example.com?

3. Certificate checking
Is the certificate checked against the name (bareos-dir etc), or against the server location?

4. bconsole
Can bconsole also be secured, as there is no mention of that in the manual?

With all the best for 2017,

Michel

Michel V

Jan 3, 2017, 6:49:34 AM
to bareos-users
Good morning again,

After more trying out, I discovered that bareos actually expects client certificates. I followed this tutorial here:
https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html
and created client certificates for bareos01-fd, bareos02-fd, bareos-dir and possibly monitor on their respective servers.

Common Names then for the clients:
bareo...@server01.example.com
bareos02-fdserver02.example.com
bareo...@server01.example.com

Then server certificates for both servers (each having their Common Name equally to their address)
server01.example.com
server02.example.com

The names for the clients and servers don't seem to matter.

Then in the config files you need to deploy server certificates for the incoming connecting client, and at time client certificates if a client needs to identify itself.



In bareos-dir.d/director/bareos-dir.conf you need to check if the incoming connection from the monitor is valid:

#TLS
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = bareo...@server01.example.com
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
TLS Key = /etc/bareos/tls/server01.example.com.key.pem


In bareos-dir.d/client/bareos02.conf you define the client to connect to as director, and describe the client certificate the director will use to connect with to the client. Here the CN is important, as that is checked in client connections.

Address = server02.example.com #Example for separate server

#TLS
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
# This is a client certificate, used by the director to
# connect to the file daemon
TLS Certificate = /etc/bareos/tls/bareo...@server01.example.com.cert.pem #Director is on server01
TLS Key = /etc/bareos/tls/bareo...@server01.example.com.key.pem


In bareos-fd.d/client/client02.conf you define the FD client on that server and offer a client certificate.


# You need these TLS entries so the SD and FD can
# communicate
TLS Enable = yes
TLS Require = yes

TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
TLS Certificate = /etc/bareos/tls/bareo...@server02.example.com.cert.pem # Example for other server
TLS Key = /etc/bareos/tls/bareo...@server02.example.com.key.pem


In bareos-fd.d/.. and bareos-sd.d/director/bareos-dir.conf (and also in bareos-fd.d) you need to verify the incoming director connection, and offer a server certificate:

#TLS
TLS Enable = yes
TLS Require = yes
# Require the connecting director to provide a certificate
# with the matching CN.
TLS Verify Peer = yes
TLS Allowed CN = bareo...@server01.example.com
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
# This is a server certificate. It is used by the connecting
# director to verify the authenticity of this storage daemon
TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
TLS Key = /etc/bareos/tls/server01.example.com.key.pem


In bareos-sd.d/storage/bareos-sd.conf you get the exception according to the documentation, in which you do not need verification.

# These TLS configuration options are used for incoming
# file daemon connections. Director TLS settings are handled
# below.
TLS Enable = yes
TLS Require = yes
# Peer certificate is not required/requested -- peer validity
# is verified by the storage connection cookie provided to the
# File Daemon by the director.
TLS Verify Peer = no
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
# This is a server certificate. It is used by connecting
# file daemons to verify the authenticity of this storage daemon
TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
TLS Key = /etc/bareos/tls/server01.example.com.key.pem


___
The part I am not sure about, and connect test, is the following (but I'm not getting errors)

In bconsole.conf you need to offer the option for encrypted bconsole communication

Address = server01.example.com
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
TLS Certificate = /etc/bareos/tls/bareo...@server01.example.com.cert.pem
TLS Key = /etc/bareos/tls/bareo...@server01.example.com.key.pem

In bareos-dir.d/console/console.conf you add these settings as well:


#TLS
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = "bareo...@server01.example.com"
TLS CA Certificate File = /etc/bareos/tls/ca-chain.cert.pem
# This is a server certificate. It is used by connecting
# directors to verify the authenticity of this file daemon
TLS Certificate = /etc/bareos/tls/server01.example.com.cert.pem
TLS Key = /etc/bareos/tls/server01.example.com.key.pem

____

I hope this helps someone else, and this can inspire the manual maintainers.

Michel
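A pre-deployment self-check for the rule the post arrives at (the CN in the connecting daemon's client certificate must equal the string the peer puts in TLS Allowed CN, and both sides must trust the same CA chain), written as an added example that is not part of the original post or of Bareos; it assumes openssl is installed, and the CA and the CN "example-fd@server02.example.com" it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment self-check of a
# Bareos TLS certificate/key pair. Assumes openssl is on PATH; the CA and the
# CN "example-fd@server02.example.com" are constructed for the demo.
set -eu

# check_bareos_cert CERT KEY CA EXPECTED_CN
#   1. CERT chains to CA (the file the peer names in "TLS CA Certificate File")
#   2. KEY is the private key belonging to CERT
#   3. CERT's subject CN is exactly the peer's "TLS Allowed CN" string
check_bareos_cert() {
    cert=$1; key=$2; ca=$3; expected_cn=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: $cert does not verify against $ca"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key: $key does not belong to $cert"; return 1; }
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ] ||
        { echo "cn: certificate has '$cn', peer allows '$expected_cn'"; return 1; }
    return 0
}

# make_test_pki DIR: throwaway CA plus one client certificate signed by it,
# mirroring the CA-chain + per-daemon client certificate layout from the post.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-fd@server02.example.com" \
        -keyout "$dir/fd.key" -out "$dir/fd.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/fd.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/fd.pem" 2>/dev/null
}

# Demo run: the pair passes for the CN it was issued with and is rejected
# for any other "TLS Allowed CN" value.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
check_bareos_cert "$demo_dir/fd.pem" "$demo_dir/fd.key" "$demo_dir/ca.pem" \
    "example-fd@server02.example.com" && echo "OK: usable where TLS Allowed CN = example-fd@server02.example.com"
check_bareos_cert "$demo_dir/fd.pem" "$demo_dir/fd.key" "$demo_dir/ca.pem" \
    "example-fd" || echo "(expected) rejected for a different Allowed CN"
rm -rf "$demo_dir"
```

Run it against the real files from each resource (the client certificate of the connecting daemon, and the CA chain plus Allowed CN from the peer's resource) before enabling TLS Require on both sides.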

