[Box Backup] Certificate problems

Tomas Nilsson tomas.nilsson at westint.se
Wed Jul 13 14:34:49 BST 2011


Hi,
First of all, sorry for this very long mail...

I'm trying to set up boxbackup to use for internal backups here at work. I have several servers and clients, and the plan is to have them all backed up on this backup server.

Installation and having the client find/connect to the server works fine, but when it comes to the certificates something goes wrong.
I'm mailing the list now since I just can't figure out what is wrong. I've tried the script to create the certificates, created them myself and tried everything else I could come up with, without success.
I still get an error saying "SSL error while accepting connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"

This is what I do.

1. Create a directory /certificates to do all the certificate work in.
2. Create the root certificates and set up the CA using bbstored-certs ca init
Output:
Generating RSA private key, 2048 bit long modulus
............................+++
........................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:

Signature ok
subject=/CN=Backup system client root
Getting Private key
Generating RSA private key, 2048 bit long modulus
.......................+++
.........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:

Signature ok
subject=/CN=Backup system server root
Getting Private key

3. Copy /certificates/ca/keys/serverRootKey.pem and /certificates/ca/keys/serverRootCSR.pem to /certificates
4. Sign the certificate using bbstored-certs ca sign-server serverRootCSR.pem
Output:

This certificate is for backup server

   Backup

Signing the wrong certificate compromises the security of your backup system.

Would you like to sign this certificate? (type 'yes' to confirm)
yes
Signature ok
subject=/CN=Backup system server root
Getting CA Private Key


Certificate signed.

Install the files

   ca/servers/Backup-cert.pem
   ca/roots/clientCA.pem

on the server.

5. Copy and rename Backup-cert.pem to /etc/boxbackup/bbstored/bkSrv.crt.pem
6. Copy clientCA.pem to /etc/boxbackup/bbstored/clientCA.pem
7. Copy and rename serverRootKey.pem to /etc/boxbackup/bbstored/bkSrv.key.pem
8. Edit /etc/boxbackup/bbstored.conf and change the certificate paths there to the ones above (steps 5-7)
9. On the client server, generate the key file and CSR using the following command:
        bbackupd-config /etc/boxbackup lazy 75AB23C bkSrv.westint.local /var/bbackupd /var/bbackupd/
        This creates the client certificate CSR I need and also sets up bbackupd.conf for me.
10. Send the CSR off to bkSrv for signing.
11. Sign westsrv2.csr.pem using: bbstored-certs ca sign 75AB23C-csr.pem
12. Get 75AB23C-cert.pem and serverCA.pem back from bkSrv and copy them to /etc/boxbackup/bbackupd/
13. Make sure that everything in bbackupd.conf looks fine.
14. Start the server on bkSrv by issuing bbstored -V -D (to get as much debug info as possible)
15. Start the client on westsrv2 by issuing bbackupd -V -D

Error on client:
NOTICE:  Starting daemon, version: 0.11rc2+2502
NOTICE:  Using configuration file: /etc/boxbackup/bbackupd.conf
TRACE:   BackupDaemon::NotifySysadmin() called, event = backup-start
INFO:    About to notify administrator about event backup-start, running script '/etc/boxbackup/bbackupd/NotifySysadmin.sh backup-start'
NOTICE:  Beginning scan of local files
TRACE:   Set maximum diffing time to 120 seconds
TRACE:   Set keep-alive time to 120 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999993 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999965 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999947 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999931 seconds
INFO:    Opening connection to server 'bkSrv.westint.local'...
ERROR:   SSL error while connecting: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TRACE:   Obtained 10 stack frames.
TRACE:   Stack frame 0: bbackupd(DumpStackBacktrace()+0x26) [0x4c87c6]
TRACE:   Stack frame 1: bbackupd(SocketStreamTLS::Handshake(TLSContext const&, bool)+0x718) [0x498eb8]
TRACE:   Stack frame 2: bbackupd(SocketStreamTLS::Open(TLSContext const&, Socket::Type, std::string const&, int)+0x2e) [0x4995ce]
TRACE:   Stack frame 3: bbackupd(BackupClientContext::GetConnection()+0x33f) [0x4250af]
TRACE:   Stack frame 4: bbackupd(BackupDaemon::SetupLocations(BackupClientContext&, Configuration const&)+0xae) [0x435c9e]
TRACE:   Stack frame 5: bbackupd(BackupDaemon::RunSyncNow()+0xf16) [0x43e576]
TRACE:   Stack frame 6: bbackupd(BackupDaemon::RunSyncNowWithExceptionHandling()+0x35) [0x43f235]
TRACE:   Stack frame 7: bbackupd(BackupDaemon::Run2()+0x27b) [0x440deb]
TRACE:   Stack frame 8: bbackupd(BackupDaemon::Run()+0x270) [0x4411b0]
TRACE:   Stack frame 9: bbackupd(Daemon::Main(std::string const&)+0x1402) [0x4812e2]
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(212)
TRACE:   timer: no more events, going to sleep.
TRACE:   BackupDaemon::NotifySysadmin() called, event = backup-error
INFO:    About to notify administrator about event backup-error, running script '/etc/boxbackup/bbackupd/NotifySysadmin.sh backup-error'

Error on Server:
NOTICE:  Starting daemon, version: 0.11rc8+2714
NOTICE:  Using configuration file: /etc/boxbackup/bbstored.conf
INFO:    Starting housekeeping
INFO:    Finished housekeeping
ERROR:   SSL error while accepting connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
TRACE:   Obtained 10 stack frames.
TRACE:   Stack frame 0: bbstored(DumpStackBacktrace()+0x23) [0x52bb83]
TRACE:   Stack frame 1: bbstored(SocketStreamTLS::Handshake(TLSContext const&, bool)+0x64d) [0x4ec19d]
TRACE:   Stack frame 2: bbstored(ServerTLS<2201, 128, true>::HandleConnection(SocketStreamTLS&)+0x25) [0x43b305]
TRACE:   Stack frame 3: bbstored(ServerStream<SocketStreamTLS, 2201, 128, true>::Run2(bool&)+0x94e) [0x442c2e]
TRACE:   Stack frame 4: bbstored(ServerTLS<2201, 128, true>::Run2(bool&)+0x139) [0x4450c9]
TRACE:   Stack frame 5: bbstored(BackupStoreDaemon::Run()+0x3ea) [0x439b0a]
TRACE:   Stack frame 6: bbstored(Daemon::Main(std::string const&)+0x2029) [0x4c5039]
TRACE:   Stack frame 7: bbstored(Daemon::Main(char const*, int, char const**)+0x464) [0x4c15a4]
TRACE:   Stack frame 8: bbstored(main+0x90) [0x45a8a0]
TRACE:   Stack frame 9: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff) [0x7fa888517eff]
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(207)
FATAL:   Terminating due to exception Connection TLSHandshakeFailed (7/30)

I've tried everything now: using the pre-defined scripts as above, making my own scripts, etc., but I just can't figure out why it doesn't work.
Probably it's me doing something wrong, but what?
It can't be that bkSrv needs a real certificate from VeriSign or a company like that, right?

Thanks in advance!

Tomas
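The two log excerpts above are two views of one failure. The client's "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" is the client rejecting the certificate the server presented; the server's "SSL3_READ_BYTES:tlsv1 alert unknown ca" is the server reading the alert the client sent back before closing. So the question to settle first is whether the certificate bbstored presents chains to the serverCA.pem installed on the client, and separately whether the key installed beside each certificate actually belongs to it. The script below is an added example, not part of the original message or of Box Backup's own tooling: it rebuilds the two-CA layout Box Backup uses (clientCA signs client certificates, serverCA signs the server certificate) with throwaway keys in a temporary directory, then runs the openssl checks against both the right and the wrong CA file. The CNs, file names and the temporary directory are assumptions; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original post or from Box Backup itself.
# Rebuilds Box Backup's two-CA layout with throwaway keys in a temp dir
# (clientCA signs client certs, serverCA signs the server cert; the CNs and
# file names below are illustrative assumptions), then runs the openssl
# checks that separate "unknown ca" / "certificate verify failed" from other
# TLS failures. Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: make_ca <basename> <CN>
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$1.key.pem" -out "$1.pem" 2>/dev/null
}

# Key + CSR, then a certificate signed by the named CA:
# make_leaf <basename> <CN> <ca-basename>
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key.pem" -out "$1-csr.pem" 2>/dev/null
  openssl x509 -req -in "$1-csr.pem" -CA "$3.pem" -CAkey "$3.key.pem" \
    -CAcreateserial -days 30 -out "$1-cert.pem" 2>/dev/null
}

# Check 1: does the certificate chain to the CA file the *peer* trusts?
# A peer that cannot build this chain sends the "unknown ca" alert; the
# side that receives the alert logs SSL3_READ_BYTES ... unknown ca.
# verify_chain <ca.pem> <cert.pem>  -> exit status of openssl verify
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key installed beside the certificate belong
# to it? Compare the public key derived from each file.
# key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: is the file a root or a leaf? A root's subject equals its
# issuer; a leaf's issuer names the CA that signed it.
# is_self_signed <cert.pem>
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
  i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

make_ca   clientCA "Backup system client root"
make_ca   serverCA "Backup system server root"
make_leaf 75AB23C  "BACKUP-75AB23C"      clientCA   # client account cert
make_leaf bkSrv    "bkSrv.westint.local" serverCA   # backup server cert

# Right pairing: the client checks the server cert against serverCA.pem,
# the server checks the client cert against clientCA.pem.
verify_chain serverCA.pem bkSrv-cert.pem      && echo "server cert chains to serverCA"
verify_chain clientCA.pem 75AB23C-cert.pem    && echo "client cert chains to clientCA"
key_matches_cert bkSrv.key.pem bkSrv-cert.pem && echo "bkSrv key matches bkSrv cert"
is_self_signed serverCA.pem                   && echo "serverCA.pem is a root (subject == issuer)"

# Wrong pairings fail the same way a mis-installed CA file, or a root key
# installed in place of the leaf key, fails on the wire.
verify_chain clientCA.pem bkSrv-cert.pem         || echo "server cert vs clientCA: verify failed (expected)"
key_matches_cert serverCA.key.pem bkSrv-cert.pem || echo "serverCA key vs bkSrv cert: mismatch (expected)"
is_self_signed bkSrv-cert.pem                    || echo "bkSrv-cert.pem is a leaf, not a root"
```

Against the real files from the steps above, the equivalent checks are openssl verify -CAfile /etc/boxbackup/bbackupd/serverCA.pem bkSrv.crt.pem (what the client has to be able to do) and openssl verify -CAfile /etc/boxbackup/bbstored/clientCA.pem 75AB23C-cert.pem (what the server has to be able to do), plus the public-key comparison between bkSrv.key.pem and bkSrv.crt.pem. A file meant to be the server's leaf certificate whose subject equals its issuer, or a root key sitting where the server key should be, shows up in the third and second check respectively, and neither needs a certificate from a commercial CA: both sides only ever trust the two roots that bbstored-certs ca init created.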
