[Box Backup] Certificate problems

Peter Jalajas, GigaLock Backup Services pjalajas at gigalock.com
Wed Jul 13 18:18:10 BST 2011


Hi Tomas,

On Wed, Jul 13, 2011 at 9:34 AM, Tomas Nilsson <tomas.nilsson at westint.se> wrote:
...
> I still get an error saying "SSL error while accepting connection:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
...
> 3. Copy /certificates/ca/keys/serverRootKey.pem and
> /certificates/ca/keys/serverRootCSR.pem to /certificates
...
> 5. copy and rename Backup-cert.pem to /etc/boxbackup/bbstored/bkSrv.crt.pem
> 6. copy clientCA.pem to /etc/boxbackup/bbstored/clientCA.pem
> 7. copy and rename serverRootKey.pem to
> /etc/boxbackup/bbstored/bkSrv.key.pem

Just guessing, but maybe an owner or permissions issue on the certs?
Owners of bbackupd and bbstored processes need to be able to read the
certs. And do you have all the necessary files present on both sides?

On my client:
root      4107     1  0 Jul04 ?        00:01:07 bbackupd
-rw-r--r-- 1 root root 1021 2008-05-15 12:22 serverCA.pem
-rw-r--r-- 1 root root 1.7K 2008-08-01 12:06 10009999-key.pem
-rw-r--r-- 1 root root 1.0K 2009-09-17 10:08 10009999-FileEncKeys.raw
-rw-r--r-- 1 root root  997 2008-08-01 12:06 10009999-cert.pem

On my server:
root      1184     1  0 Jun11 ?        00:02:50 bbstored
root      1185  1184  6 Jun11 ?        2-04:12:13 bbstored
-rw-r--r-- 1 root root 1.7K 2011-01-03 15:01 srvr-key.pem
-rw-r--r-- 1 root root  981 2011-01-03 15:01 srvr-cert.pem
-rw-r--r-- 1 root root 1021 2011-01-03 15:01 clientCA.pem

(But I think I should make those permissions 600 on both the client
and server so that no other user can access them.)

> 12. Getting back 75AB23C-cert.pem and serverCA.pem from bkSrv and copies
> them to /etc/boxbackup/bbackupd/

Did copying tweak owner/perms?

...
> Error on client:
...
> ERROR:   SSL error while connecting: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
...
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(212)
...
> Error on Server:
...
> ERROR:   SSL error while accepting connection: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
...
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(207)
> FATAL:   Terminating due to exception Connection TLSHandshakeFailed (7/30)
...
> It can’t be so that bkSrv needs a real certificate from VeriSign or a
> company like that, right?

Right, for sure. You do _not_ need a "real" certificate.

Hope that helps,
Pete
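
The permissions check discussed in the message above, as an added example that is not part of the original post or of Box Backup itself: it lists private-key material under a Box Backup config directory that is accessible beyond its owner and can optionally tighten it to 600. The file-name patterns (`*key.pem`, `*FileEncKeys.raw`) are assumptions taken from the listings above, and the script assumes the files are owned by the account the daemon runs as.

```shell
#!/bin/sh
# Added example: audit Box Backup key material for group/other access.
# File-name patterns are assumptions based on the listings in the message.

# Print every key file under DIR that grants any group or other permission bit.
loose_key_files() {
    find "$1" -type f \( -name '*key.pem' -o -name '*FileEncKeys.raw' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Restrict each flagged file to owner read/write; certificates are not touched.
tighten_key_files() {
    loose_key_files "$1" | while IFS= read -r f; do
        chmod 600 "$f" && echo "chmod 600 $f"
    done
}

# Report only by default (returns 1 if anything is loose); pass --fix to chmod.
audit_boxbackup_keys() {
    dir=$1
    fix=${2:-}
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    found=$(loose_key_files "$dir")
    if [ -z "$found" ]; then
        echo "OK: no key files accessible beyond owner in $dir"
        return 0
    fi
    echo "Key files accessible beyond owner in $dir:"
    echo "$found"
    if [ "$fix" = "--fix" ]; then
        tighten_key_files "$dir"
        return 0
    fi
    return 1
}
```

Run it as `audit_boxbackup_keys /etc/boxbackup/bbstored` on the server and `audit_boxbackup_keys /etc/boxbackup/bbackupd` on the client, adding `--fix` once the report looks right.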


