[Box Backup] Certificate problems

Tomas Nilsson tomas.nilsson at westint.se
Thu Jul 14 12:59:28 BST 2011


Hi Peter,
I had the settings for the Boxbackup list messed up, so I received the answer in Digest mode... hence answering like this. :-)
Checked my permissions and they all seem fine.

Server: 
-rwxrwxrwx 1 _bbstored root   10 2011-07-11 13:54 accounts.txt
-rwxrwxrwx 1 _bbstored root 1009 2011-07-13 15:11 bkSrv.crt.pem
-rwxrwxrwx 1 _bbstored root 1679 2011-07-13 15:12 bkSrv.key.pem
-rwxrwxrwx 1 _bbstored root 1021 2011-07-13 15:11 clientCA.pem

Client:
-rwxrwxrwx 1 root root  993 2011-07-13 15:15 75AB23C-cert.pem
-rwxrwxrwx 1 root root  899 2011-07-13 15:07 75AB23C-csr.pem
-rwxrwxrwx 1 root root 1024 2011-07-13 15:07 75AB23C-FileEncKeys.raw
-rwxrwxrwx 1 root root 1675 2011-07-13 15:07 75AB23C-key.pem
-rwxrwxrwx 1 root root 1156 2011-07-11 14:21 notifyadmin
-rwxrwxrwx 1 root root 1800 2011-07-13 15:07 NotifySysadmin.sh
-rwxrwxrwx 1 root root 1021 2011-07-13 15:15 serverCA.pem

I changed them to 777 just to make sure, but I still get exactly the same problem as before.

How is your openssl setup? Could it be something with the certificates I create that is wrong? It's all done with the scripts provided by boxbackup, but still.... it's the only possible error I can see right now.
I've just used the standard settings with no changes at all..

Could it have something to do with "subject=/CN=Backup system server root" not matching the server name? I have however tried changing this to the server name or actually servername.domain.local without any success.

Kind Regards, Tomas

-----Original Message-----
From: boxbackup-bounces at boxbackup.org [mailto:boxbackup-bounces at boxbackup.org] On behalf of boxbackup-request at boxbackup.org
Sent: 14 July 2011 13:00
To: boxbackup at boxbackup.org
Subject: Boxbackup Digest, Vol 20, Issue 5



Today's Topics:

   1. Certificate problems (Tomas Nilsson)
   2. Re: Certificate problems (Peter Jalajas, GigaLock Backup Services)


----------------------------------------------------------------------

Message: 1
Date: Wed, 13 Jul 2011 15:34:49 +0200
From: Tomas Nilsson <tomas.nilsson at westint.se>
Subject: [Box Backup] Certificate problems
To: "boxbackup at boxbackup.org" <boxbackup at boxbackup.org>
Message-ID:
	<807E78569CAA9B409EA32DC1F2CAEBFB206EA968CF at STOEXMBXC03.domain01.net>
Content-Type: text/plain; charset="us-ascii"

Hi,
First of all, sorry for this very long mail...

I'm trying to setup boxbackup to use for internal backups here at work. I have several servers and clients, and the plan is to have them all backed up on this backup server.

Installation and having the client find/connect to the server works fine, but when it comes to the certificates something goes wrong.
I'm mailing the list now since I just can't figure out what is wrong. I've tried the script to create the certificates, created them myself and tried everything else I could come up with, without success.
I still get an error saying "SSL error while accepting connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"

This is what I do.

1. Created a directory /certificates to do all the certificate things in.
2. Create root certificates and setup CA by use of bbstored-certs ca init
Output:
Generating RSA private key, 2048 bit long modulus
............................+++
........................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:

Signature ok
subject=/CN=Backup system client root
Getting Private key
Generating RSA private key, 2048 bit long modulus
.......................+++
.........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:

Signature ok
subject=/CN=Backup system server root
Getting Private key

3. Copy /certificates/ca/keys/serverRootKey.pem and /certificates/ca/keys/serverRootCSR.pem to /certificates
4. Sign certificate using bbstored-certs ca sign-server serverRootCSR.pem
Output:

This certificate is for backup server

   Backup

Signing the wrong certificate compromises the security of your backup system.

Would you like to sign this certificate? (type 'yes' to confirm)
yes
Signature ok
subject=/CN=Backup system server root
Getting CA Private Key


Certificate signed.

Install the files

   ca/servers/Backup-cert.pem
   ca/roots/clientCA.pem

on the server.

5. copy and rename Backup-cert.pem to /etc/boxbackup/bbstored/bkSrv.crt.pem
6. copy clientCA.pem to /etc/boxbackup/bbstored/clientCA.pem
7. copy and rename serverRootKey.pem to /etc/boxbackup/bbstored/bkSrv.key.pem
8. Edit /etc/boxbackup/bbstored.conf and change the certificate paths there to the ones above (5-7)
9. On client server, issue key file and csr using the following command
        bbackupd-config /etc/boxbackup lazy 75AB23C bkSrv.westint.local /var/bbackupd /var/bbackupd/
        This creates the client certificate csr I need as well as sets up the bbackupd.conf for me
10. Send off csr to bkSrv for signing.
11. Sign westsrv2.csr.pem using: bbstored-certs ca sign 75AB23C-csr.pem
12. Getting back 75AB23C-cert.pem and serverCA.pem from bkSrv and copies them to /etc/boxbackup/bbackupd/
13. Making sure that everything in bbackupd.conf looks fine.
14. Starting the server on bkSrv by issuing bbstored -V -D (to get as much debug info as possible)
15. Starting the client on westsrv2 by issuing bbackupd -V -D

Error on client:
NOTICE:  Starting daemon, version: 0.11rc2+2502
NOTICE:  Using configuration file: /etc/boxbackup/bbackupd.conf
TRACE:   BackupDaemon::NotifySysadmin() called, event = backup-start
INFO:    About to notify administrator about event backup-start, running script '/etc/boxbackup/bbackupd/NotifySysadmin.sh backup-start'
NOTICE:  Beginning scan of local files
TRACE:   Set maximum diffing time to 120 seconds
TRACE:   Set keep-alive time to 120 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999993 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999965 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999947 seconds
TRACE:   timer: next event: KeepAliveTime expires in 119.999931 seconds
INFO:    Opening connection to server 'bkSrv.westint.local'...
ERROR:   SSL error while connecting: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TRACE:   Obtained 10 stack frames.
TRACE:   Stack frame 0: bbackupd(DumpStackBacktrace()+0x26) [0x4c87c6]
TRACE:   Stack frame 1: bbackupd(SocketStreamTLS::Handshake(TLSContext const&, bool)+0x718) [0x498eb8]
TRACE:   Stack frame 2: bbackupd(SocketStreamTLS::Open(TLSContext const&, Socket::Type, std::string const&, int)+0x2e) [0x4995ce]
TRACE:   Stack frame 3: bbackupd(BackupClientContext::GetConnection()+0x33f) [0x4250af]
TRACE:   Stack frame 4: bbackupd(BackupDaemon::SetupLocations(BackupClientContext&, Configuration const&)+0xae) [0x435c9e]
TRACE:   Stack frame 5: bbackupd(BackupDaemon::RunSyncNow()+0xf16) [0x43e576]
TRACE:   Stack frame 6: bbackupd(BackupDaemon::RunSyncNowWithExceptionHandling()+0x35) [0x43f235]
TRACE:   Stack frame 7: bbackupd(BackupDaemon::Run2()+0x27b) [0x440deb]
TRACE:   Stack frame 8: bbackupd(BackupDaemon::Run()+0x270) [0x4411b0]
TRACE:   Stack frame 9: bbackupd(Daemon::Main(std::string const&)+0x1402) [0x4812e2]
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(212)
TRACE:   timer: no more events, going to sleep.
TRACE:   BackupDaemon::NotifySysadmin() called, event = backup-error
INFO:    About to notify administrator about event backup-error, running script '/etc/boxbackup/bbackupd/NotifySysadmin.sh backup-error'

Error on Server:
NOTICE:  Starting daemon, version: 0.11rc8+2714
NOTICE:  Using configuration file: /etc/boxbackup/bbstored.conf
INFO:    Starting housekeeping
INFO:    Finished housekeeping
ERROR:   SSL error while accepting connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
TRACE:   Obtained 10 stack frames.
TRACE:   Stack frame 0: bbstored(DumpStackBacktrace()+0x23) [0x52bb83]
TRACE:   Stack frame 1: bbstored(SocketStreamTLS::Handshake(TLSContext const&, bool)+0x64d) [0x4ec19d]
TRACE:   Stack frame 2: bbstored(ServerTLS<2201, 128, true>::HandleConnection(SocketStreamTLS&)+0x25) [0x43b305]
TRACE:   Stack frame 3: bbstored(ServerStream<SocketStreamTLS, 2201, 128, true>::Run2(bool&)+0x94e) [0x442c2e]
TRACE:   Stack frame 4: bbstored(ServerTLS<2201, 128, true>::Run2(bool&)+0x139) [0x4450c9]
TRACE:   Stack frame 5: bbstored(BackupStoreDaemon::Run()+0x3ea) [0x439b0a]
TRACE:   Stack frame 6: bbstored(Daemon::Main(std::string const&)+0x2029) [0x4c5039]
TRACE:   Stack frame 7: bbstored(Daemon::Main(char const*, int, char const**)+0x464) [0x4c15a4]
TRACE:   Stack frame 8: bbstored(main+0x90) [0x45a8a0]
TRACE:   Stack frame 9: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff) [0x7fa888517eff]
WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(207)
FATAL:   Terminating due to exception Connection TLSHandshakeFailed (7/30)

I've tried everything now... using the pre-defined scripts as of above, made my own scripts etc... but I just can't figure out why it doesn't work.
Probably it's me doing something wrong, but what??
It can't be so that bkSrv needs a real certificate from VeriSign or a company like that, right?

Thanks in advance!

Tomas


------------------------------

Message: 2
Date: Wed, 13 Jul 2011 13:18:10 -0400
From: "Peter Jalajas, GigaLock Backup Services"
	<pjalajas at gigalock.com>
Subject: Re: [Box Backup] Certificate problems
To: Box Backup <boxbackup at boxbackup.org>
Message-ID:
	<CAL5zbj9O1bv8S6hPLgx+HAufu7GXsrjObFQ2Q7C_MGRJeyMzSw at mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Hi Tomas,

On Wed, Jul 13, 2011 at 9:34 AM, Tomas Nilsson <tomas.nilsson at westint.se> wrote:
...
> I still get an error saying "SSL error while accepting connection:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
...
> 3. Copy /certificates/ca/keys/serverRootKey.pem and
> /certificates/ca/keys/serverRootCSR.pem to /certificates
...
> 5. copy and rename Backup-cert.pem to /etc/boxbackup/bbstored/bkSrv.crt.pem
> 6. copy clientCA.pem to /etc/boxbackup/bbstored/clientCA.pem
> 7. copy and rename serverRootKey.pem to
> /etc/boxbackup/bbstored/bkSrv.key.pem

Just guessing, but maybe an owner or permissions issue on the certs?
Owners of bbackupd and bbstored processes need to be able to read the
certs. And do you have all the necessary files present on both sides?

On my client:
root      4107     1  0 Jul04 ?        00:01:07 bbackupd
-rw-r--r-- 1 root root 1021 2008-05-15 12:22 serverCA.pem
-rw-r--r-- 1 root root 1.7K 2008-08-01 12:06 10009999-key.pem
-rw-r--r-- 1 root root 1.0K 2009-09-17 10:08 10009999-FileEncKeys.raw
-rw-r--r-- 1 root root  997 2008-08-01 12:06 10009999-cert.pem

On my server:
root      1184     1  0 Jun11 ?        00:02:50 bbstored
root      1185  1184  6 Jun11 ?        2-04:12:13 bbstored
-rw-r--r-- 1 root root 1.7K 2011-01-03 15:01 srvr-key.pem
-rw-r--r-- 1 root root  981 2011-01-03 15:01 srvr-cert.pem
-rw-r--r-- 1 root root 1021 2011-01-03 15:01 clientCA.pem

(But I think I should make those permissions 600 on both the client
and server so that no other user can access them.)

> 12. Getting back 75AB23C-cert.pem and serverCA.pem from bkSrv and copies
> them to /etc/boxbackup/bbackupd/

Did copying tweak owner/perms?

...
> Error on client:
...
> ERROR:   SSL error while connecting: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
...
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(212)
...
> Error on Server:
...
> ERROR:   SSL error while accepting connection: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
...
> WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at
> SocketStreamTLS.cpp(207)
> FATAL:   Terminating due to exception Connection TLSHandshakeFailed (7/30)
...
> It can't be so that bkSrv needs a real certificate from VeriSign or a
> company like that, right?

Right, for sure. You do _not_ need a "real" certificate.

Hope that helps,
Pete
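The two checks this thread circles around, reproduced offline as an added example (this is not code from the thread or from the Box Backup project, and the CA names, the `75AB23C` leaf and the temporary directory are constructed for the demonstration). The server's "tlsv1 alert unknown ca" means the certificate the client presented does not chain to the CA file bbstored trusts, and the client's "certificate verify failed" is the mirror image for the server certificate against serverCA.pem. The script builds a throw-away root with openssl, signs a leaf with it, and shows that `openssl verify` accepts the leaf against that root but rejects it against a second root that carries the same CN but a different key; the CA file a peer trusts has to be the one whose key actually signed the certificate, whatever the subject name says. It also includes the owner-only permission check Pete suggests.

```shell
#!/bin/sh
# Added example, not part of the Box Backup project or this thread: rebuild the
# "unknown ca" situation with a disposable CA and check a chain and a key file's
# permissions the way an operator would before starting bbstored/bbackupd.
# All material is constructed in a temporary directory; no real keys are used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a tiny self-signed root CA.  $1 = CA name, $2 = subject CN (constructed).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate signed by the named CA.  $1 = CA name, $2 = leaf name.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2-key.pem" -out "$WORK/$2-csr.pem" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2-csr.pem" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1-key.pem" -CAcreateserial -days 30 -sha256 \
        -out "$WORK/$2-cert.pem" >/dev/null 2>&1
}

# The check a TLS peer performs: does the certificate chain to the CA file it
# trusts?  $1 = CA file, $2 = certificate file.  Returns 0 on a valid chain.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject and issuer so a mismatch can be seen at a glance.  $1 = cert file.
show_identity() {
    openssl x509 -noout -subject -issuer -in "$1"
}

# Report whether only the owner has any permission on a file (600-style).
# $1 = file.  Returns 0 when the group and other permission bits are all clear.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demonstration: the leaf verifies against the root that signed it, but not
# against an unrelated root that merely reuses the same CN.  A peer given the
# second file as its CA reports exactly the "unknown ca" alert from the thread.
make_ca clientroot "Backup system client root"
make_ca strayroot  "Backup system client root"   # same CN, different key
make_leaf clientroot 75AB23C
show_identity "$WORK/75AB23C-cert.pem"
if chain_ok "$WORK/clientroot.pem" "$WORK/75AB23C-cert.pem"; then
    echo "chain OK against clientroot.pem"
fi
if ! chain_ok "$WORK/strayroot.pem" "$WORK/75AB23C-cert.pem"; then
    echo "chain FAILS against strayroot.pem: same subject, different CA key"
fi
chmod 600 "$WORK/75AB23C-key.pem"
if owner_only "$WORK/75AB23C-key.pem"; then
    echo "75AB23C-key.pem is readable by its owner only"
fi
```

To apply the same checks to a real installation, point `chain_ok` at the files the daemons are configured with (on the server, clientCA.pem against the client's `<account>-cert.pem`; on the client, serverCA.pem against the server certificate) and run `owner_only` on the key files as the daemon's user. A chain failure here is the same condition the daemons log as a TLS handshake failure, but it is visible before any process starts and without a stack trace to wade through.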


------------------------------



