[Box Backup] Certificate information

Peter Jalajas, GigaLock Backup Services pjalajas at gigalock.com
Tue Nov 6 15:21:09 GMT 2012


On Mon, Nov 5, 2012 at 4:38 PM, Jan Haastrecht wrote:
> Hi,
>
> Can you please document the exact certificates (that is, file names with
> file format and by who they should be signed) that need to be in place on
> server and client to setup a working connection, such that
>  WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed
>
> is not displayed in the logs?
>
> There are some scripts which do part of this now, but things would be much
> easier to understand if it was documented and instead of an exception like
> that, it would output error messages that are a bit more intelligible (cf.,
> "You are sending a certificate signed by organization X, but we require a
> certificate signed by organization Y. ").
>
> For example the scripts use 2048 bits keys now and a particular key type,
> but some users might want to change that.
>
> Jan
>

Hi Jan,

Does this help?:
    https://www.boxbackup.org/wiki/ConfiguringAClient
See the section "Example Configuration Output", and especially the
"What you need to do now..." portion.
And similarly:
    https://www.boxbackup.org/wiki/ConfiguringAServer
and
    https://www.boxbackup.org/wiki/CertificatesAndAccountsManagement

Things I've had problems with over the years include:
a)  Depending upon how you install and configure your boxbackup client
and server, you may need to look in "/etc/box/" or "/etc/boxbackup/".
The OS/Distribution packages have changed a bit over time, and may
install boxbackup slightly differently than if compiled from source,
and the documentation may not have been perfectly kept up.  For a
while, I was adding symbolic links between those directories.

b) The file ownership and permissions on the certs and their directory
paths need to be set such that they are readable by the bbackupd
(client) and bbstored (server) processes, respectively.  For example,
on page https://www.boxbackup.org/wiki/ConfiguringAServer, see the
bbstored-config command, and the "_bbstored" username option setting
there.  (Note that the certs should have very tight permissions to
avoid adversaries taking or modifying them, but still readable by the
server process user, "_bbstored" in this case.)

c) On page https://www.boxbackup.org/wiki/ConfiguringAServer, "Example
configuration output", "bbstored basic configuration complete.",
"What you need to do now...":
 1) Sign /etc/boxbackup/bbstored/server.example.com-csr.pem
    using the bbstored-certs utility.
Note that that is done on the "certificate authority" (CA) machine.
Note that it wasn't clear to me for a while that the CA really should
be a separate, third, air-gapped machine, and thus possibly maybe
there should be a third software package in addition to these two:
    $ apt-cache search boxbackup
    boxbackup-client - client for the BoxBackup remote backup system
    boxbackup-server - server for the BoxBackup remote backup system

(Note also that over the years I've had problems with the installed
boxbackup binaries moving around to various places under /usr/
(local/?, bin/? sbin/?, can't remember) depending upon how I installed
boxbackup -- pay very close attention to the boxbackup script output
generated on _your_ machine (as opposed to what you read in the
docs).)

(Note also that in my own ignorance, I would sometimes get confused
between the boxbackup "server" and the boxbackup "store"; they are the
same thing, and have nothing to do with any boxbackup client that
might happen to be a server-grade machine (human personnel at the
client shop may call it their "server", but it's a boxbackup client).)

(Note also the unspoken security problems with sending these
certificates securely between the CA, Client and Server...)

Maybe this high-level summary, focusing ONLY on certificates, might
help someone:

Using instructions from these 3 pages:
    https://www.boxbackup.org/wiki/CertificatesAndAccountsManagement
    https://www.boxbackup.org/wiki/ConfiguringAServer
    https://www.boxbackup.org/wiki/ConfiguringAClient

One time per CA/Server:
  1) Set up a separate air-gapped CA machine (install
boxbackup-server, run bbstored-certs ca init).  From my CA .../ca/
directory:
    ./keys/clientRootCSR.pem
    ./keys/clientRootKey.pem
    ./keys/serverRootCSR.pem
    ./keys/serverRootKey.pem
    ./roots/clientCA.pem
    ./roots/clientCA.srl
    ./roots/serverCA.pem
    ./roots/serverCA.srl
    ./servers/<ServerNickName>-cert.pem
  Maybe someone can explain each of those files for us?
  2) Set up the internet-connected Server machine (install
boxbackup-server, run raidfile-config, bbstored-config).  Send
-csr.pem to CA.
  3) On the CA, sign the Server -csr.pem (bbstored-certs ca
sign-server).  Follow output instructions...(sorry I don't have them
handy).
  4) On the Server, place the CA-signed server certificate as
instructed by "What you need to do now..." from "bbstored-certs ca
sign-server".  From my /etc/boxbackup/bbstored.conf:
        CertificateFile = /etc/boxbackup/bbstored/<servernickname>-cert.pem
            <-- Server public SSL cert, signed by CA, from CA "bbstored-certs ca sign-server"
        PrivateKeyFile = /etc/boxbackup/bbstored/<servernickname>-key.pem
            <-- Server private SSL cert, from "bbstored-config"
        TrustedCAsFile = /etc/boxbackup/bbstored/clientCA.pem
            <-- CA root cert(?), from CA "bbstored-certs ca init"
  I believe that's true; someone please check.

Now you are ready to add one or more clients:
  5) On the Server, create a Client account (run bbstoreaccounts
create).  Inform Client of account number and server domain name or IP
address.
  6) Set up the Client machine (run bbackupd-config).  If you want to
generate your own home-grown client certs with a different technique,
I think you can do that at this point (for example, before running
bbackupd-config, modify this line of that file by hand:
"if(system("openssl genrsa -out $private_key 2048") != 0)", or use a
completely different tool; I'm not sure what the limitations are
(could one use elliptic curve?)).  Send -csr.pem to CA (instructions
say server admin).
  7) On CA machine, check -csr.pem account number (how?), then sign
-csr.pem (bbstored-certs ca sign), then follow output instructions
(send "CA root"(?) and client cert to Client).
  8) On Client machine, install CA root and client cert as instructed.
 From my client /etc/box/bbackupd.conf (notice it's /etc/box/, not
/etc/boxbackup/):
    KeysFile = /etc/box/bbackupd/<AcctNo>-FileEncKeys.raw
        <-- Client private encryption key (from bbackupd-config, or home-grown)
    PrivateKeyFile = /etc/box/bbackupd/<AcctNo>-key.pem
        <-- Client private SSL cert (from bbackupd-config, or home-grown)
    CertificateFile = /etc/box/bbackupd/<AcctNo>-cert.pem
        <-- Client public SSL cert (from CA, bbstored-certs ca sign)
    TrustedCAsFile = /etc/box/bbackupd/serverCA.pem
        <-- "CA root"(?) (from CA, bbstored-certs ca sign)
  Again, someone should check my work here.

I hope at least part of that is helpful to someone.  Suggestions and
corrections welcome.  I can put this on the trac wiki if anyone thinks
it'll help.

Thanks,
Pete
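The file listing above implies a relationship that can be checked before either daemon is started: the certificate each side presents must match its own private key and must chain to a root in the CA file the other side trusts (the server's cert against the client's serverCA.pem, the client's cert against the server's clientCA.pem). The POSIX shell check below is an added example, not part of Pete's mail or of the Box Backup scripts; it reports an issuer/trusted-root mismatch in the plain words Jan asked for instead of leaving it to surface as Conn_TLSHandshakeFailed. The three config key names are the ones quoted in the mail; the paths are placeholders for whatever the real configs hold, and it assumes an openssl binary is on PATH.

```sh
#!/bin/sh
# Added example (not from the mail or from Box Backup): pre-flight check that
# the TLS material one side presents will be accepted by the other side.
#
# check_box_tls <CertificateFile> <PrivateKeyFile> <peer's TrustedCAsFile>
#   client side: check_box_tls <AcctNo>-cert.pem <AcctNo>-key.pem clientCA.pem
#   server side: check_box_tls <nick>-cert.pem   <nick>-key.pem   serverCA.pem
# Each side is checked against the CA file the OTHER side trusts, because that
# is the verification the peer performs during the handshake.

check_box_tls() {
    cert=$1; key=$2; peer_cas=$3
    for f in "$cert" "$key" "$peer_cas"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f (check path and ownership for the daemon user)"
            return 1
        fi
    done
    # 1. The private key must belong to the certificate being presented:
    #    compare the SubjectPublicKeyInfo extracted from both files.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key is not the private key for $cert"
        return 1
    fi
    # 2. The certificate must chain to a root in the peer's TrustedCAsFile.
    #    Match on ": OK" so the result does not depend on openssl's exit code.
    if ! openssl verify -CAfile "$peer_cas" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "$cert is signed by: $(openssl x509 -in "$cert" -noout -issuer)"
        echo "but the peer trusts: $(openssl x509 -in "$peer_cas" -noout -subject)"
        return 1
    fi
    echo "ok: $cert matches $key and chains to $peer_cas"
    return 0
}

# Print the subject a CSR asks for, so whatever identifier bbackupd-config put
# there can be eyeballed before running bbstored-certs ca sign on it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```

Run the client-side and server-side invocations on a machine that holds copies of both files; a failure in step 2 is exactly the "signed by X, but we require Y" situation.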


