[Box Backup] RSA_padding_check_PKCS1_type_1:block type is not 01

cableninja at cableninja.net
Mon Apr 8 17:54:44 BST 2013


Hi Chris,

> Note that you connected to backup01.cableninja.net, but the
> certificate that you received was for backup02.cableninja.net. Unless
> the CAs are the same, that might be a problem, and it might
> indicate that the hostname changed or that some network trickery is
> going on.

Hah, thank you for pointing this out to me, I apologize 
for all of the runaround I've caused you. Since not all containers have 
a public IP, the private LAN exists. As this is the case, hostnames 
resolve to an external IP, and that causes a whole mess of problems. I 
put the backup servers' hostnames into the bbackupd server's hosts file; 
turns out, I put the entries backwards. backup01 and backup02's last 
octets were backwards: backup01 should have been .101 where it was 
entered as .201.

I just ran a test after adjusting the hosts file; I now get the following:

@db01:/# openssl s_client -connect backup01.cableninja.net:2201 > test01.out
depth=0 CN = backup01.cableninja.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = backup01.cableninja.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = backup01.cableninja.net
verify error:num=21:unable to verify the first certificate
verify return:1
140158446786216:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140158446786216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:


@db01:/# openssl s_client -cert /etc/boxbackup/bbackupd/0-cert.pem -key /etc/boxbackup/bbackupd/0-key.pem -CAfile /etc/boxbackup/bbackupd/serverCA.pem -connect backup01.cableninja.net:2201 > test01.out
depth=1 CN = Backup system server root
verify return:1
depth=0 CN = backup01.cableninja.net
verify return:1
^C

Now it looks like everything is exactly as it's supposed to be! However...

When I start the client, I'm seeing the following on the backup server; 
it appears it's still having problems.

Apr  8 10:39:40 backup01 bbstored[2475]: NOTICE: Message from child process 5712: Incoming connection from 10.1.10.251 port 49503
Apr  8 10:39:40 backup01 bbstored[5712]: ERROR: SSL error while accepting connection: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Apr  8 10:39:40 backup01 bbstored[5712]: WARNING: Exception thrown: ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(207)
Apr  8 10:39:40 backup01 bbstored[5712]: ERROR: Error in child process, terminating connection: exception Connection TLSHandshakeFailed(7/30)
Apr  8 10:39:45 backup01 bbstored[2475]: NOTICE: Message from child process 5713: Incoming connection from 10.1.10.250 port 40327
Apr  8 10:39:46 backup01 bbstored client=0000000000[5713]: NOTICE: Login from Client ID 0000000000 Read/Write
Apr  8 10:39:46 backup01 bbstored client=0000000000[5713]: NOTICE: Session finished for Client ID 0000000000
Apr  8 10:39:46 backup01 bbstored client=0000000000[5713]: NOTICE: Connection statistics for BACKUP-0: IN=105 OUT=172 TOTAL=277

I found the solution on the troubleshooting page here: 
http://www.boxbackup.org/wiki/Troubleshooting#TLSHandshakeFailed
but I'm not quite clear on how to generate a new server CA. I know how 
to do the rest of the solution. If you could give me some info here, I'd 
appreciate it.

Thank you again for your help. I'll submit another thread soon for what 
I believe are missing/incorrect post-install steps on the wheezy packages.

- Chris

On 04/08/2013 02:35 AM, Chris Wilson wrote:
> Hi Chris,
>
> On Sun, 7 Apr 2013, cableninja at cableninja.net wrote:
>
>>> Could you try this on your client, and let me know what the output is:
>>>
>>>  openssl s_client -connect backup01.cableninja.net:2201
>>
>> Below is the output of this command
>>
>> # openssl s_client -connect backup01.cableninja.net:2201 > test01.out
>> depth=0 CN = backup02.cableninja.net
>
> Note that you connected to backup01.cableninja.net, but the
> certificate that you received was for backup02.cableninja.net. Unless
> the CAs are the same, that might be a problem, and it might indicate
> that the hostname changed or that some network trickery is going on.
>
> Otherwise, it appears that bbstored is working properly on both
> systems, so the problem is likely to be in bbackupd or the network
> in between.
>
> I set up bbstored and bbackupd from Debian packages on a fresh 32-bit
> Wheezy server (both on the same server) and wasn't able to reproduce
> the problem. So either it's only in the 64-bit version of Wheezy, or
> it's in the network.
>
> Could you try making each machine back up to its local bbstored
> instead of the remote one, to eliminate the network?
>
>> Below is the output of the command with the cert/key/CAFile options
>>
>> # openssl s_client -cert /etc/boxbackup/bbackupd/0-cert.pem -key
>> /etc/boxbackup/bbackupd/0-key.pem -CAfile
>> /etc/boxbackup/bbackupd/serverCA.pem -connect
>> backup01.cableninja.net:2201 > test01.out
>> depth=1 CN = Backup system server root
>> verify return:1
>> depth=0 CN = backup02.cableninja.net
>> verify error:num=7:certificate signature failure
>> verify return:1
>> depth=0 CN = backup02.cableninja.net
>> verify return:1
>> 140498802353832:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert decrypt error:s3_pkt.c:1256:SSL alert number 51
>> 140498802353832:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:177:
>>
>> # cat test02.out
>> CONNECTED(00000003)
>> ---
>> Certificate chain
>> 0 s:/CN=backup02.cableninja.net
>>   i:/CN=Backup system server root
>> ---
>> Server certificate
>> subject=/CN=backup02.cableninja.net
>> issuer=/CN=Backup system server root
>> ---
>>
>> I'm not too familiar with openssl, but it appears to me that there's
>> something wrong with my serverCA? or my certificates in general?
>
> I think so too (in addition to the padding error). Are both your
> server certificates signed by the same CA?
>
>> I've just nuked all of my configs and certs, I'm currently trying
>> again from scratch. I'll update when I have tried all possibilities
>> and what we've got.
>>
>>> Unless something obvious comes up, I think I'm going to have to
>>> reproduce the problem.
>>
>> I can provide test containers for you, even give you access to these
>> existing ones, if you don't have an existing setup similar to what I
>> have, to test on. Let me know if you'd like me to do so.
>>
>> Thanks for your time/help.
>
> Thanks for your patience and investigation :)
>
> Cheers, Chris.
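
The two symptoms discussed in this thread (the certificate name not matching the host that was dialled, and the chain failing against the client's serverCA.pem) can be reproduced and told apart offline. The script below is an added example, not part of the original messages or of Box Backup; the certificates are constructed throwaways, the function and file names are hypothetical, and it assumes the case where two CAs share the subject name "Backup system server root" but have different keys.

```shell
#!/bin/sh
# Constructed offline lab: two CAs with the same subject name but different keys.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = file prefix (hypothetical name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Backup system server root" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = CA prefix, $2 = server hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2-key.pem" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -set_serial 2 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1-key.pem" \
        -out "$WORK/$2.pem" 2>/dev/null
}

cert_cn() {            # print the subject CN of the PEM certificate in $1
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# $1 = hostname the client dialled, $2 = certificate it received,
# $3 = CA file the client trusts (serverCA.pem in the thread)
check_server_cert() {
    if [ "$(cert_cn "$2")" = "$1" ]; then name=ok; else name=mismatch; fi
    if openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        chain=ok
    else
        chain=fail
    fi
    echo "name=$name chain=$chain"
}

make_ca ca01; make_ca ca02
make_server_cert ca01 backup01.cableninja.net
make_server_cert ca02 backup02.cableninja.net

# Correct hosts entry: backup01 answers with its own certificate.
check_server_cert backup01.cableninja.net \
    "$WORK/backup01.cableninja.net.pem" "$WORK/ca01.pem"
# Swapped hosts entry: the name resolves to backup02, which presents its
# own certificate, issued by a different CA that has the same name.
check_server_cert backup01.cableninja.net \
    "$WORK/backup02.cableninja.net.pem" "$WORK/ca01.pem"
```

The verify error number reported for the failing chain depends on the OpenSSL version and on the certificates' extensions, so the check only distinguishes pass from fail.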



