[Box Backup] Debian Wheezy package/configuration confusion

cableninja at cableninja.net
Wed Apr 10 13:34:34 BST 2013


Hello all,

Before I begin: I finally have functioning backups working on multiple 
servers (after many nights of head bashing) and, despite the pain of 
setting it up, so far I enjoy boxbackup! Thank you all for the help in 
getting it going in the other thread I had. I've determined where 
most of the problems have been stemming from. It turns out a lot of my 
problems were due to path confusion using the bb* tools. I mentioned I 
would follow up regarding the issues I noticed, so here we are.

Debian Wheezy with backports, amd64, kernel 3.2.0-4-amd64

root at test01:/etc/boxbackup# bbstored --version
0.11rc8+2837
root at test01:/etc/boxbackup# bbackupd --version
0.11rc8+2837

Problem 1:
Problematic unless/die block in bbstored-certs
/usr/bin/bbstored-certs @ line 85:
<elsif($command eq 'sign') {&cmd_sign;}
<elsif($command eq 'sign-server') {&cmd_sign_server;}
<else
<{
<        die "Unknown command $command"
<}
<
<sub cmd_init
<{
<        # create directories
<        unless(mkdir($cert_dir,0700)
<                && mkdir($cert_dir.'/roots',0700)
<                && mkdir($cert_dir.'/keys',0700)
<                && mkdir($cert_dir.'/servers',0700)
<                && mkdir($cert_dir.'/clients',0700))
<        {
<                die "Failed to create directory structure"
<        }
<
<       # create root keys and certrs
<        cmd_init_create_root('client');
<        cmd_init_create_root('server');
<}
 >elsif($command eq 'sign-server') {&cmd_sign_server;}
 >else
 >{
 >        die "Unknown command $command"
 >}
 >
 >sub cmd_init
 >{
 >        # create directories
 >#       unless(
 >                mkdir($cert_dir,0700);
 >                mkdir($cert_dir.'/roots',0700);
 >                mkdir($cert_dir.'/keys',0700);
 >                mkdir($cert_dir.'/servers',0700);
 >                mkdir($cert_dir.'/clients',0700);#)
 >#       {
 >#               die "Failed to create directory structure"
 >#       }
 >
 >        # create root keys and certrs
 >        cmd_init_create_root('client');
 >        cmd_init_create_root('server');
 >}

I had to comment out/adjust the 'unless()' block because it would fail 
whether or not the directories existed.

Problem 2:
bbstored-config/bbstored-certs confusion

 ># bbstored-config /etc/boxbackup test01.cableninja.net bbstored /etc/boxbackup/raidfile.conf
 >Checking permissions on //backup
 >Checking permissions on //backup
 >Checking permissions on //backup
 >
 >Setup bbstored config utility.
 >
 >Configuration:
 >   Writing configuration file: /etc/boxbackup/bbstored.conf
 >   Writing empty accounts file: /etc/boxbackup/bbstored/accounts.txt
 >   Server hostname: test01.cableninja.net
 >   RaidFile config: /etc/boxbackup/raidfile.conf
 >
 >Creating blank accounts file
 >Generating private key...
 >Generating RSA private key, 2048 bit long modulus
 >.+++
 >............................+++
 >e is 65537 (0x10001)
 >You are about to be asked to enter information that will be incorporated
 >into your certificate request.
 >What you are about to enter is what is called a Distinguished Name or 
a DN.
 >There are quite a few fields but you can leave some blank
 >For some fields there will be a default value,
 >If you enter '.', the field will be left blank.
 >-----
 >Country Name (2 letter code) [AU]:State or Province Name (full name) 
[Some-State]:Locality Name (eg, city) []:Organization Na
 >me (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name 
(eg, section) []:Common Name (e.g. server FQDN or YOUR n
 >ame) []:Email Address []:
 >Please enter the following 'extra' attributes
 >to be sent with your certificate request
 >A challenge password []:An optional company name []:
 >
 >Writing configuration file /etc/boxbackup/bbstored.conf
 >
 >
 >===================================================================
 >bbstored basic configuration complete.
 >
 >What you need to do now...
 >
 >1) Sign /etc/boxbackup/bbstored/test01.cableninja.net-csr.pem
 >   using the bbstored-certs utility.
 >
 >2) Install the server certificate and root CA certificate as
 >      /etc/boxbackup/bbstored/test01.cableninja.net-cert.pem
 >      /etc/boxbackup/bbstored/clientCA.pem
 >
 >3) You may wish to read the configuration file
 >      /etc/boxbackup/bbstored.conf
 >   and adjust as appropraite.
 >
 >4) Create accounts with bbstoreaccounts
 >
 >5) Start the backup store daemon with the command
 >      /usr/local/sbin/bbstored
 >   in /etc/rc.local, or your local equivalent.
 >
 >===================================================================
 >
 >root at test01:/# cd /etc/boxbackup/
 >root at test01:/etc/boxbackup# ls -alh
 >total 24K
 >drwxr-xr-x  4 root root 4.0K Apr 10 13:57 .
 >drwxr-xr-x 52 root root 4.0K Apr 10 13:49 ..
 >drwxr-xr-x  2 root root 4.0K Oct 28  2011 bbackupd
 >drwxr-xr-x  2 root root 4.0K Apr 10 13:57 bbstored
 >-rw-r--r--  1 root root  620 Apr 10 13:57 bbstored.conf
 >-rw-r--r--  1 root root   75 Apr 10 13:56 raidfile.conf
 >root at test01:/etc/boxbackup# cd bbstored/
 >root at test01:/etc/boxbackup/bbstored# ls -alh
 >total 16K
 >drwxr-xr-x 2 root root 4.0K Apr 10 13:57 .
 >drwxr-xr-x 4 root root 4.0K Apr 10 13:57 ..
 >-rw-r--r-- 1 root root    0 Apr 10 13:57 accounts.txt
 >-rw-r--r-- 1 root root  907 Apr 10 13:57 test01.cableninja.net-csr.pem
 >-rw-r--r-- 1 root root 1.7K Apr 10 13:57 test01.cableninja.net-key.pem
 >root at test01:/etc/boxbackup/bbstored# bbstored-certs /etc/boxbackup init
 >Generating RSA private key, 2048 bit long modulus
 >.............+++
 >.............................................................................................................+++
 >e is 65537 (0x10001)
 >You are about to be asked to enter information that will be incorporated
 >into your certificate request.
 >What you are about to enter is what is called a Distinguished Name or 
a DN.
 >There are quite a few fields but you can leave some blank
 >For some fields there will be a default value,
 >If you enter '.', the field will be left blank.
 >-----
 >Country Name (2 letter code) [AU]:State or Province Name (full name) 
[Some-State]:Locality Name (eg, city) []:Organization Na
 >me (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name 
(eg, section) []:Common Name (e.g. server FQDN or YOUR n
 >ame) []:Email Address []:
 >Please enter the following 'extra' attributes
 >to be sent with your certificate request
 >A challenge password []:An optional company name []:
 >
 >Signature ok
 >subject=/CN=Backup system client root
 >Getting Private key
 >Generating RSA private key, 2048 bit long modulus
 >............................................+++
 >...................................................+++
 >e is 65537 (0x10001)
 >You are about to be asked to enter information that will be incorporated
 >into your certificate request.
 >What you are about to enter is what is called a Distinguished Name or 
a DN.
 >There are quite a few fields but you can leave some blank
 >For some fields there will be a default value,
 >If you enter '.', the field will be left blank.
 >-----
 >Country Name (2 letter code) [AU]:State or Province Name (full name) 
[Some-State]:Locality Name (eg, city) []:Organization Na
 >me (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name 
(eg, section) []:Common Name (e.g. server FQDN or YOUR n
 >ame) []:Email Address []:
 >Please enter the following 'extra' attributes
 >to be sent with your certificate request
 >A challenge password []:An optional company name []:
 >
 >Signature ok
 >subject=/CN=Backup system server root
 >Getting Private key
 >root at test01:/etc/boxbackup/bbstored# ls -alh
 >total 16K
 >drwxr-xr-x 2 root root 4.0K Apr 10 13:57 .
 >drwxr-xr-x 8 root root 4.0K Apr 10 13:58 ..
 >-rw-r--r-- 1 root root    0 Apr 10 13:57 accounts.txt
 >-rw-r--r-- 1 root root  907 Apr 10 13:57 test01.cableninja.net-csr.pem
 >-rw-r--r-- 1 root root 1.7K Apr 10 13:57 test01.cableninja.net-key.pem
 >root at test01:/etc/boxbackup/bbstored# cd ../
 >root at test01:/etc/boxbackup# ls -alh
 >total 40K
 >drwxr-xr-x  8 root root 4.0K Apr 10 13:58 .
 >drwxr-xr-x 52 root root 4.0K Apr 10 13:49 ..
 >drwxr-xr-x  2 root root 4.0K Oct 28  2011 bbackupd
 >drwxr-xr-x  2 root root 4.0K Apr 10 13:57 bbstored
 >-rw-r--r--  1 root root  620 Apr 10 13:57 bbstored.conf
 >drwx------  2 root root 4.0K Apr 10 13:58 clients
 >drwx------  2 root root 4.0K Apr 10 13:58 keys
 >-rw-r--r--  1 root root   75 Apr 10 13:56 raidfile.conf
 >drwx------  2 root root 4.0K Apr 10 13:58 roots
 >drwx------  2 root root 4.0K Apr 10 13:58 servers
 >root at test01:/etc/boxbackup# ls -alh roots/
 >total 24K
 >drwx------ 2 root root 4.0K Apr 10 13:58 .
 >drwxr-xr-x 8 root root 4.0K Apr 10 13:58 ..
 >-rw-r--r-- 1 root root 1021 Apr 10 13:58 clientCA.pem
 >-rw-r--r-- 1 root root    3 Apr 10 13:58 clientCA.srl
 >-rw-r--r-- 1 root root 1021 Apr 10 13:58 serverCA.pem
 >-rw-r--r-- 1 root root    3 Apr 10 13:58 serverCA.srl
 >root at test01:/etc/boxbackup# ls -alh bbstored/
 >total 16K
 >drwxr-xr-x 2 root root 4.0K Apr 10 13:57 .
 >drwxr-xr-x 8 root root 4.0K Apr 10 13:58 ..
 >-rw-r--r-- 1 root root    0 Apr 10 13:57 accounts.txt
 >-rw-r--r-- 1 root root  907 Apr 10 13:57 test01.cableninja.net-csr.pem
 >-rw-r--r-- 1 root root 1.7K Apr 10 13:57 test01.cableninja.net-key.pem
 >root at test01:/etc/boxbackup# cat bbstored.conf | grep clientCA
 >        TrustedCAsFile = /etc/boxbackup/bbstored/clientCA.pem

Note above that clientCA.pem actually ends up in 
/etc/boxbackup/roots/clientCA.pem, not where bbstored-config sets 
TrustedCAsFile to (bbstored/clientCA.pem).

 ># bbstored-certs /etc/boxbackup sign-server 
bbstored/test01.cableninja.net-csr.pem
 >
 >This certificate is for backup server
 >
 >   test01.cableninja.net
 >
 >Signing the wrong certificate compromises the security of your backup 
system.
 >
 >Would you like to sign this certificate? (type 'yes' to confirm)
 >yes
 >Signature ok
 >subject=/CN=test01.cableninja.net
 >Getting CA Private Key
 >
 >
 >Certificate signed.
 >
 >Install the files
 >
 >   /etc/boxbackup/servers/test01.cableninja.net-cert.pem
 >   /etc/boxbackup/roots/clientCA.pem
 >
 >on the server.

Again, here bbstored-certs references roots/clientCA.pem.

 ># bbstored-certs /etc/boxbackup sign clients/0-csr.pem
 >
 >This certificate is for backup account
 >
 >   0
 >
 >Ensure this matches the account number you are expecting. The filename is
 >
 >   clients/0-csr.pem
 >
 >which should include this account number, and additionally, you should 
check
 >that you received it from the right person.
 >
 >Signing the wrong certificate compromises the security of your backup 
system.
 >
 >Would you like to sign this certificate? (type 'yes' to confirm)
 >yes
 >Signature ok
 >subject=/CN=BACKUP-0
 >Getting CA Private Key
 >
 >
 >Certificate signed.
 >
 >Send the files
 >
 >   /etc/boxbackup/clients/0-cert.pem
 >   /etc/boxbackup/roots/serverCA.pem
 >
 >to the client.

These commands also seem to depend on where you run them. I ran them in 
/etc/boxbackup/bbstored/ on my past installations (which are now 
working), and there they created the clients, keys, servers and roots 
folders in bbstored instead of /etc/boxbackup/, as they did this time 
(this doesn't seem logical; some form of default standard should exist).

Problem 3:
Jumbled help in bbackupd-config
 ># bbackupd-config
 >
 >Setup bbackupd config utility.
 >
 >Bad command line parameters.
 >Usage:
 >    bbackupd-config config-dir backup-mode account-num server-hostname
 >        working-dir [backup directories]
 >
 >Parameters:
 >    config-dir          is usually /etc/boxbackup
 >    backup-mode         is lazy or snapshot:
 >        lazy mode       runs continously, uploading files over a 
specified age
 >        snapshot mode   uploads a snapshot of the filesystem when 
instructed
 >                        explicitly, using bbackupctl sync
 >    account-num (hexdecimal) and server-hostname
 >                        are supplied by the server administrator
 >    working-dir         is usually /var/bbackupd
 >    backup directories  is list of directories to back up

The line "account-num (hexdecimal) and server-hostname" should be split 
onto separate lines; it causes confusion (I missed it the first 3 times 
I tried to run the command).
The line "working-dir         is usually /var/bbackupd": this directory 
isn't even created by the Debian Wheezy packages.

 ># bbackupd-config /etc/boxbackup snapshot 0 test01.cableninja.net / /
 >It is not recommended that you backup the root directory of your disc 
at /usr/sbin/bbackupd-config line 103.

This warning should have an override, or should not complain at all.

Problem 4:
Bad directory entries in bbackupd.conf after bbackupd-config

 > PidFile = //bbackupd.pid

My guess is this relates to the working directory/"DirectoryPath" config 
option. However, I've had no luck getting them to correlate properly and 
always end up with either nothing but dual slashes (as noted) or a path 
like /var/run//bbackupd.pid, even without a trailing slash.


Lastly, I would like to propose that you guys begin making errors more 
descriptive. While 'exception X thrown @ y' messages are somewhat useful, 
they unfortunately don't really give insight into the real problem. 
Today I was getting the following error:

 >Apr 10 03:45:25 backup02 bbstored[3494]: NOTICE: Message from child 
process 7718: Incoming connection from 10.1.10.251 port 57633
 >Apr 10 03:45:25 backup02 bbstored[7718]: ERROR: SSL error while 
accepting connection: error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
 >Apr 10 03:45:25 backup02 bbstored[7718]: ERROR: SSL error while 
accepting connection: error:04067072:rsa 
routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
 >Apr 10 03:45:25 backup02 bbstored[7718]: ERROR: SSL error while 
accepting connection: error:0D0C5006:asn1 encoding 
routines:ASN1_item_verify:EVP lib
 >Apr 10 03:45:25 backup02 bbstored[7718]: ERROR: SSL error while 
accepting connection: error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 >Apr 10 03:45:25 backup02 bbstored[7718]: WARNING: Exception thrown: 
ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(207)
 >Apr 10 03:45:25 backup02 bbstored[7718]: ERROR: Error in child 
process, terminating connection: exception Connection 
TLSHandshakeFailed(7/30)

 >Apr 10 03:54:54 backup02 bbstored[3494]: NOTICE: Message from child 
process 7867: Incoming connection from 10.1.10.251 port 57641
 >Apr 10 03:54:54 backup02 bbstored[7867]: ERROR: SSL error while 
accepting connection: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 
alert decrypt error
 >Apr 10 03:54:54 backup02 bbstored[7867]: WARNING: Exception thrown: 
ConnectionException(Conn_TLSHandshakeFailed) at SocketStreamTLS.cpp(207)
 >Apr 10 03:54:54 backup02 bbstored[7867]: ERROR: Error in child 
process, terminating connection: exception Connection 
TLSHandshakeFailed(7/30)

After repeatedly re-signing the certificates to attempt to fix the first 
block of errors, I was finally only getting the second block. After 
slamming hammers in the dark, I finally determined that it was because I 
had copied the clientCA.pem instead of the serverCA.pem to the client 
system. Most of the resolution was 99% guesswork.

I also seem to run into permissions problems on the backup location. It 
seems like this is something that should be handled by raidfile-config 
or bbstoreaccounts.

AAAAAANNNND lastly, one final suggestion (if it exists already, 
apologies): being able to restore modified files from X days ago (with X 
configurable?).

Anyway, keep up the good work, looking forward to advances in this 
software for sure!

Thanks,

- Chris
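The two mix-ups this post describes (a TrustedCAsFile path that does not match where `bbstored-certs init` writes the root, and clientCA.pem copied to the client in place of serverCA.pem) can both be caught before either daemon is started. The script below is an added example, not code from Box Backup or from the post's author: it builds a throw-away PKI in a temporary directory with the same roots/, keys/, servers/ and clients/ layout, the same "Backup system client root" / "Backup system server root" CNs, the same server hostname and the same account 0 that the quoted bbstored-certs output shows, then uses `openssl verify` to confirm the server certificate chains to serverCA.pem and is rejected by clientCA.pem, and reads TrustedCAsFile out of a bbstored.conf to confirm it names the client root. The function names, the key file names under keys/, the one-day validity and the use of a temporary directory are assumptions of this example; it needs only a POSIX sh and the openssl command line.

```shell
#!/bin/sh
# Added example (not Box Backup code): build a throw-away PKI shaped like the
# layout bbstored-certs produces and check which root each side trusts before
# starting bbstored/bbackupd. Directory names, the "Backup system ... root" CNs,
# the server hostname and account 0 follow the output quoted in the post; the
# key file names under keys/ and the function names are assumptions.

# Print the value of one "Key = value" line from a bbstored.conf/bbackupd.conf.
conf_get() {            # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print the subject CN of a PEM certificate (RFC2253 output is stable across
# OpenSSL 1.x and 3.x, unlike the default "subject=" formatting).
cert_cn() {             # $1 = certificate
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# CN of the root a daemon's config trusts. bbstored must trust the *client*
# root (it authenticates bbackupd); bbackupd must trust the *server* root.
trusted_root_cn() {     # $1 = config file
    ca=$(conf_get "$1" TrustedCAsFile)
    [ -f "$ca" ] || { echo "TrustedCAsFile not found: $ca" >&2; return 1; }
    cert_cn "$ca"
}

# Does certificate $1 chain to root $2?  Exit status 0 = yes.
verify_peer_cert() {    # $1 = certificate, $2 = CA file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Populate $1 with two self-signed roots, a server cert for
# test01.cableninja.net signed by serverCA, a client cert for account 0 signed
# by clientCA, and a bbstored.conf whose TrustedCAsFile points at
# roots/clientCA.pem (where 'bbstored-certs init' actually writes it).
make_toy_pki() {        # $1 = cert dir
    dir=$1
    mkdir -p "$dir/roots" "$dir/keys" "$dir/servers" "$dir/clients"
    for side in client server; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$dir/keys/${side}RootKey.pem" -out "$dir/roots/${side}CA.pem" \
            -subj "/CN=Backup system $side root" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/servers/test01.cableninja.net-key.pem" \
        -out "$dir/servers/test01.cableninja.net-csr.pem" \
        -subj "/CN=test01.cableninja.net" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/servers/test01.cableninja.net-csr.pem" \
        -CA "$dir/roots/serverCA.pem" -CAkey "$dir/keys/serverRootKey.pem" \
        -CAcreateserial -out "$dir/servers/test01.cableninja.net-cert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/clients/0-key.pem" -out "$dir/clients/0-csr.pem" \
        -subj "/CN=BACKUP-0" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/clients/0-csr.pem" \
        -CA "$dir/roots/clientCA.pem" -CAkey "$dir/keys/clientRootKey.pem" \
        -CAcreateserial -out "$dir/clients/0-cert.pem" >/dev/null 2>&1
    printf 'TrustedCAsFile = %s/roots/clientCA.pem\n' "$dir" > "$dir/bbstored.conf"
}

demo() {
    d=$(mktemp -d)
    make_toy_pki "$d"
    srv=$d/servers/test01.cableninja.net-cert.pem
    echo "bbstored.conf trusts: $(trusted_root_cn "$d/bbstored.conf")"
    # Correct root to copy to the client: serverCA.pem.
    verify_peer_cert "$srv" "$d/roots/serverCA.pem" && echo "server cert chains to serverCA.pem: OK"
    # The mistake the post describes: shipping clientCA.pem to the client.
    verify_peer_cert "$srv" "$d/roots/clientCA.pem" || echo "server cert vs clientCA.pem: rejected"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

On a real installation, point `trusted_root_cn` at /etc/boxbackup/bbstored.conf (expect "Backup system client root") or at the client's bbackupd.conf (expect "Backup system server root"), and point `verify_peer_cert` at the server certificate plus the root file you are about to copy to the client. The second call in `demo` is the swap the post describes, and `openssl verify` rejects it immediately and by name, instead of the RSA padding and "decrypt error" lines the daemons log once the handshake fails.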


