[Box Backup] Invalid signed Box Backup server certificate

Chris Wilson chris+google at qwirx.com
Mon Feb 10 21:12:26 GMT 2020


Hi Jack,

I think I found the problem. The bbstored-config command asked you to do
this:

1) Sign /etc/boxbackup/bbstored/JaxToyMB-csr.pem
   using the bbstored-certs utility.


But instead you did this:


# bbstored-certs CA sign-server CA/keys/serverRootCSR.pem

# cp -p CA/servers/Backup-cert.pem /etc/boxbackup/bbstored/JaxToyMB-csr.pem


This will install an incorrectly-signed server master CA certificate (which
would normally be used to sign server certificates) as the server's own
certificate (which it should use to authenticate itself to clients). That
certificate does not match the key which bbstored-config generated for the
server (in /etc/boxbackup/bbstored/localhost-key.pem), and it detects that
and refuses to start.

Could you try signing the certificate request in
/etc/boxbackup/bbstored/JaxToyMB-csr.pem and installing the resulting
certificate instead?

Were you following some instructions which are incorrect and should be
updated or clarified?

Thanks, Chris.

On Sun, 9 Feb 2020 at 16:25, Jack Warkentin <jwark at bellaliant.net> wrote:

> Hi Chris
>
> Thank you for your prompt reply to my message. I should have provided
> the following information in my original posting.
>
> $ uname -a
> Linux JaxToyMB 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
>
> As you can see from the attached sources.list file, I am running Debian
> buster plus a few packages from Devuan beowulf. Since I am running
> without systemd, I needed a source for XFCE that didn't depend on
> systemd, hence my use of Devuan.
>
> But the version of Box Backup I am using is from Debian's experimental
> stream. Because of the change in Debian to the higher security level, I
> wanted a version that would use that higher security level, and the
> experimental version seemed the most likely version to include that.
>
> $ dpkg-query -l 'boxbackup*'
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name             Version                      Architecture Description
> +++-================-============================-============-=========
> ii  boxbackup-server 0.13~~git20190527.g039c4a1-2 amd64        server for the BoxBackup remote backup system
>
> If I had got that far, the client version would have been
>
> boxbackup-client_0.13~~git20190527.g039c4a1-2_amd64.deb
>
> As you can see from the file I attached to my first email, all the
> dependencies for the experimental boxbackup-server version were already
> met by my system. I didn't have to find newer versions of any other
> packages in order for the experimental boxbackup-server version to be
> installed.
>
> The other available versions from Debian are listed in the other
> attached file.
>
> I hope this helps.
>
> Regards
>
> Jack
>
>
> Chris Wilson wrote:
> > Hi Jack,
> >
> > I'm sorry you had a bad experience with the installation. I think that
> > the version you installed does not have the fix to Debian bug 907135,
> > which may well be causing your issues. I'm surprised that you didn't get
> > a more recent version with the fix (Git commit 55aacf5 or later) -
> > perhaps it has not been pushed out to Debian mainstream. I'm copying our
> > Debian package maintainer for help with that. Which version of Debian do
> > you have installed? And do you have the backports repo enabled?
> >
> > Thanks, Chris.
> >
> > On Fri, 7 Feb 2020 at 20:17, Jack Warkentin <jwark at bellaliant.net> wrote:
> >
> >     Hi
> >
> >     I have been having difficulty installing Box Backup on my Debian system.
> >     This morning I did a complete reinstall of both the server and the
> >     client. I didn't check the logs after starting the server, but when I
> >     had everything apparently successfully installed I discovered that the
> >     server would not start properly.
> >
> >     So I purged the client and server packages and did a complete reinstall
> >     of the server. After trying to start the server I checked the logs and
> >     discovered these error messages.
> >
> >     Feb  7 14:24:08 JaxToyMB bbstored[22790]: ERROR: SSL or crypto error:
> >     loading private key: error:0B080074:x509 certificate
> >     routines:X509_check_private_key:key values mismatch
> >     Feb  7 14:24:08 JaxToyMB bbstored[22790]: WARNING: Exception thrown:
> >     ServerException(TLSLoadPrivateKeyFailed) (Failed to load private key
> >     from /etc/boxbackup/bbstored/JaxToyMB-key.pem: error:0B080074:x509
> >     certificate routines:X509_check_private_key:key values mismatch) at
> >     lib/server/TLSContext.cpp:140
> >     Feb  7 14:24:08 JaxToyMB bbstored[22790]: FATAL: Terminating due to
> >     exception TLSLoadPrivateKeyFailed: Failed to load private key from
> >     /etc/boxbackup/bbstored/JaxToyMB-key.pem: error:0B080074:x509
> >     certificate routines:X509_check_private_key:key values mismatch (3/26)
> >
> >     These were the same errors that occurred during the previous attempt.
> >
> >     Since I had just gone through what I thought was a perfect
> >     installation, I have no understanding of how this could have happened.
> >
> >     I have attached a file containing the complete record of the latest
> >     attempt. It has long lines, some greater than 190 chars (the max my
> >     screen can hold). Any help you can give as to what I am doing wrong
> >     would be much appreciated.
> >
> >     Regards
> >
> >     Jack
> >
> >     Jack Warkentin, phone 902-404-0457, email jwark at bellaliant.net
> >     39 Inverness Avenue, Halifax, Nova Scotia, Canada, B3P 1X6
> >     _______________________________________________
> >     Boxbackup mailing list
> >     Boxbackup at boxbackup.org <mailto:Boxbackup at boxbackup.org>
> >     http://lists.boxbackup.org/mailman/listinfo/boxbackup
> >
> >
> >
> >
>
> --
> Jack Warkentin, phone 902-404-0457, email jwark at bellaliant.net
> 39 Inverness Avenue, Halifax, Nova Scotia, Canada, B3P 1X6
>
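
Added example (not part of the original message, and not Box Backup's own code): the "key values mismatch" error in this thread means the installed certificate carries a different public key from the server's private key, and that can be checked with openssl before a certificate is copied into place. The function names and sample file names below are hypothetical; the sample keys and certificates are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example. Run as "sh check-cert.sh demo"; sample files are constructed
# in a temp dir, nothing under /etc/boxbackup is read or written.

# Exit 0 if the certificate in $1 carries the public key of private key $2,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Same check for a certificate request, run before it is sent for signing.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Build constructed sample files in directory $1.
make_samples() {
    openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null
    openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/server-key.pem" -subj "/CN=sample-server" \
        -out "$1/server-csr.pem" 2>/dev/null
    # Stand-in for the certificate issued from server-csr.pem.
    openssl req -new -x509 -days 1 -key "$1/server-key.pem" \
        -subj "/CN=sample-server" -out "$1/server-cert.pem" 2>/dev/null
    # Stand-in for a certificate made for a different key pair.
    openssl req -new -x509 -days 1 -key "$1/other-key.pem" \
        -subj "/CN=sample-other" -out "$1/other-cert.pem" 2>/dev/null
}

# Refuse to install a certificate that does not belong to the key.
install_cert() {   # usage: install_cert CERT KEY DEST
    cert_matches_key "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; return 1; }
    cp -p "$1" "$3"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    install_cert "$d/server-cert.pem" "$d/server-key.pem" "$d/installed.pem" && echo "installed"
    install_cert "$d/other-cert.pem" "$d/server-key.pem" "$d/installed.pem" || echo "blocked"
    rm -rf "$d"
fi
```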