
Re: Setup NBD with TLS

Following the guide of nbdkit everything worked out.


On 16/07/2022 22:29, Turakar wrote:

An addition: A similar error occurs if I only use encryption and no authentication:

$ nbd-client localhost /dev/nbd1 -N export -n -x
Negotiation: ..Error: Read failed: Connection reset by peer
E: received invalid negotiation magic 11567081237618425856 (expected 1100100111001001)

On 16/07/2022 14:40, Turakar wrote:


I am currently trying to set up nbd-server/nbd-client with TLS authentication, but I ran into some difficult error messages. If this is the wrong list for support, please feel free to redirect me.

I use one system (Debian 10) for both nbd-server and nbd-client for debugging, but want to move to separate hosts later. I used the following nbd-server config file:

       user = root
       group = root
       includedir = /etc/nbd-server/conf.d

       allowlist = true

# TLS setup
       force_tls = true
       cacertfile = /etc/nbd-server/certificates/ca.cert.pem
       certfile = /etc/nbd-server/certificates/server.cert.pem
       keyfile = /etc/nbd-server/certificates/server.key.pem

       exportname = /dev/system/nixos
       flush = true

I created the certificates as follows:

$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 36500 -key ca.key -out ca.cert.pem
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 36500 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt
$ openssl genrsa -out client.key.pem 4096
$ openssl req -new -key client.key.pem -out client.csr
$ openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -days 36500 -sha512 -out clien

And use the following command for testing the connection:

$ nbd-client -l localhost -certfile /etc/nbd-server/certificates/client.cert.pem -keyfile /etc/nbd-server/certificates/client.key.pem -cacertfile /etc/nbd-server/certificates/ca.cert.pem -n
Negotiation: ..
Error: Reading magic from server: Connection reset by peer

Thereby, the server log says this:

Jul 16 14:21:28 mini systemd[1]: Started LSB: Network Block Device server.
Jul 16 14:21:30 mini nbd_server[26099]: Spawned a child process
Jul 16 14:21:30 mini nbd_server[26099]: Child exited with 1

Not that informative... Can one of you spot the problem in my configuration?

Remarks: If I set force_tls = False and do not use the certificates with nbd-client, it works fine. However, I need TLS encryption for my use case.

Thank you and kind regards,
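
A pre-flight check for the certificate files that the server configuration and the nbd-client command above point to, as an added example that is not part of the original thread. It confirms that each file exists, that the certificate chains to the CA, and that the private key belongs to the certificate. `check_pair` and `make_test_chain` are hypothetical helper names, and the throwaway chain uses 2048-bit keys and one-day validity only to keep the sample quick.

```shell
#!/bin/sh
# Added example: sanity-check a CA / certificate / key triple before handing it
# to nbd-server (cacertfile, certfile, keyfile) or nbd-client.

# check_pair CA CERT KEY
# Returns 0 if all is well, 2 if a file is missing, 3 if CERT does not chain
# to CA, 4 if KEY is not the private key for CERT.
check_pair() {
    cp_ca=$1; cp_cert=$2; cp_key=$3
    for cp_f in "$cp_ca" "$cp_cert" "$cp_key"; do
        [ -r "$cp_f" ] || { echo "missing or unreadable: $cp_f" >&2; return 2; }
    done
    openssl verify -CAfile "$cp_ca" "$cp_cert" >/dev/null 2>&1 \
        || { echo "$cp_cert does not chain to $cp_ca" >&2; return 3; }
    # Compare the public key in the certificate with the one derived from the key file.
    cp_cert_pub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) || return 4
    cp_key_pub=$(openssl pkey -in "$cp_key" -pubout 2>/dev/null) || return 4
    [ "$cp_cert_pub" = "$cp_key_pub" ] \
        || { echo "$cp_key does not match $cp_cert" >&2; return 4; }
}

# make_test_chain DIR
# Builds a constructed, throwaway CA plus server and client certificates in DIR,
# using the *.cert.pem / *.key.pem names the configuration refers to.
make_test_chain() {
    tc_d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$tc_d/ca.key" -out "$tc_d/ca.cert.pem" 2>/dev/null || return 1
    for tc_name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$tc_name" \
            -keyout "$tc_d/$tc_name.key.pem" -out "$tc_d/$tc_name.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$tc_d/$tc_name.csr" -CA "$tc_d/ca.cert.pem" \
            -CAkey "$tc_d/ca.key" -CAcreateserial -days 1 -sha256 \
            -out "$tc_d/$tc_name.cert.pem" 2>/dev/null || return 1
    done
}
```

Against a real setup, call it once per side, for example `check_pair ca.cert.pem server.cert.pem server.key.pem`, with the exact paths from the configuration file and the nbd-client command line.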
