
Re: Setup NBD with TLS



Glad to hear everything is sorted.

Could you clarify how you managed to fix it in the end? I'm trying to
figure out which part of the documentation is unclear, so we can clarify
that for future users.

On Wed, Jul 20, 2022 at 11:37:45AM +0200, Turakar wrote:
>    Following the nbdkit guide, everything worked out.
> 
>    [1]https://libguestfs.org/nbdkit-tls.1.html
> 
>    On 16/07/2022 22:29, Turakar wrote:
> 
>    An addition: A similar error occurs if I only use encryption and no
>    authentication:
> 
>    $ nbd-client localhost /dev/nbd1 -N export -n -x
>    Negotiation: ..Error: Read failed: Connection reset by peer
>    E: received invalid negotiation magic 11567081237618425856 (expected
>    1100100111001001)
> 
>    On 16/07/2022 14:40, Turakar wrote:
> 
>    Hello,
> 
>    I am currently trying to set up nbd-server/nbd-client with TLS
>    authentication, but I ran into some difficult error messages. If this
>    is the wrong list for support, please feel free to redirect me.
> 
>    I use one system (Debian 10) for both nbd-server and nbd-client for
>    debugging, but want to move to separate hosts later. I used the
>    following nbd-server config file:
> 
>    [generic]
>           user = root
>           group = root
>           includedir = /etc/nbd-server/conf.d
>           allowlist = true
>    # TLS setup
>           force_tls = true
>           cacertfile = /etc/nbd-server/certificates/ca.cert.pem
>           certfile = /etc/nbd-server/certificates/server.cert.pem
>           keyfile = /etc/nbd-server/certificates/server.key.pem
>    [export]
>           exportname = /dev/system/nixos
>           flush = true
> 
>    I created the certificates as follows:
> 
>    $ openssl genrsa -des3 -out ca.key 4096
>    $ openssl req -new -x509 -days 36500 -key ca.key -out ca.cert.pem
>    $ openssl genrsa -out server.key 4096
>    $ openssl req -new -key server.key -out server.csr
>    $ openssl x509 -req -days 36500 -in server.csr -CA ca.cert.pem \
>          -CAkey ca.key -CAcreateserial -out server.crt
>    $ openssl genrsa -out client.key.pem 4096
>    $ openssl req -new -key client.key.pem -out client.csr
>    $ openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key \
>          -CAcreateserial -days 36500 -sha512 -out client.cert.pem
> 
>    And use the following command for testing the connection:
> 
>    $ nbd-client -l localhost \
>          -certfile /etc/nbd-server/certificates/client.cert.pem \
>          -keyfile /etc/nbd-server/certificates/client.key.pem \
>          -cacertfile /etc/nbd-server/certificates/ca.cert.pem -n
>    Negotiation: ..
>    Error: Reading magic from server: Connection reset by peer
>    Exiting.
> 
>    Thereby, the server log says this:
> 
>    Jul 16 14:21:28 mini systemd[1]: Started LSB: Network Block Device
>    server.
>    Jul 16 14:21:30 mini nbd_server[26099]: Spawned a child process
>    Jul 16 14:21:30 mini nbd_server[26099]: Child exited with 1
> 
>    Not that informative... Can one of you spot the problem in my
>    configuration?
> 
>    Remarks: If I set force_tls = False and do not use the certificates
>    with nbd-client, it works fine. However, I need TLS encryption for my
>    use case.
> 
>    Thank you and kind regards,
>    Turakar
> 
> References
> 
>    1. https://libguestfs.org/nbdkit-tls.1.html

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}