Hello,
I am currently trying to set up nbd-server/nbd-client with TLS authentication, but I ran into some difficult error messages. If this is the wrong list for support, please feel free to redirect me.
I use one system (Debian 10) for both nbd-server and nbd-client for debugging, but want to move to separate hosts later. I used the following nbd-server config file:
[generic]
user = root
group = root
includedir = /etc/nbd-server/conf.d
allowlist = true
# TLS setup
force_tls = true
cacertfile = /etc/nbd-server/certificates/ca.cert.pem
certfile = /etc/nbd-server/certificates/server.cert.pem
keyfile = /etc/nbd-server/certificates/server.key.pem
[export]
exportname = /dev/system/nixos
flush = true
I created the certificates as follows:
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 36500 -key ca.key -out ca.cert.pem
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 36500 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt
$ openssl genrsa -out client.key.pem 4096
$ openssl req -new -key client.key.pem -out client.csr
$ openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -days 36500 -sha512 -out client.cert.pem
And use the following command for testing the connection:
$ nbd-client -l localhost -certfile /etc/nbd-server/certificates/client.cert.pem -keyfile /etc/nbd-server/certificates/client.key.pem -cacertfile /etc/nbd-server/certificates/ca.cert.pem -n
Negotiation:
..
Error: Reading magic from server: Connection reset by peer
Exiting.
Meanwhile, the server log says this:
Jul 16 14:21:28 mini systemd[1]: Started LSB: Network Block Device server.
Jul 16 14:21:30 mini nbd_server[26099]: Spawned a child process
Jul 16 14:21:30 mini nbd_server[26099]: Child exited with 1
Not that informative... Can one of you spot the problem in my configuration?
Remarks: If I set force_tls = False and do not use the certificates with nbd-client, it works fine. However, I need TLS encryption for my use case.
Thank you and kind regards,
Turakar
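A pre-flight checker for the TLS settings in a config like the one above, added here as an example; it is not part of the original message or of nbd's own code, and the function names are mine. It reads the [generic] section and flags TLS options that are unset or point at missing files, checks that a certificate and private key actually belong together, and runs a mutual-auth TLS handshake entirely in memory with Python's ssl module (no nbd-server involved) to confirm both certificates verify against the CA; hostname checking is deliberately off so only the chain and key material are exercised.

```python
import configparser
import os
import ssl
def config_findings(config_text):
    """Static checks on [generic]: TLS enforced, each cert/key option set, each file present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    generic = cp["generic"] if cp.has_section("generic") else {}
    out = []
    if generic.get("force_tls", "").lower() != "true":
        out.append("force_tls is not true: the server would also accept plaintext clients")
    for key in ("cacertfile", "certfile", "keyfile"):
        path = generic.get(key)
        if not path:
            out.append(f"{key} is not set")
        elif not os.path.isfile(path):
            out.append(f"{key} points to a missing file: {path}")
    return out
def keypair_matches(certfile, keyfile):
    """True if keyfile is the private key for certfile; a mismatch stops a TLS server at startup."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(certfile, keyfile)
        return True
    except (ssl.SSLError, OSError):  # bad pair, unreadable file, wrong format
        return False
def mutual_handshake_ok(cafile, srv_cert, srv_key, cli_cert, cli_key):
    """In-memory mutual-auth handshake: server demands a client cert signed by cafile,
    client verifies the server against the same CA. No sockets, no hostname check."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(srv_cert, srv_key)
    srv.load_verify_locations(cafile)
    srv.verify_mode = ssl.CERT_REQUIRED
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(cafile)
    cli.load_cert_chain(cli_cert, cli_key)
    cli.check_hostname = False
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()  # bytes client->server, server->client
    pending = [cli.wrap_bio(s2c, c2s, server_side=False), srv.wrap_bio(c2s, s2c, server_side=True)]
    for _ in range(16):  # alternate ends until both report a finished handshake
        if not pending:
            return True
        try:
            pending[0].do_handshake()
            pending.pop(0)
        except ssl.SSLWantReadError:  # needs the other end's next flight
            pending.append(pending.pop(0))
        except ssl.SSLError:  # chain rejected, client cert missing, key mismatch
            return False
    return not pending
```

Run it on the server host with the paths from /etc/nbd-server/config and the client files; a failure in keypair_matches or mutual_handshake_ok reproduces what nbd-server's child would hit before any log line is written.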