3 Client PCs Backup To Repository Server - How To?


I have succeeded in running the command:

kopia server user add bob@desktop345abc --config-file=/path/to/my/backup.config --user-password=bobsconnectpassword --password=repopassword

The above kopia server user add… replied with:

Updated user credentials will take effect in 5-10 minutes or when the server is restarted. To refresh credentials in a running server use ‘kopia server refresh’ command.

So I figured I’d move things along and tried kopia server refresh… That command seems to require a --server-control-username and --server-control-password yet I could not find how/where these credentials are ever created. Could use guidance there for one item.

I then install the Windows GUI client on one of the PCs and feel the best choice must be the Kopia Repository Server as shown below:

It then prompts me for the server address, which I know; however, I have no idea how to produce this trusted server certificate fingerprint, or whether it is even needed, or is it an alternative to the path?

I then move forward and initially it throws this error:
dns resolver: missing port after port-separator colon
However I am using nginx reverse proxy and as a result a url only. That said, I realized I could not get past this without entering a port. So I appended the correct :xxxx

Then it comes to a new error
unable to initialize session: rpc error: code = PermissionDenied desc = access denied for Bob@Desktop345ABC: EOF

I noticed it automatically used the capitalized username of the PC, i.e., Bobs@, but when typing the earlier command kopia server user add it required all lowercase of the user information. Not sure if that plays into that permission error.

So then I switch the URL being used to the IP address of the server xxx.xx.xx.xxx:portnum and I’m getting the message
rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.5 because it doesn't contain any IP SANs"

In the end I was never able to connect to the repo. I cannot find clear documentation on this part of the process and was wondering if anyone here has been down this road and can offer their expertise.

What sayeth the group?

Thanks.

Jay / CompuMatter

Have a look here

Thank you. I had previously discovered that post. It appears to demonstrate server-control-password being assigned to a temporary environment variable and --server-control-username passed within the starting of the server but beyond that does not explain in the least of ways where either are being used and why one is being passed as a temp environment variable.

In my setup it seems the only place I use “kopia server start…” is in starting the webui environment. Should I be passing --server-username= --server-password= when starting the webgui to provide those values the kopia server refresh will be needing?

I was looking for some definitive clarity on the subject.

KOPIA_PASSWORD="<password-for-the-repository>" \
KOPIA_SERVER_CONTROL_PASSWORD="<server-control-password>" \
  kopia server start \
    --tls-generate-cert \
    --tls-cert-file ~/my.cert \
    --tls-key-file ~/my.key \
    --address 0.0.0.0:51515 \
    --server-control-username control

When it starts the first time it will display the fingerprint you are asking about. So start it the first time from the command line, take note, and then remove the options to generate certificates (as per the docs) for subsequent starts:

Note that when starting the server again the --tls-generate-cert must be omitted, otherwise the server will fail to start.

The other option is to retrieve the fingerprint later:

$ openssl x509 -in ~/my.cert -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =

Without the fingerprint the client cannot authenticate the SSL session.

I can only guess that the idea behind it was to have some certificate validation and make it simple. Using a basic fingerprint is easier (and good enough) than creating certification authority certs and building a chain of trust on both server and client etc.
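An added example, not written by any poster in this thread: it generates a throwaway certificate, prints its fingerprint with the same openssl pipeline as above, and checks whether the certificate's names cover the address a client would dial, which is the check behind the "doesn't contain any IP SANs" error quoted earlier. The host name backup.example.test and the function names are assumptions; 192.168.10.5 is the address from that error message. It needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example; the certificate is a constructed throwaway, not the thread's.

# Self-signed cert whose only SAN is a DNS name (hypothetical host name).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/demo.key" -out "$1/demo.cert" \
    -subj "/CN=backup.example.test" \
    -addext "subjectAltName=DNS:backup.example.test" 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a PEM file, colons removed
# (same pipeline as in the answer above).
kopia_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =
}

# Exit 0 only if the certificate's names cover what the client will dial.
cert_covers() (
  case $2 in
    ''|*[!0-9.]*) flag=-checkhost ;;   # anything besides digits/dots: DNS name
    *)            flag=-checkip ;;     # digits and dots only: IPv4 address
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
)

demo() {
  dir=$(mktemp -d) || return 1
  make_demo_cert "$dir" || return 1
  echo "fingerprint: $(kopia_fingerprint "$dir/demo.cert")"
  for target in backup.example.test 192.168.10.5; do
    if cert_covers "$dir/demo.cert" "$target"; then
      echo "$target: covered by certificate"
    else
      echo "$target: NOT covered by certificate"
    fi
  done
  rm -rf "$dir"
}
demo
```

The fingerprint is a hash of the certificate itself, so it changes whenever the certificate is reissued or renewed and has to be updated on every client that pins it.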

Thanks. The only place I use a kopia server start command is via a systemd service to start the webgui for the browser based view which looks like this:

ExecStart=/usr/bin/kopia server start --address=http://0.0.0.0:${web_port} --log-file=${log_file} --config-file=${config_file} -p ${password} --tls-cert-file=/etc/letsencrypt/live/${server_domain}/fullchain.pem --tls-key-file=/etc/letsencrypt/live/${server_domain}/privkey.pem --server-username=${web_gui_username} --server-password=${web_gui_password} --description='{$backup_description}'

So in my case I think you are saying I retrieve the fingerprint running

openssl x509 -in /etc/letsencrypt/live/${server_domain}/fullchain.pem -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =

This does in fact return a string :slight_smile:

1 Like

OK thanks in large part to @kapitainsky I’ve got the clients connected to the repository server. I created a short video which should benefit new Kopia adoptees in getting through that process:

2 Likes