Hello!
I'm new to this list, but I've got a lot of time invested in this. Any
pointers much appreciated...
I'm trying to get bacula to work using TLS.
Running Gentoo Linux.
I have started out trying to back up the same host as the one the
director's residing on, i.e. dir, sd and fd on the same host.
All is dandy with an ordinary setup (no TLS).
Bacula version 1.38.5
Relevant config as follows (tried to follow
http://sourceforge.net/mailarchive/forum.php?thread_id=8938828&forum_id=8650
):
/////////// start config files
bconsole.conf:
Director {
  Name = xxxxx-dir
  ....
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/master.cert
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-dir.conf:
Director {  # define myself
  Name = xxxxx-dir
  ....
  TLS Enable = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
  # This is a server certificate, used for incoming console connections.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}
.....
Client {
  Name = xxxxx-fd
  Address = this.example.cxx
  ....
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/master.cert
  # This is a client certificate, used by the director to connect to the
  # remote file daemon.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-fd.conf:
Director {
  Name = xxxxx-dir
  .....
  TLS Require = yes
  TLS Verify Peer = yes
  # Allow only the Director to connect
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
  # This is a server certificate. It is used by connecting directors to
  # verify the authenticity of this file daemon.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-sd.conf:
Storage {  # definition of myself
  Name = xxxxx-sd
  .....
  # These TLS configuration options are used for incoming file daemon
  # connections. Director TLS settings are handled below.
  TLS Enable = yes
  # Peer certificate is not required/requested -- peer validity is verified
  # by the storage connection cookie provided to the File Daemon by the
  # director.
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/master.cert
  # This is a server certificate. It is used by connecting file daemons to
  # verify the authenticity of this storage daemon.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxx/key.pem
}
.....
Director {
  Name = xxxxx-dir
  .....
  TLS Require = yes
  # Require the connecting director to provide a certificate with the
  # matching CN.
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
  # This is a server certificate. It is used by the connecting director to
  # verify the authenticity of this storage daemon.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}
/////////// end config files
# Now, I've tried with a bought-and-paid-for cert and I get this error
message at bconsole:
08-Mar 15:03 bconsole: ERROR in tls.c:107 Error with certificate at
depth: 0, issuer =xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxx ERR=20:unable to get local issuer certificate
08-Mar 15:03 bconsole: ERROR in tls.c:83 Connect failure:
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
TLS negotiation failed
# I have tried with a cacert.org certificate:
08-Mar 15:22 bconsole: ERROR in tls.c:107 Error with certificate at
depth: 0, issuer = /O=Root CA/OU=http://www.cacert.org/CN=CA Cert
Signing Authority/[EMAIL PROTECTED], subject =
/CN=this.example.cxx, ERR=20:unable to get local issuer certificate
08-Mar 15:22 bconsole: ERROR in tls.c:83 Connect failure:
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
# I have also tried with self-signed certs, one for each daemon, according
to these instructions:
#
http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html
08-Mar 15:26 bconsole: ERROR in tls.c:107 Error with certificate at
depth: 0, issuer =
/C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED],
subject =
/C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED],
ERR=18:self signed certificate
08-Mar 15:26 bconsole: ERROR in tls.c:83 Connect failure:
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
--
Andreas Aronsson
Mobil: +46 704 566 595
www.aron.nu
"I'd rather have friends who care than friends who agree with me."
- Arlo Guthrie
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
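The two OpenSSL error numbers in the bconsole log above are standard X509 verify results, and Bacula's tls.c loads the file named by "TLS CA Certificate File" as the OpenSSL CA file used for that check. Error 20 at depth 0 (unable to get local issuer certificate) means the certificate presented by the peer was issued by a CA whose certificate is not in that file, which is what happens when a bought or cacert.org certificate is used but the issuing CA (and any intermediate) is not in master.cert. Error 18 (self signed certificate) means the presented certificate is its own issuer and is not itself in that file, which is what happens with one self-signed certificate per daemon unless every daemon's certificate is concatenated into the CA file. The script below is an added example and is not from the original post or from the Bacula project: it builds throwaway certificates with the openssl CLI (assumed installed), reproduces both errors with "openssl verify -CAfile", and shows a CA file that satisfies both kinds of certificate. The CN "this.example.cxx" and all file names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the two OpenSSL
# verification errors from the bconsole log with throwaway certificates, and
# show what the file named by "TLS CA Certificate File" must contain for a
# CA-issued certificate versus a per-daemon self-signed certificate.
# Assumes the openssl CLI; the CN "this.example.cxx" and the file names are
# illustrative, and everything is generated in a temporary directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned DIR NAME CN: key plus self-signed certificate (1-day validity).
# Used both for the throwaway CA and for the "one self-signed cert per daemon" case.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_signed DIR NAME CA CN: key plus certificate issued by CA (the bought or
# cacert.org case, where the daemon cert is NOT its own issuer).
make_signed() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -out "$1/$2.pem" >/dev/null 2>&1
}

# verify_code CAFILE CERT: echoes 0 if CERT chains to something in CAFILE,
# otherwise the OpenSSL X509 verify error number. This is the same check the
# daemons perform on the peer certificate with the configured CA file:
#   20 = unable to get local issuer certificate (issuer missing from CAFILE)
#   18 = self signed certificate (CERT is its own issuer and is not in CAFILE)
# The output text is parsed rather than the exit status because older
# "openssl verify" builds exit 0 even when verification fails.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" | grep -o 'error [0-9]* at' | head -n 1 | awk '{print $2}' || true)
    if [ -n "$code" ]; then echo "$code"; else echo 0; fi
}

make_selfsigned "$WORK" ca "Throwaway Bacula CA"
make_signed     "$WORK" fd ca this.example.cxx   # CA-issued daemon cert
make_selfsigned "$WORK" sd this.example.cxx      # self-signed daemon cert

# A CA file that works for both kinds of certificate: the issuing CA plus
# every self-signed daemon certificate, concatenated in PEM form.
cat "$WORK/ca.pem" "$WORK/sd.pem" > "$WORK/master.cert"

# report LABEL CAFILE CERT: one line per scenario with the verify result.
report() { printf '%-52s -> %s\n' "$1" "$(verify_code "$2" "$3")"; }
report "CA-issued cert, CA file holds its issuer"          "$WORK/ca.pem"      "$WORK/fd.pem"
report "CA-issued cert, CA file lacks its issuer (err 20)" "$WORK/sd.pem"      "$WORK/fd.pem"
report "self-signed cert not in CA file (err 18)"          "$WORK/ca.pem"      "$WORK/sd.pem"
report "CA-issued cert, bundled CA file"                   "$WORK/master.cert" "$WORK/fd.pem"
report "self-signed cert listed in bundled CA file"        "$WORK/master.cert" "$WORK/sd.pem"
```

The same verify_code check, run by hand against the real files (openssl verify -CAfile /etc/bacula/master.cert /etc/ssl/xxxxx/cert.pem), tells you before touching Bacula whether a given daemon certificate will pass the peer check with the configured CA file. Note that concatenating every daemon's self-signed certificate into the CA file means each of those certificates is a trust anchor for all daemons, so the "TLS Allowed CN" restriction is what keeps one daemon's certificate from being accepted in another role.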