On 8 Mar 2006 at 15:30, Andreas Aronsson wrote:

> Hello!
>
> I'm new to this list, but I got a lot of time invested in this. Any
> pointers much appreciated...
> I'm trying to get bacula to work using TLS.
> Running Gentoo Linux.
> I have started out trying to backup the same host as the one the
> director's residing on, i.e. dir, sd and fd on the same host.
> All is dandy with an ordinary setup (no TLS).
> Bacula version 1.38.5
>
> Relevant config as follows (tried to follow
> http://sourceforge.net/mailarchive/forum.php?thread_id=8938828&forum_id=8650
> ):
>
> /////////// start config files
>
> bconsole.conf:
> Director {
>   Name = xxxxx-dir
>   ....
>   TLS Require = yes
>   TLS CA Certificate File = /etc/bacula/master.cert
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
>
> bacula-dir.conf:
> Director {                            # define myself
>   Name = xxxxx-dir
>   ....
>   TLS Enable = yes
>   TLS Verify Peer = yes
>   TLS Allowed CN = "this.example.cxx"
>   TLS CA Certificate File = /etc/bacula/master.cert
>   # This is a server certificate, used for incoming
>   # console connections.
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
> .....
> Client {
>   Name = xxxxx-fd
>   Address = this.example.cxx
>   ....
>   TLS Require = yes
>   TLS CA Certificate File = /etc/bacula/master.cert
>   # This is a client certificate, used by the director to
>   # connect to the remote file daemon.
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
>
> bacula-fd.conf:
> Director {
>   Name = xxxxx-dir
>   .....
>   TLS Require = yes
>   TLS Verify Peer = yes
>   # Allow only the Director to connect
>   TLS Allowed CN = "this.example.cxx"
>   TLS CA Certificate File = /etc/bacula/master.cert
>   # This is a server certificate. It is used by connecting
>   # directors to verify the authenticity of this file daemon
In my case, the above certificate is the root cert for cacert.org. Is that what you are using here?

>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
>
> bacula-sd.conf:
>
> Storage {                             # definition of myself
>   Name = xxxxx-sd
>   .....
>   # These TLS configuration options are used for incoming
>   # file daemon connections. Director TLS settings are handled
>   # below.
>   TLS Enable = yes
>   # Peer certificate is not required/requested -- peer validity
>   # is verified by the storage connection cookie provided to the
>   # File Daemon by the director.
>   TLS Verify Peer = no
>   TLS CA Certificate File = /etc/bacula/master.cert
>   # This is a server certificate. It is used by connecting
>   # file daemons to verify the authenticity of this storage daemon
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxx/key.pem
> }
>
> .....
>
> Director {
>   Name = xxxxx-dir
>   .....
>   TLS Require = yes
>   # Require the connecting director to provide a certificate
>   # with the matching CN.
>   TLS Verify Peer = yes
>   TLS Allowed CN = "this.example.cxx"
>   TLS CA Certificate File = /etc/bacula/master.cert
>   # This is a server certificate.
>   # It is used by the connecting
>   # director to verify the authenticity of this storage daemon
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
>
>
> /////////// end config files
>
> # Now, I've tried with a bought and paid for cert and I get this error
> message at bconsole:
>
> 08-Mar 15:03 bconsole: ERROR in tls.c:107 Error with certificate at
> depth: 0, issuer =xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxx ERR=20:unable to get local issuer certificate
> 08-Mar 15:03 bconsole: ERROR in tls.c:83 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> TLS negotiation failed
>
> # I have tried with a cacert.org certificate:
>
> 08-Mar 15:22 bconsole: ERROR in tls.c:107 Error with certificate at
> depth: 0, issuer = /O=Root CA/OU=http://www.cacert.org/CN=CA Cert
> Signing Authority/[EMAIL PROTECTED], subject =
> /CN=this.example.cxx, ERR=20:unable to get local issuer certificate
> 08-Mar 15:22 bconsole: ERROR in tls.c:83 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed

I think this means you don't have the certificate of the issuer available. This would be used to validate the certificate being presented.
> # I have also tried with selfsigned certs, one for each daemon according
> to these instructions:
> # http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html
>
> 08-Mar 15:26 bconsole: ERROR in tls.c:107 Error with certificate at
> depth: 0, issuer =
> /C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED],
> subject =
> /C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED],
> ERR=18:self signed certificate
> 08-Mar 15:26 bconsole: ERROR in tls.c:83 Connect failure:
> ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users