On 8 Mar 2006 at 16:25, Andreas Aronsson wrote:

> Alright, continuing with the "cacert-track".
>
> I changed the master cert to
>
> /etc/ssl/certs/cacert.org.pem
>
> and got:
>
> 08-Mar 15:55 bconsole: Fatal error: bnet.c:502 TLS host certificate
> verification failed. Host xxxxx did not match presented certificate
> TLS negotiation failed Director authorization problem.
>
> Then I changed the address directive to equal the CN in the cert
> and I'm in (=
> Thanks Dan!
>
> Now I can use bconsole over TLS.

Good!

> But, when I start a job with 'run' and select one I get:
>
> 08-Mar 16:12 xxxxx-dir: xxxxx.2006-03-08_16.12.42 Fatal error:
> Authorization problem: Remote server requires TLS.
>
> This tells me that the director cannot use TLS when it's contacting
> the filedaemon(fd), but bacula-dir.conf looks like:
>
> Director {                            # define myself
>   Name = xxxxx-dir
>   ....
>   TLS Enable = yes
>   TLS Verify Peer = yes
>   TLS Allowed CN = "this.example.cxx"
>   TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
>   # This is a server certificate, used for incoming
>   # console connections.
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem
> }
>
> and bacula-fd.conf:
>
> # List Directors who are permitted to contact this File daemon
> #
> Director {
>   Name = xxxxx-dir
>   .....
>   TLS Require = yes
>   TLS Verify Peer = no

shouldn't this be yes?  It is for me.

>   # Allow only the Director to connect
>   TLS Allowed CN = "this.example.cxx"

This must be the director.  Is it?

>   TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
>   # This is a server certificate. It is used by connecting
>   # directors to verify the authenticity of this file daemon
>   TLS Certificate = /etc/ssl/xxxxx/cert.pem
>   TLS Key = /etc/ssl/xxxxx/key.pem

This must be the cert for the director.  Is it?

> SO the director should be able to TLS, and the fd should let the
> director in, no?

Yes.  Also, do your certs have the passwords removed?

> Dan Langille wrote:
> > On 8 Mar 2006 at 15:30, Andreas Aronsson wrote:
> >
> > > Hello!
> > > I'm new to this list, but I got a lot of time invested in this.
> > > Any pointers much appreciated... I'm trying to get bacula to work
> > > using TLS. Running Gentoo Linux. I have started out trying to
> > > backup the same host as the one the director's residing on. IE
> > > dir, sd and fd on the same host. All is dandy with an ordinary
> > > setup ( no TLS ) Bacula version 1.38.5
> > >
> > > Relevant config as follows (tried to follow
> > > http://sourceforge.net/mailarchive/forum.php?thread_id=8938828&forum_id=8650 ) :
> > >
> > > /////////// start config files
> > >
> > > bconsole.conf:
> > > Director {
> > >   Name = xxxxx-dir
> > >   ....
> > >   TLS Require = yes
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxxx/key.pem
> > > }
> > >
> > > bacula-dir.conf:
> > > Director {                            # define myself
> > >   Name = xxxxx-dir
> > >   ....
> > >   TLS Enable = yes
> > >   TLS Verify Peer = yes
> > >   TLS Allowed CN = "this.example.cxx"
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   # # This is a server certificate, used for incoming
> > >   # # console connections.
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxxx/key.pem
> > > }
> > > .....
> > > Client {
> > >   Name = xxxxx-fd
> > >   Address = this.example.cxx
> > >   ....
> > >   TLS Require = yes
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   # This is a client certificate, used by the director to
> > >   # connect to the remote file daemon.
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxxx/key.pem
> > > }
> > >
> > > bacula-fd.conf:
> > > Director {
> > >   Name = xxxxx-dir
> > >   .....
> > >   TLS Require = yes
> > >   TLS Verify Peer = yes
> > >   # Allow only the Director to connect
> > >   TLS Allowed CN = "this.example.cxx"
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   # This is a server certificate. It is used by connecting
> > >   # directors to verify the authenticity of this file daemon
> >
> > In my case, the above certificate is the root cert for
> > cacert.org.  Is that what you are using here?
> >
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxxx/key.pem
> > > }
> > >
> > > bacula-sd.conf:
> > >
> > > Storage {                             # definition of myself
> > >   Name = xxxxx-sd
> > >   .....
> > >   # These TLS configuration options are used for incoming
> > >   # file daemon connections. Director TLS settings are handled
> > >   # below.
> > >   TLS Enable = yes
> > >   # Peer certificate is not required/requested -- peer validity
> > >   # is verified by the storage connection cookie provided to the
> > >   # File Daemon by the director.
> > >   TLS Verify Peer = no
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   # This is a server certificate. It is used by connecting
> > >   # file daemons to verify the authenticity of this storage daemon
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxx/key.pem
> > > }
> > >
> > > .....
> > >
> > > Director {
> > >   Name = xxxxx-dir
> > >   .....
> > >   TLS Require = yes
> > >   # # Require the connecting director to provide a certificate
> > >   # # with the matching CN.
> > >   TLS Verify Peer = yes
> > >   TLS Allowed CN = "this.example.cxx"
> > >   TLS CA Certificate File = /etc/bacula/master.cert
> > >   # # This is a server certificate. It is used by the connecting
> > >   # # director to verify the authenticity of this storage daemon
> > >   TLS Certificate = /etc/ssl/xxxxx/cert.pem
> > >   TLS Key = /etc/ssl/xxxxx/key.pem
> > > }
> > >
> > > /////////// end config files
> > >
> > > # Now, I've tried with a bought and paid for cert and I get this
> > > error message at bconsole:
> > >
> > > 08-Mar 15:03 bconsole: ERROR in tls.c:107 Error with certificate
> > > at depth: 0, issuer =xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > > ERR=20:unable to get local issuer certificate
> > > 08-Mar 15:03 bconsole: ERROR in tls.c:83 Connect failure:
> > > ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > TLS negotiation failed
> > >
> > > # I have tried with a cacert.org certificate:
> > >
> > > 08-Mar 15:22 bconsole: ERROR in tls.c:107 Error with certificate
> > > at depth: 0, issuer = /O=Root CA/OU=http://www.cacert.org/CN=CA
> > > Cert Signing Authority/[EMAIL PROTECTED], subject =
> > > /CN=this.example.cxx, ERR=20:unable to get local issuer
> > > certificate
> > > 08-Mar 15:22 bconsole: ERROR in tls.c:83 Connect failure:
> > > ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > I think this means you don't have the certificate of the issuer
> > available.  This would be used to validate the certificate being
> > presented.
> >
> > > # I have also tried with selfsigned certs, one for each daemon
> > > according to these instructions:
> > > # http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html
> > >
> > > 08-Mar 15:26 bconsole: ERROR in tls.c:107 Error with certificate
> > > at depth: 0, issuer =
> > > /C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED]a.cxx, subject =
> > > /C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED]a.cxx,
> > > ERR=18:self signed certificate
> > > 08-Mar 15:26 bconsole: ERROR in tls.c:83 Connect failure:
> > > ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> --
> Andreas Aronsson
> Mobil: +46 704 566 595
> www.aron.nu
>
> "I'd rather have friends who care than friends who agree with me." -
> Arlo Guthrie

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
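The three failures discussed in this thread (the cert not chaining to the file named in "TLS CA Certificate File", the cert CN not matching the Address directive, and a key that still carries a passphrase) can all be checked with openssl before restarting the daemons. This is an added example, not code from the thread or from Bacula; the function name and the exit codes are my own, and the CA, cert, key and expected CN are passed in as arguments.

```shell
#!/bin/sh
# Pre-flight checks for one Bacula daemon's TLS material (added example).
# Maps to the errors seen in the thread:
#   ERR=20 / ERR=18 from tls.c        -> cert does not verify against the CA file
#   "Host ... did not match presented certificate" -> CN differs from Address
#   "do your certs have the passwords removed?"    -> key is passphrase-protected
# Usage: bacula_tls_check CA_FILE CERT_FILE KEY_FILE EXPECTED_CN
# Exit status: 0 all good, 1 chain failure, 2 CN mismatch, 3 encrypted key

bacula_tls_check() {
    ca="$1"; cert="$2"; key="$3"; expected_cn="$4"

    # 1. Chain: this is the same verification Bacula's tls.c performs
    #    against "TLS CA Certificate File".
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain check FAILED: $cert does not verify against $ca" >&2
        return 1
    fi

    # 2. CN: Bacula compares the peer's CN with the Address directive
    #    (and with "TLS Allowed CN" when Verify Peer is on).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "CN check FAILED: cert CN '$cn' != configured '$expected_cn'" >&2
        return 2
    fi

    # 3. Key: daemons cannot prompt for a passphrase, so the key must load
    #    with an empty one. A protected key makes this command fail.
    if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "key check FAILED: $key appears to be passphrase-protected" >&2
        return 3
    fi

    echo "OK: $cert chains to $ca, CN=$cn, key loads without a passphrase"
    return 0
}

# Run directly with four arguments, e.g.:
#   sh this_script.sh /etc/bacula/master.cert /etc/ssl/xxxxx/cert.pem \
#       /etc/ssl/xxxxx/key.pem this.example.cxx
if [ "$#" -eq 4 ]; then
    bacula_tls_check "$@"
fi
```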