Sorry, accidentally pressed the send button before the mail was completed.
(Now why didn't I look into that Gmail undo-send button yesterday?)
Hi,
>
> I have installed Bacula with "# apt-get install bacula" on Debian Linux.
> I have backups that work, but they are not secured with TLS...
> When I use TLS, I get the error message:
> "Fatal error: TLS required but not configured in Bacula."
>
> How do I use TLS? Where do I configure TLS with this install?
>
Hi Sébastien,
Check out the Bacula documentation on TLS
<http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>.
The example configs are a good start.
Also check out OpenSSL docs on how to become your own Certificate Authority
so you can create your own certificates.
This may take some effort and time if you are unfamiliar with
certificates. Without the right certificates it will not work.
OpenSSL has some functionality with which you can check the certificates.
You can create some sort of server and try to connect to it but I don't
remember how that works anymore. Google for it.
It's important to start with the simplest solution (e.g. no TLS) and then
gradually add some TLS features. (So don't start with the "TLS Allowed CN"
or something like that. Add that when the plain TLS connection works.)
Also important for understanding what's going on is to figure out what
connects to what. The part about firewalls
<http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html> in
the Bacula documentation has a small and useful overview of that. For the
TLS connection the "client" is the connecting party and the server is the
party being connected to. Example: When the bacula-dir connects to the
bacula-fd, the bacula-dir is the client and the bacula-fd is the server.
(See comments in the example configs in the Director resource of the
bacula-fd config)
I have created some scripts to create and sign my own certificates because I
just can't remember the command line options for openssl. They are used in a
Fedora 6 environment so you may have to change some paths to match your
setup.
Before you can use these scripts you need:
- A proper openssl config file
Place the file location in create.sh at the [openssl.cnf] placeholder
- Your self-signed root-certificate and private key
Place them in their placeholders [ca.crt] and [ca.key] in the sign script
- Check all paths in sign.sh (/etc/pki/CA/ in my installation) and make sure
they match your setup.
(Note: The sign script is not mine, I found it on the internet somewhere and
don't remember who wrote it so I can't give credit.)
Of course this doesn't explain TLS fully but I hope this helps a bit.
Regards,
Maarten Hoogveld
*create.sh* A script to create a new key-pair and a cert-sign-request.
#!/bin/bash
# create.sh: generate a new private key and a CSR for it. The CSR is then
# handed to sign.sh, and the certificate's validity is set there (default_days),
# so "openssl req" needs no -days option (it is only used with -x509).
FILE_BASE=$1
if [ $# -ne 1 ]; then
  echo "Usage: $0 <base-filename>"
  echo " Creates a key-pair and csr (Certificate Signing Request)"
  echo " Files created are <base-filename>.key and <base-filename>.csr."
  exit 1
fi
if [ -e "${FILE_BASE}.key" ]; then
  echo "File ${FILE_BASE}.key already exists."
  echo "Exiting."
  exit 1
fi
# -nodes leaves the key unencrypted (the Bacula daemons must read it unattended),
# so restrict its permissions right away.
openssl req -config [openssl.cnf] -new -nodes \
  -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr" || exit 1
chmod 0400 "${FILE_BASE}.key"
echo "Done."
*sign.sh* A script to sign a sign-request
#!/bin/sh
# sign.sh: sign a CSR with your own CA. All CA state (CA cert and key,
# database, serial) lives under CA_DIR; adjust CA_DIR and the two
# placeholders below to match your setup.
CA_DIR=/etc/pki/CA
CA_CERT=$CA_DIR/certs/[ca.crt]
CA_KEY=$CA_DIR/private/[ca.key]
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
  echo "Usage: ${0} <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
  echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
  *.csr ) CERT="$(echo "$CSR" | sed -e 's/\.csr$/.crt/')" ;;
  * ) CERT="$CSR.crt" ;;
esac
# make sure the CA environment exists, under CA_DIR (where the config below
# points), not in whatever directory the script happens to be run from
if [ ! -d "$CA_DIR/ca.db.certs" ]; then
  mkdir "$CA_DIR/ca.db.certs"
fi
if [ ! -f "$CA_DIR/ca.db.serial" ]; then
  echo '01' >"$CA_DIR/ca.db.serial"
fi
if [ ! -f "$CA_DIR/ca.db.index" ]; then
  cp /dev/null "$CA_DIR/ca.db.index"
fi
# create an own SSLeay config
cat > "$CA_DIR/ca.config" <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = $CA_DIR
certs = $CA_DIR/certs
new_certs_dir = $CA_DIR/ca.db.certs
database = $CA_DIR/ca.db.index
serial = $CA_DIR/ca.db.serial
RANDFILE = $CA_DIR/ca.db.rand
certificate = $CA_CERT
private_key = $CA_KEY
default_days = 730
default_crl_days = 30
# md5 (the original setting here) is broken for signatures and rejected by
# current TLS stacks; sha256 is the minimum today
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate (-infiles must be the last option)
echo "CA signing: $CSR -> $CERT:"
openssl ca -config "$CA_DIR/ca.config" -out "$CERT" -infiles "$CSR" || exit 1
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile "$CA_CERT" "$CERT"
# cleanup after SSLeay
/bin/rm -f "$CA_DIR/ca.config"
/bin/rm -f "$CA_DIR/ca.db.serial.old"
/bin/rm -f "$CA_DIR/ca.db.index.old"
# die gracefully
exit 0
*export.sh* A script to tidy up the files and put them into separate
folders for archival
#!/bin/bash
# export.sh: move a finished key/cert pair into ./export/private and
# ./export/certs (key read-only for the owner) and delete the used CSR.
FILE_BASE=$1
if [ $# -ne 1 ]; then
  echo "Usage: $0 <base-filename>"
  echo " If <base-filename>.key and <base-filename>.crt exist:"
  echo " <base-filename>.key will be moved to ./export/private"
  echo " <base-filename>.crt will be moved to ./export/certs"
  echo " <base-filename>.csr will be deleted if it exists"
  exit 1
fi
if [ ! -e "${FILE_BASE}.key" ]; then
  echo "File ${FILE_BASE}.key does not exist!"
  exit 1
fi
if [ ! -e "${FILE_BASE}.crt" ]; then
  echo "File ${FILE_BASE}.crt does not exist!"
  exit 1
fi
if [ ! -d export/certs ]; then
  echo "Destination ./export/certs does not exist. Please create this directory and try again."
  exit 1
fi
if [ ! -d export/private ]; then
  echo "Destination ./export/private does not exist. Please create this directory and try again."
  exit 1
fi
mv "${FILE_BASE}.key" export/private || exit 1
chmod 0400 "export/private/${FILE_BASE}.key"
mv "${FILE_BASE}.crt" export/certs || exit 1
if [ -e "${FILE_BASE}.csr" ]; then
  rm "${FILE_BASE}.csr"
fi
echo "Done."
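The script below is an added example, written for this page; it is not part of the original mail, of Maarten's scripts, or of Bacula. It puts the steps of the answer together in one self-contained run: become your own CA (the self-signed root the sign script needs), issue one certificate for a bacula-fd and one for a bacula-dir, check both with openssl verify (and confirm a certificate from outside the CA is rejected), then do the "create some sort of server and try to connect to it" check with openssl s_server and s_client, requiring certificates on both sides the way a Bacula daemon with "TLS Verify Peer = yes" would. It assumes only the openssl command-line tool; the host names bacula-fd.example and bacula-dir.example, the port 14443, the /etc/bacula/ssl paths and the password in the printed resource are placeholders of mine, as is the 730-day validity copied from the sign script.

```shell
#!/bin/sh
# Added example, not from the original mail or from Bacula: throw-away private
# CA, one certificate each for a bacula-fd and a bacula-dir, chain check with
# openssl verify, and a mutual-TLS handshake between openssl s_server and
# openssl s_client. Host names *.example, port 14443 and /etc/bacula/ssl paths
# are assumptions; point the Bacula directives at your own files.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <dir>: self-signed root certificate + key (what sign.sh calls [ca.crt]/[ca.key]).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=Bacula Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null \
  && chmod 0400 "$1/ca.key"
}

# issue_cert <dir> <base> <cn>: key + CSR for <cn>, then a CA-signed certificate.
# The CN is what a "TLS Allowed CN" entry on the peer is matched against.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
      -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null \
  && openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 730 -sha256 -out "$1/$2.crt" 2>/dev/null \
  && chmod 0400 "$1/$2.key"
}

# verify_chain <dir> <base>: returns 0 iff <base>.crt was issued by ca.crt.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# cert_cn <file>: print the certificate's Common Name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=[ ]*.*CN=\([^,]*\).*/\1/p'
}

# handshake_check <dir> <server-base> <client-base> [port]: s_server presents the
# server cert and demands a client cert from our CA (-Verify 1); s_client verifies
# the server against the same CA and aborts on any verify error. 0 on success.
handshake_check() {
  port=${4:-14443}
  openssl s_server -accept "$port" -cert "$1/$2.crt" -key "$1/$2.key" \
      -CAfile "$1/ca.crt" -Verify 1 -quiet >/dev/null 2>&1 &
  srv=$!
  sleep 1
  rc=1
  if openssl s_client -connect "127.0.0.1:$port" -CAfile "$1/ca.crt" \
        -verify 2 -verify_return_error -cert "$1/$3.crt" -key "$1/$3.key" \
        </dev/null >/dev/null 2>&1; then
    rc=0
  fi
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  return $rc
}

# bacula_fd_director_resource <fd-base> <dir-cn>: the Director resource of
# bacula-fd.conf for the "server" side of a dir -> fd connection, with the
# director's CN pinned via TLS Allowed CN. Paths and password are illustrative.
bacula_fd_director_resource() {
  cat <<EOT
Director {
  Name = bacula-dir
  Password = "CHANGE-ME"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "$2"
  TLS CA Certificate File = /etc/bacula/ssl/ca.crt
  TLS Certificate = /etc/bacula/ssl/$1.crt
  TLS Key = /etc/bacula/ssl/$1.key
}
EOT
}

make_ca "$WORK"
issue_cert "$WORK" fd  bacula-fd.example
issue_cert "$WORK" dir bacula-dir.example
for b in fd dir; do
  verify_chain "$WORK" $b && echo "$b.crt: chains to ca.crt, CN=$(cert_cn "$WORK/$b.crt")"
done
# A certificate not issued by the CA (a self-signed "rogue" one) must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
verify_chain "$WORK" rogue && echo "BUG: rogue.crt accepted" || echo "rogue.crt: rejected"
if handshake_check "$WORK" fd dir; then
  echo "mutual TLS handshake fd <-> dir: OK"
else
  echo "handshake check failed (or port 14443 / loopback unavailable here)"
fi
bacula_fd_director_resource fd "$(cert_cn "$WORK/dir.crt")"
```

In Bacula terms, ca.crt is the "TLS CA Certificate File" on both ends, fd.crt/fd.key are the FD's "TLS Certificate"/"TLS Key", and dir.crt/dir.key go into the Client resource of bacula-dir.conf. "TLS Verify Peer" and "TLS Allowed CN" only apply on the side being connected to, so, following the client/server explanation above, they belong in the FD's Director resource for dir -> fd, not in the director's Client resource. The rogue check is the case you want to see fail: any certificate the CA did not sign must be refused, otherwise the CA file is not doing its job. If the handshake check prints the failure line, try the s_server and s_client commands by hand without the output redirections; the verify error is printed in clear text.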
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users