2011/10/31 sabrina bomel <sabrinabo...@gmail.com>

> Hello,
>
> I've got a server on Debian Squeeze. I've put Bacula 5.0.2.
> My config is that I've put the Director, the Storage and the Console on
> the server.
> I've tested it, and it's OK. I can back up and restore clients.
> Then I wanted to secure it. So I've tried to put TLS.
> I followed this doc:
> http://www.opendoc.net/solutions/comment-sauvegarder-avec-bacula#bacula-tls
> And I followed this doc too:
> http://www.freebsddiary.org/bacula-tls.php
> And I've got this message when I type bconsole:
>
> root@SRVBACULA01:/etc/bacula# bconsole
> Connecting to Director srvbacula01.wmsc.re:9101
> TLS negotiation failed
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> for help.
>
> So I created a non-password version of the certificate, as shown on freebsddiary.
> And I've got the same message as above.
> And I looked in the log (var/log/syslog), and there are these messages:
>
> Oct 31 17:37:49 SRVBACULA01 bacula-console: bnet.c:306 TLS host certificate
> verification failed. Host name "srvbacula01.wmsc.re" did not match presented
> certificate
> Oct 31 17:37:49 SRVBACULA01 bacula-dir: bnet.c:258 TLS certificate
> verification failed. Peer certificate did not match a required commonName
>
> So I'm lost.
> I've modified my hosts file.
> I think that's my certificate. If someone has a procedure, I'll be happy.

You need to make sure that the address attribute in the client section matches the CN of the client's certificate. You also need to make sure that the name of the director machine matches the CN of its cert on the client. Then I have the following.

On Director:

Director {                            # define myself
  Name = jon-dir
  DIRport = 9101                      # where we listen for UA connections
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "jon"              # important if doing NAT or DNS doesn't return what you want
  TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
  TLS Certificate = /etc/bacula/jon-bacula-2011.pem
  TLS Key = /etc/bacula/jon-bacula-2011.key
}

Client {
  Name = jen-fd
  Address = jen
  FDPort = 9102
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
  TLS Certificate = /etc/bacula/jon-bacula-2011.pem
  TLS Key = /etc/bacula/jon-bacula-2011.key
}

On client:

Director {
  Name = jon-dir
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes               # Allow only the Director to connect
  TLS Allowed CN = "jon"              # important if doing NAT or DNS doesn't return what you want
  TLS CA Certificate File = /etc/bacula/personal-ca.pem
  TLS Certificate = /etc/bacula/jen-bacula-2011.pem
  TLS Key = /etc/bacula/jen-bacula-2011.key
}

FileDaemon {                          # this is me
  Name = jen-fd
  FDport = 9102                       # where we listen for the director
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/personal-ca.pem
  TLS Certificate = /etc/bacula/jen-bacula-2011.pem
  TLS Key = /etc/bacula/jen-bacula-2011.key
}

These are my notes on creating certificates.

Create CA:

  # only needed once
  /usr/share/ssl/misc/CA.pl -newca

Copy cacert.pem to /etc/apache2/ssl.crt and put it somewhere on the web for others to reference.

Create cert:

  /usr/share/ssl/misc/CA.pl -newreq
  (answer questions)
  /usr/share/ssl/misc/CA.pl -sign
  (enter CA passphrase, answer questions)

Cert is now signed. Now to set up for Apache, need to take the passphrase off.

  openssl rsa < newkey.pem > eggplant.key
  (enter passphrase used with -newreq)
  mv newcert.pem eggplant.pem

Now you have a cert for your host: the cert is in eggplant.crt, the key is in eggplant.key. The key has no password so you can start your service without entering a password.

If you're going through a NAT for backups, then it's more work. I've got that going too, but there are a few things that need to be modified as well.

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
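The two syslog lines in the question correspond to two separate checks: the connecting side compares the address it dialled against the name in the presented certificate, and the accepting side compares the peer's CN against its "TLS Allowed CN" list. The script below is an added example, not part of this thread and not Bacula's own code; it emulates those two checks offline so a config and a certificate's identity fields can be compared before restarting the daemons. The Client resource, the host names and the CN values are constructed for the example, and the matching rules (case-insensitive, SAN dNSName preferred over CN, only a leftmost whole-label wildcard honoured) are an approximation of typical TLS host verification, not a statement of what bnet.c does line for line.

```python
"""Pre-flight check: does the Client Address match the client's certificate,
and is the certificate's CN in the Director's TLS Allowed CN list?

Added example; approximates Bacula's checks, it is not Bacula source code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample Client resource, as it would appear in bacula-dir.conf.
# Host names and CN values are made up for this example.
SAMPLE_DIR_CONF = """
Client {
  Name = jen-fd
  Address = jen.example.internal
  FDPort = 9102
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "jen.example.internal"   # must equal the CN of the FD's cert
  TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
}
"""


@dataclass
class PeerCert:
    """Identity fields of the certificate a peer presents (constructed, not parsed from PEM)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries, if any


def parse_resource(conf: str, resource: str) -> Dict[str, List[str]]:
    """Return key -> values of the first `resource { ... }` block.

    Keys are lower-cased with whitespace collapsed ("TLS Allowed CN" -> "tls allowed cn");
    a directive given more than once yields several values.  Assumes no nested braces.
    """
    m = re.search(r"\b" + re.escape(resource) + r"\s*\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError(f"no {resource} resource found")
    out: Dict[str, List[str]] = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        out.setdefault(" ".join(key.lower().split()), []).append(value.strip().strip('"'))
    return out


def name_matches(presented: str, hostname: str) -> bool:
    """Case-insensitive match of one presented DNS name against the configured address.

    A wildcard is honoured only as the entire leftmost label and only when at least
    two labels follow it, so "*.example.internal" matches "jen.example.internal"
    but "*.internal" is refused as too broad.
    """
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert: PeerCert, hostname: str) -> bool:
    """Host verification: the dialled address must equal a SAN dNSName, or the CN
    when the certificate carries no dNSName entries."""
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches(c, hostname) for c in candidates)


def cn_allowed(cert: PeerCert, allowed: List[str]) -> bool:
    """TLS Allowed CN: an empty list accepts any CA-verified peer; otherwise the CN
    must appear in the list (exact, case-insensitive)."""
    if not allowed:
        return True
    return cert.common_name.lower() in {a.lower() for a in allowed}


def check_client(conf: str, cert: PeerCert) -> List[str]:
    """Run both checks for the Client resource; return human-readable failures (empty = OK)."""
    client = parse_resource(conf, "Client")
    address = client.get("address", [""])[0]
    allowed = client.get("tls allowed cn", [])
    problems = []
    if not cert_matches_host(cert, address):
        problems.append(f'Host name "{address}" did not match presented certificate '
                        f"(CN={cert.common_name!r}, SAN={cert.san_dns})")
    if not cn_allowed(cert, allowed):
        problems.append(f"Peer certificate CN {cert.common_name!r} is not in TLS Allowed CN {allowed}")
    return problems


if __name__ == "__main__":
    good = PeerCert(common_name="jen.example.internal")
    short = PeerCert(common_name="jen")  # a cert issued to the short host name only
    print("good cert:", check_client(SAMPLE_DIR_CONF, good) or "OK")
    for p in check_client(SAMPLE_DIR_CONF, short):
        print("FAIL:", p)
```

Running it with the short-name certificate reproduces both failure modes from the question at once: the Address does not match the presented name, and the CN is absent from the allowed list. Fixing either the Address or reissuing the certificate with the fully qualified name as CN (or as a SAN) clears both.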