Verify the keyUsage of your certs.
Try to create a cert with all usages:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
2011/11/8 Oliver Hoffmann <o...@dom.de>
> Hi all,
>
>
> it is such a hassle to get that running. Could someone guide me please?
>
> 1. What I did
>
> I made my own CA using this guide:
> https://help.ubuntu.com/community/OpenSSL
> Now I have a CA and self-signed keys. So there are server_crt.pem,
> server_key.pem and cacert.pem. The common name is always
> ba-server.some.domain. I altered the file index.txt.attr. Now it reads
> unique_subject = no.
>
> Of course I read this one:
> http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
> and then that one:
> http://www.devco.net/pubwiki/Bacula/TLS/
> which was quite helpful. I tried to have an encrypted communication
> between the director and bconsole as a first attempt but it doesn't
> work.
>
> bconsole.conf looks like:
>
> Director {
> Name = ba-server-dir
> DIRport = 9101
> address = ba-server.some.domain
> Password = "mypw"
> TLS Enable = yes
> TLS Require = yes
> TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> TLS Certificate = /etc/bacula/certs/server_crt.pem
> TLS Key = /etc/bacula/certs/server_key.pem
> }
>
> bacula-dir.conf (just the upper part):
>
> Director { # define myself
> Name = ba-server-dir
> DIRport = 9101 # where we listen for UA connections
> QueryFile = "/etc/bacula/scripts/query.sql"
> WorkingDirectory = "/var/lib/bacula"
> PidDirectory = "/var/run/bacula"
> Password = "mypw"
> Messages = Daemon
> DirAddress = ba-server.some.domain
> Heartbeat Interval = 60
> Maximum Concurrent Jobs = 20
>
> TLS Enable = yes
> TLS Require = yes
> # TLS Verify Peer = yes
> # TLS Allowed CN = "ba-server.some.domain"
> TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> TLS Certificate = /etc/bacula/certs/server_crt.pem
> TLS Key = /etc/bacula/certs/server_key.pem
> }
>
> I used TLS Verify Peer and TLS Allowed CN as well before.
>
>
> 2. What I got:
>
> Connecting to Director ba-server.some.domain:9101
> TLS negotiation failed
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation
> error during the TLS handshake. Please see
>
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> for help.
>
> In the log file I see:
>
> 08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
> certificate at depth: 0, issuer
> = /CN=ba-server.some.domain and so on....
> ERR=26:unsupported certificate purpose
>
> Thus I searched for "unsupported certificate purpose" and found out
> that nsCertType was set to "server". This means both certs have a purpose
> called "server". I made a new crt/key with "client". No success.
>
> I couldn't find out how to set nsCertType to nothing, or whether bacula is
> able to ignore such a setting.
>
> Thanks for help!
>
> Greetings,
>
> Oliver
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
--
William Felipe Welter
------------------------------
Consultor em Tecnologias Livres
william.wel...@4linux.com.br
www.4linux.com.br
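The error quoted above (ERR=26, "unsupported certificate purpose") is OpenSSL's X509_V_ERR_INVALID_PURPOSE, which OpenSSL raises from nsCertType as well as from keyUsage and extendedKeyUsage. The script below is an added example written for this page; it is not from the thread, the Ubuntu guide, or Bacula itself. It assumes an OpenSSL 1.1.1 or later CLI (where `openssl verify` exits non-zero on failure), reuses the CN, file names and the one-cert-for-both-roles layout from the post, and goes a step beyond the reply by reproducing the failure: it mints a CA plus two leaf certs, one with serverAuth and clientAuth and no nsCertType, one identical except for `nsCertType = server`, then runs the same purpose checks OpenSSL applies during the handshake, for both the server and the client role, before any daemon is pointed at the files. The config section names (`bacula`, `server_only`, `v3_ca`) and the CA subject are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not Bacula's or the thread's code. Requires openssl 1.1.1+.
# Builds a CA and a peer cert, then verifies the cert for BOTH TLS roles,
# because a Bacula daemon that accepts connections and also connects out
# presents the same cert as server and as client.
set -eu

# Minimal OpenSSL config. [bacula] is the section to actually use;
# [server_only] reproduces the reporter's nsCertType=server cert.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Usable as TLS server and TLS client; deliberately no nsCertType.
[bacula]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ba-server.some.domain
# Same cert, plus the legacy Netscape extension that limits it to "server".
[server_only]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server
subjectAltName = DNS:ba-server.some.domain
EOF
}

# make_certs DIR SECTION: writes cacert.pem, server_key.pem, server_crt.pem
# into DIR, signing the leaf with the extensions from config SECTION.
make_certs() {
  dir=$1; ext=$2
  mkdir -p "$dir"
  write_cnf "$dir/openssl.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj '/CN=Bacula Example CA' \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/openssl.cnf" \
    -subj '/CN=ba-server.some.domain' \
    -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -CAcreateserial \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -extfile "$dir/openssl.cnf" -extensions "$ext" \
    -in "$dir/server.csr" -out "$dir/server_crt.pem" 2>/dev/null
}

# check_purpose DIR PURPOSE: returns 0 if server_crt.pem chains to
# cacert.pem and is acceptable for PURPOSE (sslserver or sslclient).
# This is the same purpose logic that yields X509_V_ERR_INVALID_PURPOSE
# (error 26) during a handshake.
check_purpose() {
  if openssl verify -CAfile "$1/cacert.pem" -purpose "$2" \
       "$1/server_crt.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Prints the extensions that decide purpose, for eyeballing a cert
# produced by some other guide.
show_purposes() {
  openssl x509 -in "$1/server_crt.pem" -noout -text \
    | grep -A1 -E 'Key Usage|Netscape Cert Type'
}

demo() {
  work=$(mktemp -d)
  for ext in bacula server_only; do
    make_certs "$work/$ext" "$ext"
    for purpose in sslserver sslclient; do
      if check_purpose "$work/$ext" "$purpose"; then r=OK; else r=REJECTED; fi
      printf '%-12s %-10s %s\n' "$ext" "$purpose" "$r"
    done
  done
  rm -rf "$work"
}

demo
```

Running it prints four lines: the `bacula` cert passes both `sslserver` and `sslclient`, while the `server_only` cert passes `sslserver` and is rejected for `sslclient`, which is exactly the situation when bconsole presents such a cert to the director. The fix is therefore in the signing extensions, not in Bacula's configuration: either drop nsCertType entirely (as the `[bacula]` section does) or set it to `server, client`, and make sure extendedKeyUsage lists both serverAuth and clientAuth. Run `check_purpose` for both roles on every cert you hand to a daemon or console.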