> Verify the keyUsage of your certs..
> Try to create a cert with all usages: keyUsage = digitalSignature,
> nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
> keyCertSign, cRLSign, encipherOnly, decipherOnly
>
> 2011/11/8 Oliver Hoffmann <o...@dom.de>
>
> > Hi all,
> >
> > it is such a hassle to get that running. Could someone guide me
> > please?
> >
> > 1. What I did
> >
> > I made my own CA using this guide:
> > https://help.ubuntu.com/community/OpenSSL
> > Now I have a CA and self-signed keys. So there are server_crt.pem,
> > server_key.pem and cacert.pem. The common name is always
> > ba-server.some.domain. I altered the file index.txt.attr. Now it
> > reads unique_subject = no.
> >
> > Of course I read this one:
> > http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
> > and then that one:
> > http://www.devco.net/pubwiki/Bacula/TLS/
> > which was quite helpful. I tried to have an encrypted communication
> > between the director and bconsole as a first attempt but it doesn't
> > work.
> >
> > bconsole.conf looks like:
> >
> > Director {
> >   Name = ba-server-dir
> >   DIRport = 9101
> >   address = ba-server.some.domain
> >   Password = "mypw"
> >   TLS Enable = yes
> >   TLS Require = yes
> >   TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> >   TLS Certificate = /etc/bacula/certs/server_crt.pem
> >   TLS Key = /etc/bacula/certs/server_key.pem
> > }
> >
> > bacula-dir.conf (just the upper part):
> >
> > Director {                            # define myself
> >   Name = ba-server-dir
> >   DIRport = 9101                      # where we listen for UA connections
> >   QueryFile = "/etc/bacula/scripts/query.sql"
> >   WorkingDirectory = "/var/lib/bacula"
> >   PidDirectory = "/var/run/bacula"
> >   Password = "mypw"
> >   Messages = Daemon
> >   DirAddress = ba-server.some.domain
> >   Heartbeat Interval = 60
> >   Maximum Concurrent Jobs = 20
> >
> >   TLS Enable = yes
> >   TLS Require = yes
> >   # TLS Verify Peer = yes
> >   # TLS Allowed CN = "ba-server.some.domain"
> >   TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> >   TLS Certificate = /etc/bacula/certs/server_crt.pem
> >   TLS Key = /etc/bacula/certs/server_key.pem
> > }
> >
> > I used TLS Verify Peer and TLS Allowed CN as well before.
> >
> >
> > 2. What I got:
> >
> > Connecting to Director ba-server.some.domain:9101
> > TLS negotiation failed
> > Director authorization problem.
> > Most likely the passwords do not agree.
> > If you are using TLS, there may have been a certificate validation
> > error during the TLS handshake. Please see
> > http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> > for help.
> >
> > In the log file I see:
> >
> > 08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
> > certificate at depth: 0, issuer = /CN=ba-server.some.domain and so on....
> > ERR=26:unsupported certificate purpose
> >
> > Thus I searched for "unsupported certificate purpose" and found out
> > that nsCertType was set to "server". That means both certs have a
> > purpose called "server".
> > I made a new crt/key with "client". No success.
> >
> > I couldn't find out either how to set nsCertType to nothing or
> > whether bacula is able to ignore such a setting.
> >
> > Thanks for help!
> >
> > Greetings,
> >
> > Oliver
> >
> > _______________________________________________
> > Bacula-users mailing list
> > Bacula-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users
Thank you. After a while I figured out how to do this. Furthermore I had
"nsCertType = server" in my caconfig.cnf and commented it out. Now I see:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

With such a cert the communication bconsole <--> director finally works.

Next I tried to get the local fd talking TLS (with the same cacert, crt
and key), but:

09-Nov 18:01 ba-server-fd: Fatal Error at filed.c:556 because:
Konnte TLS context für Director nicht initialisieren "ba-server-dir" in /etc/bacula/bacula-fd.conf.

The German sentence means "Couldn't initialize TLS context for director
"ba-server-dir"."

Eventually I got it. The problem was the FQDN in the cert but not at
"FDAddress =". Hence the major issues with TLS and bacula are FQDN
confusion and purposes of certs. That's what I experienced and that's
what I found all the time while searching the web.

Cheers,

Oliver
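The two problems the thread settles on (a "server"-only certificate purpose, and a certificate name that does not match the daemon's configured address) can be caught before Bacula ever sees the cert. The script below is an added example, not from the thread or the Bacula project: it issues a leaf cert whose extensions carry both serverAuth and clientAuth and no nsCertType, puts the FQDN from the thread into subjectAltName, and checks the result with `openssl x509 -purpose` the way Oliver did. The extension file, the "Bacula test CA" subject and the throwaway directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Bacula daemons take both TLS roles
# (the director is a server to bconsole and a client to the fd/sd), so a
# cert that is usable as "server" only fails verification on the client
# side with "unsupported certificate purpose".

# check_purposes PURPOSE_TEXT
# PURPOSE_TEXT is the output of `openssl x509 -in cert.pem -noout -purpose`.
# Returns 0 only if the cert is usable as SSL client AND SSL server.
check_purposes() {
    printf '%s\n' "$1" | grep -q '^SSL client : Yes$' || return 1
    printf '%s\n' "$1" | grep -q '^SSL server : Yes$' || return 1
}

# Hypothetical extension file for the leaf cert. Note: no nsCertType line
# at all, extendedKeyUsage lists both roles, and subjectAltName carries the
# FQDN that DirAddress / FDAddress / TLS Allowed CN must agree with.
EXT_CONF='basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ba-server.some.domain'

# issue_and_check DIR: create a throwaway CA and leaf cert in DIR, then
# verify the leaf's purposes. Requires the openssl CLI.
issue_and_check() {
    d="$1"
    printf '%s\n' "$EXT_CONF" > "$d/ext.cnf"
    # Self-signed CA (constructed for the example)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" \
        -subj "/CN=Bacula test CA" >/dev/null 2>&1 || return 1
    # Leaf key + CSR with the FQDN as CN
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/server_key.pem" -out "$d/server.csr" \
        -subj "/CN=ba-server.some.domain" >/dev/null 2>&1 || return 1
    # Sign the CSR, attaching the extensions above
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -extfile "$d/ext.cnf" -out "$d/server_crt.pem" >/dev/null 2>&1 || return 1
    check_purposes "$(openssl x509 -in "$d/server_crt.pem" -noout -purpose)"
}

# Usage: issue_and_check "$(mktemp -d)" && echo "cert works as client and server"
```

Run `check_purposes` against the output of an existing cert to see which role it is missing before changing any Bacula config.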