Hello Iban! And thank you for your reply.
> I have a similar configuration. I think that the problem is in the CN:
> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>
>
> please could you show the value for DirAddress = bacula.example.org
>
> in my case:
>
> DirAddress = bacula.example.org
>
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = no
> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
> TLS Key = /etc/bacula/certs/key/bacula.key
>
>
This is my director configuration from bacula-dir.conf
Director { # define myself
Name = storage.jokefire.com
DIRport = 9101 # where we listen for UA connections
QueryFile = "/etc/bacula/query.sql"
WorkingDirectory = "/var/spool/bacula"
PidDirectory = "/var/run"
Maximum Concurrent Jobs = 1
Password = "secret" # Console password
Messages = Daemon
TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
}
I hope I got you right in that this was what you needed to know.
> Looking at the cert:
>
> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>
> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=
> bacula.example.org
>
openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=
storage.jokefire.com/emailAddress=bluethu...@gmail.com
[root@storage:~] #hostname -f
storage.jokefire.com
> The CN must be the same as the DirAddress (I did not use an email address for
> the cert signing)
>
>
It appears as if the DirAddress and the common name do agree. Might there
be something else I could have missed?
Thanks
Tim
On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cabri...@ifca.unican.es> wrote:
> Hi Tim,
> I have a similar configuration. I think that the problem is in the CN:
> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>
>
> please could you show the value for DirAddress = bacula.example.org
>
> in my case:
>
> DirAddress = bacula.example.org
>
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = no
> TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
> TLS Certificate = /etc/bacula/certs/cert/bacula.crt
> TLS Key = /etc/bacula/certs/key/bacula.key
>
> Looking at the cert:
>
> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>
> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=
> bacula.example.org
>
> The CN must be the same as the DirAddress (I did not use an email address for
> the cert signing)
>
> Regards, I
>
>
> 2013/11/27 Tim Dunphy <bluethu...@gmail.com>
>
>> Hello all,
>>
>>
>> I'm trying to add TLS encryption to my bacula setup.
>>
>>
>>
>> I've been following this guide which got me almost all of the way there:
>>
>>
>> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>>
>>
>> I modified the following sections in my bacula-dir.conf file:
>>
>>
>> Director { # define myself
>> Name = storage.jokefire.com
>> DIRport = 9101 # where we listen for UA connections
>> QueryFile = "/etc/bacula/query.sql"
>> WorkingDirectory = "/var/spool/bacula"
>> PidDirectory = "/var/run"
>> Maximum Concurrent Jobs = 1
>> Password = "secret" # Console password
>> Messages = Daemon
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> TLS Verify Peer = yes
>> }
>>
>>
>> Client {
>> Name = ops.jokefire.com
>> Address = ops.jokefire.com
>> FDPort = 9102
>> Catalog = JokefireCatalog
>> Password = "secret" # password for FileDaemon
>> File Retention = 14 days # 14 days
>> Job Retention = 14d # 14 days
>> AutoPrune = yes # Prune expired Jobs/Files
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>>
>>
>> And in my bacula-fd.conf
>>
>>
>> Director {
>> Name = storage.jokefire.com
>> Password = "secret"
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>>
>> FileDaemon { # this is me
>> Name = storage.jokefire.com
>> FDport = 9102 # where we listen for the director
>> WorkingDirectory = /var/bacula
>> Pid Directory = /var/run
>> Maximum Concurrent Jobs = 20
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>>
>> In bacula-sd.conf:
>>
>>
>> Storage { # definition of myself
>> Name = storage.jokefire.com
>> SDPort = 9103 # Director's port
>> WorkingDirectory = "/var/spool/bacula"
>> Pid Directory = "/var/run"
>> Maximum Concurrent Jobs = 20
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> TLS Verify Peer = yes
>> }
>>
>>
>> And finally in bconsole.conf:
>>
>>
>> Director {
>> Name = storage.jokefire.com
>> DIRport = 9101
>> address = storage.jokefire.com
>> Password = "secret"
>> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>> TLS Enable = yes
>> TLS Require = yes
>> }
>>
>>
>> Then I bounced the services so all seems well at this point:
>>
>>
>> [root@storage:/etc/bacula] #bounce-bacula
>> Stopping Bacula Storage services: [ OK ]
>> Starting Bacula Storage services: [ OK ]
>> Stopping Bacula File services: [ OK ]
>> Starting Bacula File services: [ OK ]
>> Stopping Bacula Director services: [ OK ]
>> Starting Bacula Director services: [ OK ]
>>
>>
>> (wrote a script to bounce all services because I'm lazy)
>>
>>
>> But when I go into bconsole I get the following (until I restore from
>> backup)
>>
>>
>> [root@storage:/etc/bacula] #bconsole
>> Connecting to Director storage.jokefire.com:9101
>> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at
>> depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
>> storage.jokefire.com/emailAddress=bluethu...@gmail.com, subject =
>> /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
>> storage.jokefire.com/emailAddress=bluethu...@gmail.com, ERR=18:self
>> signed certificate
>> TLS negotiation failed
>> Director authorization problem.
>> Most likely the passwords do not agree.
>> If you are using TLS, there may have been a certificate validation error
>> during the TLS handshake.
>> Please see
>> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000
>> for help.
>>
>>
>> I've saved my work with TLS so I'm eager to get this going. I used the
>> following guide to generating the certs, and I'm wondering if the problem
>> could possibly be in the way I generated the certs?
>>
>>
>>
>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>
>>
>> Thanks for any and all advice!
>>
>>
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>>
>>
>> _______________________________________________
>> Bacula-users mailing list
>> Bacula-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>
>>
>
>
> --
> ####################################
> Iban Cabrillo Bartolome
> Instituto de Fisica de Cantabria (IFCA)
> Santander, Spain
> Tel: +34942200969
> ####################################
> Bertrand Russell:
> *"The problem with the world is that the stupid are sure of everything and
> the intelligent are full of doubts*"
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
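The bconsole error quoted in the thread (ERR=18 at depth 0, with issuer identical to subject) and Iban's point about the CN matching the address are two separate checks that a peer performs when it is configured with TLS Verify Peer = yes: does the presented certificate chain to the configured CA file, and does its name match the address the peer was told to expect. The following Go program is an added example, not code from Bacula or from either poster. It builds a constructed CA and two constructed daemon certificates for storage.jokefire.com in memory and runs both checks over them, reproducing the failure for a self-signed daemon certificate and the pass for one actually issued by the CA. It uses Go's crypto/x509 rather than OpenSSL, so the hostname is also placed in a DNS SAN (Go matches names against SANs, not the CN); the issuer-equals-subject test is the same condition OpenSSL reports as error 18.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what a peer check of the kind Bacula does with
// "TLS Verify Peer = yes" concludes about one certificate.
type Verdict struct {
	SelfSigned bool   // subject == issuer: OpenSSL reports this as error 18 at depth 0
	ChainsToCA bool   // the certificate is signed by the configured CA certificate
	CommonName string // the CN that is compared against DirAddress / Address
	HostnameOK bool   // the name check for the expected host succeeds
}

var serial int64 // constructed, monotonically increasing serial numbers

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA creates a self-signed CA; it plays the role of rootBaculaCA.pem in the thread.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newLeaf creates a daemon certificate for host. With parent == nil it is
// self-signed, the shape that produced "ERR=18:self signed certificate";
// otherwise it is issued by the CA, which is what the daemons need.
func newLeaf(host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // Go matches the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// check verifies cert against ca, as a peer configured with that CA file would,
// and compares the certificate's name with the address the peer expects.
func check(cert, ca *x509.Certificate, expectedHost string) Verdict {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return Verdict{
		SelfSigned: bytes.Equal(cert.RawIssuer, cert.RawSubject),
		ChainsToCA: err == nil,
		CommonName: cert.Subject.CommonName,
		HostnameOK: cert.VerifyHostname(expectedHost) == nil,
	}
}

func main() {
	ca, caKey := newCA("rootBaculaCA")
	host := "storage.jokefire.com"
	fmt.Printf("self-signed leaf: %+v\n", check(newLeaf(host, nil, nil), ca, host))
	fmt.Printf("CA-issued leaf:   %+v\n", check(newLeaf(host, ca, caKey), ca, host))
	fmt.Printf("wrong address:    %+v\n", check(newLeaf(host, ca, caKey), ca, "ops.jokefire.com"))
}
```

The first line of output is the situation in the quoted error: the daemon certificate is its own issuer, so no CA file will ever make it verify, and fixing the CN alone would not help. The one-off equivalents on a real file are `openssl x509 -in <cert> -noout -subject -issuer` and `openssl verify -CAfile rootBaculaCA.pem <cert>`: if subject and issuer print the same name, the certificate was not signed by the CA, whatever the CA file contains.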