I'm running Bacula 9.06 (compiled from source with the --with-openssl option) on CentOS 7.5 and running into issues configuring TLS in our test environment. I am following the instructions from these two pages:

https://www.labeightyfour.com/2019/06/20/configure-encrypted-connections-in-bacula/
https://www.labeightyfour.com/2019/12/05/certificate-extensions-in-openssl/
My test environment consists of a server running the Director and SD (xbacdirector01-lv) as well as a CentOS 7.5 Linux client and a Windows Server 2019 client. First, I generated the keys and certificates on xbacdirector01-lv, put them in /etc/ssl, chown'd them as bacula.bacula and changed the permissions on the keys to 600. Here is how I generated things:

Configure the Certificate Authority using OpenSSL:

  openssl genrsa -out bacula_ca.key 2048
  openssl req -new -x509 -key bacula_ca.key -out bacula_ca.crt -days 365 -extensions usr_cert

Configure Keys and Certificates for the Bacula Server using OpenSSL:

  openssl req -new -newkey rsa:2048 -nodes -keyout bacula_server.key -out bacula_server.csr -days 365
  openssl x509 -req -in bacula_server.csr -CA /etc/ssl/bacula_ca.crt -CAkey /etc/ssl/bacula_ca.key -CAcreateserial -out bacula_server.crt -extensions usr_cert -days 365

Then I modified bconsole.conf to include the TLS directives. It now looks like this:

  Director {
    Name = xbacdirector01-lv.internal.shutterfly.com-dir
    DIRport = 9101
    address = xbacdirector01-lv.internal.shutterfly.com
    Password = "password"
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
  }

Next, I updated bacula-dir.conf to include the TLS directives:

  Director {                            # define myself
    Name = xbacdirector01-lv.internal.shutterfly.com-dir
    DIRport = 9101                      # where we listen for UA connections
    QueryFile = "/etc/bacula/query.sql"
    WorkingDirectory = "/var/bacula"
    PidDirectory = "/var/run"
    Maximum Concurrent Jobs = 20
    Password = "password"               # Console password
    Messages = Daemon
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
    # TLS Verify Peer = no
    TLS Allowed CN = "xbacdirector01-lv.internal.shutterfly.com"
  }

  Storage {                             # definition of myself
    Name = xbacdirector01-lv.internal.shutterfly.com-sd
    SDPort = 9103                       # Director's port
    Address = xbacdirector01-lv.internal.shutterfly.com
    Password = "password"
    Device = FileChgr1-Dev1             # Make sure this matches the bacula-sd.conf file
    MediaType = File1
    Maximum Concurrent Jobs = 20
    Autochanger = yes
    Allow Compression = yes
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
  }

  Autochanger {
    Name = File1
    # Do not use "localhost" here
    Address = xbacdirector01-lv.internal.shutterfly.com   # N.B. Use a fully qualified name here
    SDPort = 9103
    Password = "password"
    Device = FileChgr1
    Media Type = File1
    Maximum Concurrent Jobs = 10        # run up to 10 jobs at the same time
    Autochanger = File1                 # point to ourself
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
  }

I also added the TLS directives to bacula-sd.conf:

  Storage {                             # definition of myself
    Name = xbacdirector01-lv.internal.shutterfly.com-sd
    SDPort = 9103                       # Director's port
    WorkingDirectory = "/var/bacula"
    Pid Directory = "/var/run"
    Plugin Directory = "/usr/lib64"
    Maximum Concurrent Jobs = 20
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
  }

  Director {
    Name = xbacdirector01-lv.internal.shutterfly.com-dir
    Password = "password"
    TLS Enable = yes
    TLS Require = yes
    TLS CA Certificate File = /etc/ssl/bacula_ca.crt
    TLS Certificate = /etc/ssl/bacula_server.crt
    TLS Key = /etc/ssl/bacula_server.key
  }

After those changes, I bounced Bacula and tried running bconsole.
Here is the error I'm receiving:

  Connecting to Director xbacdirector01-lv.internal.shutterfly.com:9101
  bconsole: tls.c:87-0 Error with certificate at depth: 0, issuer = /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com, subject = /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com, ERR=18:self signed certificate
  31-Jul 14:41 bconsole JobId 0: Error: tls.c:87 Error with certificate at depth: 0, issuer = /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com, subject = /C=US/ST=Arizona/L=Tempe/O=Shutterfly/OU=ops-syseng/CN=xbacdirector01-lv.internal.shutterfly.com/emailAddress=t...@shutterfly.com, ERR=18:self signed certificate
  TLS negotiation failed
  Director authorization problem.
  Most likely the passwords do not agree.
  If you are using TLS, there may have been a certificate validation error during the TLS handshake.
  For help, please see http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html

I'm guessing I didn't configure the certs properly but I don't know why. I also tried creating things with the CN not being fully qualified, i.e. CN=xbacdirector01-lv. That didn't make a difference. I'm pretty green when it comes to configuring certs, so I apologize if I'm making rookie mistakes. Does anyone know what I'm doing wrong? Please let me know if you need more details of my setup and configuration.

Thanks!
--Shawn
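The following script is an added example, not part of the post above and not Bacula's own tooling. It repeats the poster's OpenSSL procedure (CA, then a CA-signed server certificate) in a throw-away directory, but gives the CA and the server certificate different subject DNs, and then runs the two checks worth doing before pointing a Bacula daemon at the files: "openssl verify" against the CA file, which is the same chain validation the TLS peer performs with "TLS CA Certificate File", and a comparison of the leaf's issuer and subject. OpenSSL's verify error 18 ("self signed certificate"), the one in the post, is what it reports when the certificate at depth 0 carries identical issuer and subject DNs and that certificate is not itself in the trust store, so the second check makes that condition visible without a daemon handshake. The hostname and organisation are constructed placeholders; WORK defaults to a mktemp directory.

```shell
#!/bin/sh
# Added example (not from the original post or from Bacula): build a CA and a
# CA-signed server certificate with DISTINCT subjects, then check the chain
# and the DNs the way a practitioner would before configuring the daemons.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-bacula-dir.example.invalid}"   # constructed placeholder FQDN
ORG="Example Backups"                        # constructed placeholder O=

# Certificate authority. Its subject must differ from every certificate it
# signs; "Example Bacula CA" is used here instead of the server's hostname.
make_ca() {
    openssl genrsa -out "$WORK/bacula_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/bacula_ca.key" -out "$WORK/bacula_ca.crt" \
        -days 365 -subj "/O=$ORG/CN=Example Bacula CA" 2>/dev/null
    chmod 600 "$WORK/bacula_ca.key"
}

# Server key + CSR, then a certificate signed by the CA. The CN is the
# daemon's FQDN, which is what "TLS Allowed CN" on the peer is matched against.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/bacula_server.key" \
        -out "$WORK/bacula_server.csr" -subj "/O=$ORG/CN=$HOST" 2>/dev/null
    openssl x509 -req -in "$WORK/bacula_server.csr" -CA "$WORK/bacula_ca.crt" \
        -CAkey "$WORK/bacula_ca.key" -CAcreateserial \
        -out "$WORK/bacula_server.crt" -days 365 2>/dev/null
    chmod 600 "$WORK/bacula_server.key"
}

# Prints OK when the server certificate chains to the CA file, i.e. the same
# validation a TLS peer configured with "TLS CA Certificate File" performs.
verify_chain() {
    if openssl verify -CAfile "$WORK/bacula_ca.crt" "$WORK/bacula_server.crt" \
        >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints "distinct" when the leaf's issuer equals the CA's subject AND the
# leaf's own subject differs from its issuer. A leaf whose issuer DN equals
# its subject DN is treated as self-signed at depth 0 and, not being in the
# trust store, is rejected with verify error 18.
subject_check() {
    ca_subj=$(openssl x509 -in "$WORK/bacula_ca.crt" -noout -subject)
    ca_subj=${ca_subj#subject=}
    leaf_subj=$(openssl x509 -in "$WORK/bacula_server.crt" -noout -subject)
    leaf_subj=${leaf_subj#subject=}
    leaf_iss=$(openssl x509 -in "$WORK/bacula_server.crt" -noout -issuer)
    leaf_iss=${leaf_iss#issuer=}
    if [ "$leaf_iss" = "$ca_subj" ] && [ "$leaf_subj" != "$leaf_iss" ]; then
        echo distinct
    else
        echo collision
    fi
}

# Stand-alone run: generate everything and report both checks.
make_ca
make_server_cert
echo "files in $WORK"
echo "chain verify: $(verify_chain)"
echo "issuer/subject: $(subject_check)"
```

Run it as-is to see both checks pass; to reproduce the failing shape, pass the same "-subj" string to both "openssl req" invocations and "subject_check" prints "collision" while "verify_chain" prints "FAIL". In a real deployment the generated files would then be moved to the paths named in the daemon configs with the ownership and 600 key permissions the post describes.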
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users