Do recent complaints about certificate chains [1] [2] also apply when a client running OpenBSD 6.8 uses a self-signed cert, and there are no intermediate certs?
Since upgrading to OpenBSD 6.8, a machine running the bacula-client backup package has been throwing "unable to get local issuer certificate" warnings. With the same certs and configuration on OpenBSD 6.7, backups ran to completion without errors or warnings. I asked previously on bacula-users [3], and was told this is something with LibreSSL 3.2.2. The two citations below are about cert chains, but the only certs here are a single self-signed root cert and a single client cert issued by that CA. Does something in the certs and/or the config need to change for this to run clean?

dn

[1] https://marc.info/?l=openbsd-misc&m=160550705202129&w=2
[2] https://marc.info/?l=libressl&m=160457839621584&w=2
[3]
> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
>
> ERR=20:"unable to get local issuer certificate"
>
> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
>
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
>
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
>
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
>
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
>
> -----
> client bacula-fd.conf
>
> Director {
>   Name = nye-dir
>   ..
>
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
>
>   # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
>
> ..
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102                  # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
>
>   TLS Require = yes
>   TLS Enable = yes
>
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
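Added example, not from the poster, Bacula or LibreSSL: the question is whether a single self-signed root plus one leaf issued by it should verify cleanly at all, and "error 20" is libssl's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, i.e. the verifier could not find the leaf's issuer in the CA file it was given. The script below builds exactly that two-cert setup in a temporary directory (all names and paths are made up for the example; it assumes openssl(1) is on PATH), then runs the same verification libssl does during the handshake twice: once against the CA file, which must say OK, and once with the CA absent from the store, which reproduces the error 20 text seen in the Bacula log. Running the two verify commands and the -purpose check against the real /etc/bacula/cacert.pem and client.pem on the 6.8 box shows whether the certs themselves, rather than Bacula, are what the new libssl rejects.

```shell
#!/bin/sh
# Reproduce "error 20: unable to get local issuer certificate" with a
# minimal self-signed CA + one leaf (example code, not Bacula's own).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue the CA and the leaf with explicit extensions: the root is marked
# CA:TRUE/keyCertSign, the leaf CA:FALSE. A "cacert.pem" lacking these is
# the first thing to compare against the real /etc/bacula/cacert.pem.
make_certs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Backup CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = client.example.com
EOF
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:client.example.com
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Same chain building libssl does on both ends of the handshake: look for
# the leaf's issuer in the CA file ($2). With $2 empty only the system
# store is consulted, so a private CA is simply not found -> error 20.
# Prints openssl's diagnostics and returns its exit status.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify "$1" 2>&1
    fi
}

# Does libssl accept this cert as a TLS CA at all? (-purpose reports the
# result of its own X509_check_ca logic, not just the literal extension.)
ca_is_ca() {
    openssl x509 -in "$1" -noout -purpose | grep -Eq 'SSL (client|server) CA *: Yes'
}

make_certs
echo "trust anchor:"; openssl x509 -in "$WORK/cacert.pem" -noout -subject -issuer
echo "leaf:";         openssl x509 -in "$WORK/client.pem" -noout -subject -issuer
echo "--- verify against the CA file (what a working config does)"
verify_leaf "$WORK/client.pem" "$WORK/cacert.pem"
echo "--- verify with the CA missing from the store (the error 20 case)"
verify_leaf "$WORK/client.pem" "" || echo "(exit status $? is expected here)"
```

Swap the two temporary paths for the real cacert.pem and client.pem to check the production certs; if the first verify fails there as well, the warning is about the certificates, and the -purpose output says whether the root is the part libssl is unhappy with.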