Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.

2009-04-22 16:18:49
Subject: Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.
From: Arno Lehmann <al AT its-lehmann DOT de>
To: "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>
Date: Wed, 22 Apr 2009 22:10:39 +0200 
Hi,

22.04.2009 15:26, Sébastien Weber wrote:
> Thx for your Quick-reply.
> But I have a certificat on www.cacert.org ( the certificat its ok, on 
> the old server certificate worked. )
> When I use, i have a error message : "Fatal error: TLS required but not 
> configured in Bacula."
> Bacula requires another package/daemon/...  (or just configuration?) to 
> use TLS certificate?
> openssl is requires just for used TLS certificate by bacula ?

You probably run a version of Bacula without openssl support (iirc, 
due to license incomaptibilities, some distros don't include ssl 
support in Bacula).

You can verify this by running 'ldd /path/to/bacula-dir'. If you see a 
reference to libssl, it's a configuration issue. If you don't see that 
reference, you'll have to use another repository to install, or 
compile yourself.

Here, for example, on a test system I see

bacula@gnom:/usr/local/demo-bacula> ldd sbin/bacula-dir  | grep ssl
         libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)

Arno

> I don't used "./configure (option)", but used "apt-get install" for 
> instal bacula :s
> doc:"/Appropriate autoconf macros have been added to detect and use 
> OpenSSL if enabled on the ./configure line with --with-openssl/"
> 
> 
> how to become your own Certificate Authority so you can create your own 
> certificates.
> That's good to know, thx :)
> 
> 
> Sébastien
> 
> Maarten Hoogveld a écrit :
>> Sorry, accidently pressed the send button before the mail was 
>> completed  (Now why didn't I look into that gmail undo-send button 
>> yesterday)
>>
>>     Hi,
>>
>>     I have instal bacula with "# apt-get install bacula" in debian linux.
>>     I have my backups that works, but is not securised with TLS...
>>     When used TLS, i have erreor message :
>>     "Fatal error: TLS required but not configured in Bacula."
>>
>>     How to use TLS ? where configure used TLS with this install ?
>>
>>
>> Hi Sébastien,
>>
>> Check out  the Bacula documentation on TLS 
>> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>. 
>> The example configs are a good start.
>> Also check out OpenSSL docs on how to become your own Certificate 
>> Authority so you can create your own certificates.
>> This may take some effort and time if you are unfarmilliar with 
>> certificates. Without the right certificates it will not work.
>> OpenSSL has some functionality with which you can check the 
>> certificates. You can create some sort of server and try to connect to 
>> it but I don't remember how that works anymore. Google for it.
>> It's important to start with the simplest solution (e.g. no TLS) and 
>> then gradually add some TLS features. (So don't start with the "TLS 
>> Allowed CN" or something like that. Add that when the plain TLS 
>> connection works.)
>> Also important to understanding what's going on is to figure out what 
>> connects to what. The part about firewalls 
>> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html> in 
>> the Bacula documentation has a small and useful overview of that. For 
>> the TLS connection the "client" is the connecting party and the server 
>> is the party being connected to. Example: When the bacula-dir connects 
>> to the bacula-fd, the bacula-dir is the client and the bacula-fd is 
>> the server. (See comments in the example configs in the Director 
>> resource of the bacula-fd config)
>>
>> I have created some scripts to create and sign my own certificates 
>> because I just can't remember the command line options for openssl. 
>> They are used in a Fedora 6 environment so you may have to change some 
>> paths to match your setup.
>> Before you can use these scripts you need:
>> - A proper openssl config file
>>  Place the file location in create.sh at the [openssl.cnf] placeholder
>> - Your self-signed root-certificate and private key
>>   Place them in their placeholders [ca.crt] and [ca.key] in the sign 
>> script
>> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and 
>> make sure they match your setup.
>> (Note: The sign script is not mine, I found it on the internet 
>> somewhere and don't remember who wrote it  so I can't give credit.)
>>
>>
>> Of course this doesn't explain TLS fully but I hope this helps a bit.
>>
>>
>> Regards,
>> Maarten Hoogveld
>>
>>
>> *create.sh* A script to create a new key-pair and a cert-sign-request.
>>
>> #!/bin/bash
>> FILE_BASE=$1
>> if [ $# -ne 1 ]; then
>>   echo "Usage: $0 <base-filename>"
>>   echo "  Creates a key-pair and csr (Certificate Signing Request)"
>>   echo "  File created are <base-filename>.key and <base-filename>.crt."
>>   exit 1
>> fi
>>
>> if [ -e ${FILE_BASE}.key ]; then
>>   echo "File ${FILE_BASE}.key already exists."
>>   echo "Exiting."
>>   exit 1;
>> fi
>>
>> openssl req -config /[openssl.cnf]/ -new -nodes -keyout 
>> ${FILE_BASE}.key -out ${FILE_BASE}.csr -days 730
>>
>> echo "Done."
>>
>>
>> *sign.sh*  A script to sign a sign-request
>>
>> #!/bin/sh
>> #   argument line handling
>> CSR=$1
>> if [ $# -ne 1 ]; then
>>   echo "Usage: ${0} <whatever>.csr"; exit 1
>> fi
>> if [ ! -f $CSR ]; then
>>   echo "CSR not found: $CSR"; exit 1
>> fi
>> case $CSR in
>>   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
>>   * ) CERT="$CSR.crt" ;;
>> esac
>> #   make sure environment exists
>> if [ ! -d ca.db.certs ]; then
>>   mkdir ca.db.certs
>> fi
>> if [ ! -f ca.db.serial ]; then
>>   echo '01' >ca.db.serial
>> fi
>> if [ ! -f ca.db.index ]; then
>>   cp /dev/null ca.db.index
>> fi
>> #   create an own SSLeay config
>> cat > ca.config <<EOT
>> [ ca ]
>> default_ca      = CA_own
>> [ CA_own ]
>> dir     = /etc/pki/CA
>> certs   = /etc/pki/CA/certs
>> new_certs_dir   = /etc/pki/CA/ca.db.certs
>> database        = /etc/pki/CA/ca.db.index
>> serial  = /etc/pki/CA/ca.db.serial
>> RANDFILE        = /etc/pki/CA/ca.db.rand
>> certificate     = /etc/pki/CA/certs//[ca.crt]/
>> private_key     = /etc/pki/CA/private//[ca.//key//]/
>> default_days    = 730
>> default_crl_days        = 30
>> default_md      = md5
>> preserve        = no
>> policy  = policy_anything
>> [ policy_anything ]
>> countryName     = optional
>> stateOrProvinceName     = optional
>> localityName    = optional
>> organizationName        = optional
>> organizationalUnitName  = optional
>> commonName      = supplied
>> emailAddress    = optional
>> EOT
>> #  sign the certificate
>> echo "CA signing: $CSR -> $CERT:"
>> openssl ca -config ca.config -out $CERT -infiles $CSR
>> echo "CA verifying: $CERT <-> CA cert"
>> openssl verify -CAfile /etc/pki/CA/certs//[ca.crt]/ $CERT
>> #  cleanup after SSLeay
>> /bin/rm -f ca.config
>> /bin/rm -f ca.db.serial.old
>> /bin/rm -f ca.db.index.old
>> #  die gracefully
>> exit 0
>>
>>
>> *export.sh*   A script to tidy up the files and put them into separate 
>> folders for archival
>>
>> #!/bin/bash
>> FILE_BASE=$1
>> if [ $# -ne 1 ]; then
>>   echo "Usage: $0 <base-filename>"
>>   echo "  If <base-filename>.key and <base-filename>.crt exist:"
>>   echo "  <base-filename>.key will be moved to ./export/private"
>>   echo "  <base-filename>.crt will be moved to ./export/certs"
>>   echo "  <base-filename>.csr will be deleted if it exists"
>>   exit 1
>> fi
>>
>> if [ ! -e ${FILE_BASE}.key ]; then
>>   echo "File ${FILE_BASE}.key does not exist!"
>>   exit 1;
>> fi
>>
>> if [ ! -e ${FILE_BASE}.crt ]; then
>>   echo "File ${FILE_BASE}.crt does not exist!"
>>   exit 1;
>> fi
>>
>> if [ ! -d export/certs ]; then
>>   echo "Destination ./export/certs does not exist. Please create this 
>> directory and try again."
>>   exit 1;
>> fi
>> if [ ! -d export/private ]; then
>>   echo "Destination ./export/private does not exist. Please create 
>> this directory and try again."
>>   exit 1;
>> fi
>>
>> mv ${FILE_BASE}.key export/private
>> chmod 0400 export/private/${FILE_BASE}.key
>>
>> mv ${FILE_BASE}.crt export/certs
>>
>> if [ -e ${FILE_BASE}.csr ]; then
>>   rm ${FILE_BASE}.csr
>> fi
>>
>> echo "Done."
>>
>>
>>
> 
> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and 
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today. 
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users

-- 
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] Make waiting job continue, Arno Lehmann
Next by Date:  Re: [Bacula-users] Bacula Plugins and ACL support, Arno Lehmann
Previous by Thread:  Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula., Sébastien Weber
Next by Thread:  Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula., Sébastien Weber
Indexes:  [Date] [Thread] [Top] [All Lists]