Hi,
24.04.2009 09:12, Sébastien Weber wrote:
>
> What should I do to get libssl.so?
Well, you either need to install Bacula from a different repository,
where they have a version configured with SSL, or you compile from
source yourself and include the SSL stuff yourself. In the latter
case, the output of './configure --help' tells you about all the
possible options, and you'll probably need openssl-devel installed
(and many other development packages, too).
Arno
> Sébastien
>
> Sébastien Weber wrote:
>> ok
>>
>> # ldd bacula-dir
>> linux-vdso.so.1 => (0x00007fff79dff000)
>> libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0x00007f1a7174f000)
>> libutil.so.1 => /lib/libutil.so.1 (0x00007f1a7154c000)
>> librt.so.1 => /lib/librt.so.1 (0x00007f1a71343000)
>> libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00007f1a710cd000)
>> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f1a70eb1000)
>> libdl.so.2 => /lib/libdl.so.2 (0x00007f1a70cad000)
>> libwrap.so.0 => /lib/libwrap.so.0 (0x00007f1a70aa4000)
>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f1a70798000)
>> libm.so.6 => /lib/libm.so.6 (0x00007f1a70515000)
>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f1a702fe000)
>> libc.so.6 => /lib/libc.so.6 (0x00007f1a6ffab000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007f1a71ac4000)
>> libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1a6fd93000)
>>
>> I don't have libssl.so ><
>>
>> Sébastien
>>
>> Arno Lehmann wrote:
>>
>>> Hi,
>>>
>>> 22.04.2009 15:26, Sébastien Weber wrote:
>>>
>>>> Thanks for your quick reply.
>>>> But I have a certificate from www.cacert.org (the certificate is OK;
>>>> it worked on the old server).
>>>> When I use it, I get an error message: "Fatal error: TLS required but
>>>> not configured in Bacula."
>>>> Does Bacula require another package/daemon/... (or just configuration?)
>>>> to use a TLS certificate?
>>>> Is openssl required just for Bacula to use a TLS certificate?
>>>>
>>> You probably run a version of Bacula without openssl support (iirc,
>>> due to license incompatibilities, some distros don't include ssl
>>> support in Bacula).
>>>
>>> You can verify this by running 'ldd /path/to/bacula-dir'. If you see
>>> a reference to libssl, it's a configuration issue. If you don't see
>>> that reference, you'll have to use another repository to install, or
>>> compile yourself.
>>>
>>> Here, for example, on a test system I see
>>>
>>> bacula@gnom:/usr/local/demo-bacula> ldd sbin/bacula-dir | grep ssl
>>> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)
>>>
>>> Arno
>>>
>>>
>>>> I didn't use "./configure (option)", but used "apt-get install" to
>>>> install bacula :s
>>>> doc: "Appropriate autoconf macros have been added to detect and use
>>>> OpenSSL if enabled on the ./configure line with --with-openssl"
>>>>
>>>>
>>>> how to become your own Certificate Authority so you can create your
>>>> own certificates.
>>>> That's good to know, thx :)
>>>>
>>>>
>>>> Sébastien
>>>>
>>>> Maarten Hoogveld wrote:
>>>>
>>>>> Sorry, accidentally pressed the send button before the mail was
>>>>> completed (Now why didn't I look into that gmail undo-send button
>>>>> yesterday)
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have installed bacula with "# apt-get install bacula" on Debian
>>>>> Linux.
>>>>> My backups work, but they are not secured with TLS...
>>>>> When I use TLS, I get the error message:
>>>>> "Fatal error: TLS required but not configured in Bacula."
>>>>>
>>>>> How do I use TLS? Where do I configure TLS with this install?
>>>>>
>>>>>
>>>>> Hi Sébastien,
>>>>>
>>>>> Check out the Bacula documentation on TLS
>>>>> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>.
>>>>> The example configs are a good start.
>>>>> Also check out OpenSSL docs on how to become your own Certificate
>>>>> Authority so you can create your own certificates.
>>>>> This may take some effort and time if you are unfamiliar with
>>>>> certificates. Without the right certificates it will not work.
>>>>> OpenSSL has some functionality with which you can check the
>>>>> certificates. You can create some sort of server and try to connect
>>>>> to it but I don't remember how that works anymore. Google for it.
>>>>> It's important to start with the simplest solution (e.g. no TLS)
>>>>> and then gradually add some TLS features. (So don't start with the
>>>>> "TLS Allowed CN" or something like that. Add that when the plain
>>>>> TLS connection works.)
>>>>> Also important for understanding what's going on is to figure out
>>>>> what connects to what. The part about firewalls
>>>>> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html>
>>>>> in the Bacula documentation has a small and useful overview of
>>>>> that. For the TLS connection the "client" is the connecting party
>>>>> and the server is the party being connected to. Example: When the
>>>>> bacula-dir connects to the bacula-fd, the bacula-dir is the client
>>>>> and the bacula-fd is the server. (See comments in the example
>>>>> configs in the Director resource of the bacula-fd config)
>>>>>
>>>>> I have created some scripts to create and sign my own certificates
>>>>> because I just can't remember the command line options for openssl.
>>>>> They are used in a Fedora 6 environment so you may have to change
>>>>> some paths to match your setup.
>>>>> Before you can use these scripts you need:
>>>>> - A proper openssl config file
>>>>>   Place the file location in create.sh at the [openssl.cnf] placeholder
>>>>> - Your self-signed root-certificate and private key
>>>>>   Place them in their placeholders [ca.crt] and [ca.key] in the
>>>>>   sign script
>>>>> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and
>>>>>   make sure they match your setup.
>>>>>   (Note: The sign script is not mine, I found it on the internet
>>>>>   somewhere and don't remember who wrote it so I can't give credit.)
>>>>>
>>>>>
>>>>> Of course this doesn't explain TLS fully but I hope this helps a bit.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Maarten Hoogveld
>>>>>
>>>>>
>>>>> *create.sh* A script to create a new key-pair and a cert-sign-request.
>>>>>
>>>>> #!/bin/bash
>>>>> # Create a new private key and a CSR (Certificate Signing Request).
>>>>> FILE_BASE=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: $0 <base-filename>"
>>>>>     echo " Creates a key-pair and csr (Certificate Signing Request)"
>>>>>     echo " Files created are <base-filename>.key and <base-filename>.csr."
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> # Never overwrite an existing private key.
>>>>> if [ -e "${FILE_BASE}.key" ]; then
>>>>>     echo "File ${FILE_BASE}.key already exists."
>>>>>     echo "Exiting."
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> # -nodes leaves the private key unencrypted on disk.
>>>>> openssl req -config "[openssl.cnf]" -new -nodes \
>>>>>     -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr" -days 730
>>>>>
>>>>> echo "Done."
>>>>>
>>>>>
>>>>> *sign.sh* A script to sign a sign-request
>>>>>
>>>>> #!/bin/sh
>>>>> # argument line handling
>>>>> CSR=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: ${0} <whatever>.csr"; exit 1
>>>>> fi
>>>>> if [ ! -f "$CSR" ]; then
>>>>>     echo "CSR not found: $CSR"; exit 1
>>>>> fi
>>>>> # derive the certificate name: foo.csr -> foo.crt, anything else -> <name>.crt
>>>>> case $CSR in
>>>>>     *.csr ) CERT="${CSR%.csr}.crt" ;;
>>>>>     * ) CERT="$CSR.crt" ;;
>>>>> esac
>>>>> # make sure environment exists (relative paths: run this from the CA
>>>>> # directory named in ca.config below)
>>>>> if [ ! -d ca.db.certs ]; then
>>>>>     mkdir ca.db.certs
>>>>> fi
>>>>> if [ ! -f ca.db.serial ]; then
>>>>>     echo '01' >ca.db.serial
>>>>> fi
>>>>> if [ ! -f ca.db.index ]; then
>>>>>     cp /dev/null ca.db.index
>>>>> fi
>>>>> # create an own SSLeay config
>>>>> cat > ca.config <<EOT
>>>>> [ ca ]
>>>>> default_ca = CA_own
>>>>> [ CA_own ]
>>>>> dir = /etc/pki/CA
>>>>> certs = /etc/pki/CA/certs
>>>>> new_certs_dir = /etc/pki/CA/ca.db.certs
>>>>> database = /etc/pki/CA/ca.db.index
>>>>> serial = /etc/pki/CA/ca.db.serial
>>>>> RANDFILE = /etc/pki/CA/ca.db.rand
>>>>> certificate = /etc/pki/CA/certs/[ca.crt]
>>>>> private_key = /etc/pki/CA/private/[ca.key]
>>>>> default_days = 730
>>>>> default_crl_days = 30
>>>>> # signature digest; MD5-signed certificates are rejected by current OpenSSL defaults
>>>>> default_md = sha256
>>>>> preserve = no
>>>>> policy = policy_anything
>>>>> [ policy_anything ]
>>>>> countryName = optional
>>>>> stateOrProvinceName = optional
>>>>> localityName = optional
>>>>> organizationName = optional
>>>>> organizationalUnitName = optional
>>>>> commonName = supplied
>>>>> emailAddress = optional
>>>>> EOT
>>>>> # sign the certificate
>>>>> echo "CA signing: $CSR -> $CERT:"
>>>>> openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
>>>>> echo "CA verifying: $CERT <-> CA cert"
>>>>> openssl verify -CAfile "/etc/pki/CA/certs/[ca.crt]" "$CERT"
>>>>> # cleanup after SSLeay
>>>>> /bin/rm -f ca.config
>>>>> /bin/rm -f ca.db.serial.old
>>>>> /bin/rm -f ca.db.index.old
>>>>> # die gracefully
>>>>> exit 0
>>>>>
>>>>>
>>>>> *export.sh* A script to tidy up the files and put them into
>>>>> separate folders for archival
>>>>>
>>>>> #!/bin/bash
>>>>> FILE_BASE=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: $0 <base-filename>"
>>>>>     echo " If <base-filename>.key and <base-filename>.crt exist:"
>>>>>     echo " <base-filename>.key will be moved to ./export/private"
>>>>>     echo " <base-filename>.crt will be moved to ./export/certs"
>>>>>     echo " <base-filename>.csr will be deleted if it exists"
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> # both the key and the signed certificate must exist
>>>>> if [ ! -e "${FILE_BASE}.key" ]; then
>>>>>     echo "File ${FILE_BASE}.key does not exist!"
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> if [ ! -e "${FILE_BASE}.crt" ]; then
>>>>>     echo "File ${FILE_BASE}.crt does not exist!"
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> # both destination directories must exist
>>>>> if [ ! -d export/certs ]; then
>>>>>     echo "Destination ./export/certs does not exist. Please create this directory and try again."
>>>>>     exit 1
>>>>> fi
>>>>> if [ ! -d export/private ]; then
>>>>>     echo "Destination ./export/private does not exist. Please create this directory and try again."
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> # move the private key and make it read-only for its owner
>>>>> mv "${FILE_BASE}.key" export/private
>>>>> chmod 0400 "export/private/${FILE_BASE}.key"
>>>>>
>>>>> mv "${FILE_BASE}.crt" export/certs
>>>>>
>>>>> # the CSR is no longer needed once the certificate is signed
>>>>> if [ -e "${FILE_BASE}.csr" ]; then
>>>>>     rm "${FILE_BASE}.csr"
>>>>> fi
>>>>>
>>>>> echo "Done."
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
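
The ldd check described in this thread, written out as a small script. This is an added example, not part of the original messages or of Bacula. The function names and verdict words are assumptions, and the sample listings are constructed, abbreviated from the two ldd outputs quoted above. It also covers two cases the thread does not mention: a static binary and a libssl reference the loader cannot resolve.

```shell
#!/bin/sh
# classify_ldd: read `ldd <binary>` output on stdin, print one verdict word.
classify_ldd() {
    awk '
        /not a dynamic executable|statically linked/ { is_static = 1 }
        $1 ~ /^libssl\.so/ {
            if ($0 ~ /=> not found/) missing = 1
            else linked = 1
        }
        END {
            if (is_static)    print "static"
            else if (missing) print "missing"
            else if (linked)  print "linked"
            else              print "not-linked"
        }'
}

# advise: map a verdict to the next step given in the thread.
advise() {
    case "$1" in
        linked)     echo "libssl is linked: the TLS error is a configuration issue" ;;
        missing)    echo "libssl is referenced but not found: repair the library install" ;;
        static)     echo "static binary: ldd cannot tell, check how it was built" ;;
        not-linked) echo "no libssl: install from another repository or rebuild with --with-openssl" ;;
    esac
}

# Constructed samples (abbreviated from the listings in the thread).
sample_no_ssl() {
    printf '\t%s\n' \
        'libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00007f1a710cd000)' \
        'libwrap.so.0 => /lib/libwrap.so.0 (0x00007f1a70aa4000)' \
        'libc.so.6 => /lib/libc.so.6 (0x00007f1a6ffab000)'
}
sample_with_ssl() {
    printf '\t%s\n' \
        'libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)' \
        'libc.so.6 => /lib/libc.so.6 (0xb7a00000)'
}

# With one argument, check a real binary, e.g. ./check.sh /usr/sbin/bacula-dir
if [ "$#" -eq 1 ]; then
    # ldd may run code from the binary it inspects; use it on trusted binaries only.
    verdict=$(ldd "$1" 2>&1 | classify_ldd)
    echo "$1: $verdict - $(advise "$verdict")"
fi
```
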