Bacula-users

Re: [Bacula-users] TLS Question

2008-08-17 03:01:54
Subject: Re: [Bacula-users] TLS Question
From: Franky Almonte <falmonte AT onemax DOT com>
To: Ryan Novosielski <novosirj AT umdnj DOT edu>
Date: Sun, 17 Aug 2008 03:01:36 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Ryan Novosielski wrote:
> I have actually used this resource to set mine up, believe it or
> not. :)
>
> However, my question is about whether or not the CN's have to match
> the DNS name. It appears as if they do. In that case, though, it is
> curious to me why some of the examples that Landon has in the
> manual have Allowed CN = bacula AT example.whatever DOT com, since no host
> name will ever have bacula@anything in it. Perhaps that was only
> for the console, which maybe does not have this restriction. Not
> sure.
Yes. Because when one of the services (director, storage or client)
contacts another service, Bacula tries to match the FQDN being used
in the communication with the CN in the certificate of the contacted
host.

So you must use the FQDN that is used to contact each host as the CN
of that host's certificate.

Hope that helps.
>
> =R
>
> Franky Almonte wrote:
>> The CN in the conf file must match the CN of the Certificate
>> used.
>
>> TLS setup is a little complicated. This link explains how to
>> setup
> TLS:
>> http://www.devco.net/pubwiki/Bacula/TLS
>
>> Note: you must create your own CA to get TLS done.
>> http://www.tc.umn.edu/~brams006/selfsign.html
>
>> Ryan Novosielski wrote:
>>> I am having an issue with Bacula TLS. I've seen some places
>>> that it's required to have the CN match the hostname. Then in
>>> various places, I see stuff like this:
>>>
>>> #
>>> # List Directors who are permitted to contact Storage daemon
>>> #
>>> Director {
>>>   Name = backup1-dir
>>>   ...
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>   # Require the connecting director to provide a certificate
>>>   # with the matching CN.
>>>   TLS Verify Peer = yes
>>>   TLS Allowed CN = "bacula AT backup1.example DOT com"
>>>   TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>>>   # This is a server certificate. It is used by the connecting
>>>   # director to verify the authenticity of this storage daemon
>>>   TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>>>   TLS Key = /usr/local/etc/ssl/backup1/key.pem
>>> }
>>>
>>> I'd prefer to use bacula AT hostname.domain DOT edu for the CN, but
>>> when I tried that, I got this error:
>>>
>>> ---
>>> 15-Aug 17:28 helios-dir JobId 0: Fatal error: TLS negotiation failed
>>> with FD at "kittatinny.umdnj.edu:9102".
>>> 15-Aug 17:28 helios-dir JobId 0: Fatal error: bnet.c:307 TLS host
>>> certificate verification failed. Host kittatinny.umdnj.edu did not
>>> match presented certificate
>>> ---
>>>
>>> Can anyone help me understand how the CN is really used here? Is it
>>> required to be the hostname? If so, where is the CNAME like the
>>> example coming from?

--
Franky Almonte
Soporte Técnico de Administración de Sistemas
Oficina 829-739-1203
Móvil     829-970-7167
Correo     falmonte AT onemax DOT com

Calle Central #100 Esq. Calle A, Zona Industrial de Herrera
Santo Domingo, 11005 República Dominicana
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIp8zPd+WQpBlbLw4RAvFtAJ9L94zHGFK6GjgvFgSZjuSiei3wlQCfVFSa
HTjVRU2APZRPmp4HeZvemRQ=
=rmvU
-----END PGP SIGNATURE-----
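Worked example, added by the editor and not taken from this thread or from Bacula's own sources: a small POSIX shell script that mints a private CA, issues a daemon certificate whose CN is the FQDN other daemons will use to reach it (the rule Franky states above), and then performs the hostname-versus-CN comparison that produced Ryan's "Host ... did not match presented certificate" error. It assumes openssl(1) is installed; the host names, file names and the extra subjectAltName entry are the editor's choices, not anything the thread specifies, and the comparison is a plain-shell imitation of the check, not Bacula's bnet.c code.

```shell
#!/bin/sh
# Added example (not from the thread or from Bacula): build a CA and a
# per-daemon certificate whose CN is the FQDN, then compare a host name
# against the CN the way the connecting daemon's verification does.
# Assumptions: openssl(1) is present; names and paths are made up.
set -eu

# Scratch directory for keys and certificates (override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR: create a self-signed CA as DIR/ca.pem and DIR/ca-key.pem.
make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -subj "/CN=Bacula Example CA" >/dev/null 2>&1
}

# make_daemon_cert DIR FQDN: issue DIR/FQDN-cert.pem and DIR/FQDN-key.pem.
# The CN is the FQDN, which is what the connecting side compares against.
# A matching subjectAltName DNS entry is added as well (assumption: useful
# for verifiers that prefer SAN over CN; harmless otherwise).
make_daemon_cert() {
    dir="$1"; fqdn="$2"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$fqdn-key.pem" -out "$dir/$fqdn.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -days 365 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn-cert.pem" >/dev/null 2>&1
}

# cert_cn CERT: print the CN from the certificate subject (works with
# both "subject= /CN=x" and "subject=CN = x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# host_matches_cert HOST CERT: exit 0 when HOST equals the certificate CN.
# This is the comparison that fails when the CN is "bacula@host" but the
# daemon was contacted as "host".
host_matches_cert() {
    [ "$1" = "$(cert_cn "$2")" ]
}

# chain_ok CERT CA: exit 0 when CERT chains to CA (what the CA file in
# "TLS CA Certificate File" is used for).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: a client daemon reached as fd.example.edu (made-up name).
make_ca "$WORK"
make_daemon_cert "$WORK" fd.example.edu
chain_ok "$WORK/fd.example.edu-cert.pem" "$WORK/ca.pem" \
    && echo "fd.example.edu certificate chains to $WORK/ca.pem"
host_matches_cert fd.example.edu "$WORK/fd.example.edu-cert.pem" \
    && echo "CN matches fd.example.edu; files are in $WORK"
```

On the daemon that accepts the connection, the same FQDN then goes into its `TLS Allowed CN` list, and `TLS CA Certificate File` points at the `ca.pem` produced here, so both directions of the check agree on one name.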


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
