Thx for your quick reply.
But I have a certificate on www.cacert.org (the certificate is OK; on
the old server the certificate worked.)
When I use it, I have an error message: "Fatal error: TLS required but not
configured in Bacula."
Does Bacula require another package/daemon/... (or just configuration?) to
use a TLS certificate?
Is openssl required just to use a TLS certificate with bacula?
I didn't use "./configure (option)", but used "apt-get install" to
install bacula :s
doc: "Appropriate autoconf macros have been added to detect and use
OpenSSL if enabled on the ./configure line with --with-openssl"
> how to become your own Certificate Authority so you can create your own
> certificates.
That's good to know, thx :)
Sébastien
Maarten Hoogveld wrote:
> Sorry, accidentally pressed the send button before the mail was
> completed (Now why didn't I look into that gmail undo-send button
> yesterday)
>
> Hi,
>
> I have installed bacula with "# apt-get install bacula" in debian linux.
> I have my backups that work, but they are not secured with TLS...
> When I use TLS, I have an error message:
> "Fatal error: TLS required but not configured in Bacula."
>
> How do I use TLS? Where do I configure TLS with this install?
>
>
> Hi Sébastien,
>
> Check out the Bacula documentation on TLS
> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>.
> The example configs are a good start.
> Also check out OpenSSL docs on how to become your own Certificate
> Authority so you can create your own certificates.
> This may take some effort and time if you are unfamiliar with
> certificates. Without the right certificates it will not work.
> OpenSSL has some functionality with which you can check the
> certificates. You can create some sort of server and try to connect to
> it but I don't remember how that works anymore. Google for it.
> It's important to start with the simplest solution (e.g. no TLS) and
> then gradually add some TLS features. (So don't start with the "TLS
> Allowed CN" or something like that. Add that when the plain TLS
> connection works.)
> Also important for understanding what's going on is to figure out what
> connects to what. The part about firewalls
> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html> in
> the Bacula documentation has a small and useful overview of that. For
> the TLS connection the "client" is the connecting party and the server
> is the party being connected to. Example: When the bacula-dir connects
> to the bacula-fd, the bacula-dir is the client and the bacula-fd is
> the server. (See comments in the example configs in the Director
> resource of the bacula-fd config)
>
> I have created some scripts to create and sign my own certificates
> because I just can't remember the command line options for openssl.
> They are used in a Fedora 6 environment so you may have to change some
> paths to match your setup.
> Before you can use these scripts you need:
> - A proper openssl config file
> Place the file location in create.sh at the [openssl.cnf] placeholder
> - Your self-signed root-certificate and private key
> Place them in their placeholders [ca.crt] and [ca.key] in the sign
> script
> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and
> make sure they match your setup.
> (Note: The sign script is not mine, I found it on the internet
> somewhere and don't remember who wrote it so I can't give credit.)
>
>
> Of course this doesn't explain TLS fully but I hope this helps a bit.
>
>
> Regards,
> Maarten Hoogveld
>
>
> *create.sh* A script to create a new key-pair and a cert-sign-request.
>
> #!/bin/bash
> FILE_BASE=$1
> if [ $# -ne 1 ]; then
>   echo "Usage: $0 <base-filename>"
>   echo "  Creates a key-pair and csr (Certificate Signing Request)"
>   echo "  Files created are <base-filename>.key and <base-filename>.csr."
>   exit 1
> fi
>
> if [ -e "${FILE_BASE}.key" ]; then
>   echo "File ${FILE_BASE}.key already exists."
>   echo "Exiting."
>   exit 1
> fi
>
> # -nodes leaves the private key unencrypted so the Bacula daemon can read it
> # unattended; the Common Name entered at the prompt is what a later
> # "TLS Allowed CN" directive will be matched against.
> openssl req -config [openssl.cnf] -new -nodes \
>   -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr" -days 730
>
> echo "Done."
>
>
> *sign.sh* A script to sign a sign-request
>
> #!/bin/sh
> # argument line handling
> CSR=$1
> if [ $# -ne 1 ]; then
>   echo "Usage: ${0} <whatever>.csr"; exit 1
> fi
> if [ ! -f "$CSR" ]; then
>   echo "CSR not found: $CSR"; exit 1
> fi
> case $CSR in
>   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr$/.crt/'`" ;;
>   * )     CERT="$CSR.crt" ;;
> esac
> # make sure environment exists (these paths are relative to the current
> # directory, so run the script from the CA dir named in the config below)
> if [ ! -d ca.db.certs ]; then
>   mkdir ca.db.certs
> fi
> if [ ! -f ca.db.serial ]; then
>   echo '01' >ca.db.serial
> fi
> if [ ! -f ca.db.index ]; then
>   cp /dev/null ca.db.index
> fi
> # create an own SSLeay config
> cat > ca.config <<EOT
> [ ca ]
> default_ca = CA_own
> [ CA_own ]
> dir = /etc/pki/CA
> certs = /etc/pki/CA/certs
> new_certs_dir = /etc/pki/CA/ca.db.certs
> database = /etc/pki/CA/ca.db.index
> serial = /etc/pki/CA/ca.db.serial
> RANDFILE = /etc/pki/CA/ca.db.rand
> certificate = /etc/pki/CA/certs/[ca.crt]
> private_key = /etc/pki/CA/private/[ca.key]
> default_days = 730
> default_crl_days = 30
> # the original used md5 here; current OpenSSL refuses MD5-signed certificates
> default_md = sha256
> preserve = no
> policy = policy_anything
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
> EOT
> # sign the certificate
> echo "CA signing: $CSR -> $CERT:"
> openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
> echo "CA verifying: $CERT <-> CA cert"
> openssl verify -CAfile /etc/pki/CA/certs/[ca.crt] "$CERT"
> # cleanup after SSLeay
> /bin/rm -f ca.config
> /bin/rm -f ca.db.serial.old
> /bin/rm -f ca.db.index.old
> # die gracefully
> exit 0
>
>
> *export.sh* A script to tidy up the files and put them into separate
> folders for archival
>
> #!/bin/bash
> FILE_BASE=$1
> if [ $# -ne 1 ]; then
>   echo "Usage: $0 <base-filename>"
>   echo "  If <base-filename>.key and <base-filename>.crt exist:"
>   echo "  <base-filename>.key will be moved to ./export/private"
>   echo "  <base-filename>.crt will be moved to ./export/certs"
>   echo "  <base-filename>.csr will be deleted if it exists"
>   exit 1
> fi
>
> if [ ! -e "${FILE_BASE}.key" ]; then
>   echo "File ${FILE_BASE}.key does not exist!"
>   exit 1
> fi
>
> if [ ! -e "${FILE_BASE}.crt" ]; then
>   echo "File ${FILE_BASE}.crt does not exist!"
>   exit 1
> fi
>
> if [ ! -d export/certs ]; then
>   echo "Destination ./export/certs does not exist. Please create this directory and try again."
>   exit 1
> fi
> if [ ! -d export/private ]; then
>   echo "Destination ./export/private does not exist. Please create this directory and try again."
>   exit 1
> fi
>
> mv "${FILE_BASE}.key" export/private
> # the private key must be readable only by the daemon's user
> chmod 0400 "export/private/${FILE_BASE}.key"
>
> mv "${FILE_BASE}.crt" export/certs
>
> if [ -e "${FILE_BASE}.csr" ]; then
>   rm "${FILE_BASE}.csr"
> fi
>
> echo "Done."
>
>
>
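As an added illustration of the client/server roles Maarten describes (not taken from either mail or from the Bacula project), here is the matching pair of resources for a Director connecting to a File Daemon, with the Director acting as TLS client and the FD as TLS server. Resource names, hostnames, passwords and certificate paths are assumed placeholders; the certificates are the ones create.sh/sign.sh/export.sh would produce.

```conf
# bacula-dir.conf (Director side: the TLS *client* when it connects to the FD)
Client {
  Name = client1-fd
  Address = client1.example.com        # assumed hostname
  FDPort = 9102
  Catalog = MyCatalog
  Password = "CHANGE-ME-fd-password"   # placeholder; must equal the FD's Director password
  TLS Enable = yes
  TLS Require = yes                    # never fall back to a cleartext session
  TLS CA Certificate File = /etc/bacula/certs/ca.crt       # the self-signed root used by sign.sh
  TLS Certificate = /etc/bacula/certs/backup1-dir.crt      # signed by that CA
  TLS Key = /etc/bacula/private/backup1-dir.key            # from create.sh, mode 0400
}

# bacula-fd.conf (File Daemon side: the TLS *server* for this connection)
Director {
  Name = backup1-dir
  Password = "CHANGE-ME-fd-password"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes                # demand and check the connecting Director's certificate
  # Step two, only once the plain TLS session works: accept just this Director's
  # certificate. The value must equal the CN entered when its CSR was created.
  # TLS Allowed CN = "backup1-dir"
  TLS CA Certificate File = /etc/bacula/certs/ca.crt
  TLS Certificate = /etc/bacula/certs/client1-fd.crt
  TLS Key = /etc/bacula/private/client1-fd.key
}
```

Every daemon pair (console to Director, Director to SD, FD to SD) needs the same kind of matching block, so enable TLS on one connection at a time and check its log before moving to the next.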
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users