Bacula-users

Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.

2009-04-24 03:19:19
Subject: Re: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.
From: Sébastien Weber <swr AT peter-holmes DOT com>
To: Arno Lehmann <al AT its-lehmann DOT de>
Date: Fri, 24 Apr 2009 09:12:11 +0200
What should I do to get libssl.so?

Sébastien

Sébastien Weber wrote:
> ok
>
> # ldd bacula-dir
>         linux-vdso.so.1 =>  (0x00007fff79dff000)
>         libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0x00007f1a7174f000)
>         libutil.so.1 => /lib/libutil.so.1 (0x00007f1a7154c000)
>         librt.so.1 => /lib/librt.so.1 (0x00007f1a71343000)
>         libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00007f1a710cd000)
>         libpthread.so.0 => /lib/libpthread.so.0 (0x00007f1a70eb1000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00007f1a70cad000)
>         libwrap.so.0 => /lib/libwrap.so.0 (0x00007f1a70aa4000)
>         libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f1a70798000)
>         libm.so.6 => /lib/libm.so.6 (0x00007f1a70515000)
>         libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f1a702fe000)
>         libc.so.6 => /lib/libc.so.6 (0x00007f1a6ffab000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f1a71ac4000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1a6fd93000)
>
> I don't have libssl.so ><
>
> Sébastien
>
> Arno Lehmann wrote:
>   
>> Hi,
>>
>> 22.04.2009 15:26, Sébastien Weber wrote:
>>   
>>     
>>> Thanks for your quick reply.
>>> But I have a certificate on www.cacert.org (the certificate is OK; on 
>>> the old server the certificate worked).
>>> When I use it, I get an error message: "Fatal error: TLS required but not 
>>> configured in Bacula."
>>> Does Bacula require another package/daemon/... (or just configuration?) to 
>>> use a TLS certificate?
>>> Is openssl required just for Bacula to use a TLS certificate?
>>>     
>>>       
>> You probably run a version of Bacula without openssl support (iirc, 
>> due to license incompatibilities, some distros don't include ssl 
>> support in Bacula).
>>
>> You can verify this by running 'ldd /path/to/bacula-dir'. If you see a 
>> reference to libssl, it's a configuration issue. If you don't see that 
>> reference, you'll have to use another repository to install, or 
>> compile yourself.
>>
>> Here, for example, on a test system I see
>>
>> bacula@gnom:/usr/local/demo-bacula> ldd sbin/bacula-dir  | grep ssl
>>          libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)
>>
>> Arno
>>
>>   
>>     
>>> I didn't use "./configure (option)", but used "apt-get install" to 
>>> install bacula :s
>>> doc: "Appropriate autoconf macros have been added to detect and use 
>>> OpenSSL if enabled on the ./configure line with --with-openssl"
>>>
>>>
>>> how to become your own Certificate Authority so you can create your own 
>>> certificates.
>>> That's good to know, thx :)
>>>
>>>
>>> Sébastien
>>>
>>> Maarten Hoogveld wrote:
>>>     
>>>       
>>>> Sorry, accidentally pressed the send button before the mail was 
>>>> completed  (Now why didn't I look into that gmail undo-send button 
>>>> yesterday)
>>>>
>>>>     Hi,
>>>>
>>>>     I have installed bacula with "# apt-get install bacula" on Debian Linux.
>>>>     My backups work, but they are not secured with TLS...
>>>>     When I use TLS, I get the error message:
>>>>     "Fatal error: TLS required but not configured in Bacula."
>>>>
>>>>     How do I use TLS? Where do I configure TLS with this install?
>>>>
>>>>
>>>> Hi Sébastien,
>>>>
>>>> Check out  the Bacula documentation on TLS 
>>>> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>. 
>>>> The example configs are a good start.
>>>> Also check out OpenSSL docs on how to become your own Certificate 
>>>> Authority so you can create your own certificates.
>>>> This may take some effort and time if you are unfamiliar with 
>>>> certificates. Without the right certificates it will not work.
>>>> OpenSSL has some functionality with which you can check the 
>>>> certificates. You can create some sort of server and try to connect to 
>>>> it but I don't remember how that works anymore. Google for it.
>>>> It's important to start with the simplest solution (e.g. no TLS) and 
>>>> then gradually add some TLS features. (So don't start with the "TLS 
>>>> Allowed CN" or something like that. Add that when the plain TLS 
>>>> connection works.)
>>>> Also important to understanding what's going on is to figure out what 
>>>> connects to what. The part about firewalls 
>>>> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html> in 
>>>> the Bacula documentation has a small and useful overview of that. For 
>>>> the TLS connection the "client" is the connecting party and the server 
>>>> is the party being connected to. Example: When the bacula-dir connects 
>>>> to the bacula-fd, the bacula-dir is the client and the bacula-fd is 
>>>> the server. (See comments in the example configs in the Director 
>>>> resource of the bacula-fd config)
>>>>
>>>> I have created some scripts to create and sign my own certificates 
>>>> because I just can't remember the command line options for openssl. 
>>>> They are used in a Fedora 6 environment so you may have to change some 
>>>> paths to match your setup.
>>>> Before you can use these scripts you need:
>>>> - A proper openssl config file
>>>>  Place the file location in create.sh at the [openssl.cnf] placeholder
>>>> - Your self-signed root-certificate and private key
>>>>   Place them in their placeholders [ca.crt] and [ca.key] in the sign 
>>>> script
>>>> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and 
>>>> make sure they match your setup.
>>>> (Note: The sign script is not mine, I found it on the internet 
>>>> somewhere and don't remember who wrote it  so I can't give credit.)
>>>>
>>>>
>>>> Of course this doesn't explain TLS fully but I hope this helps a bit.
>>>>
>>>>
>>>> Regards,
>>>> Maarten Hoogveld
>>>>
>>>>
>>>> *create.sh* A script to create a new key-pair and a cert-sign-request.
>>>>
>>>> #!/bin/bash
>>>> FILE_BASE=$1
>>>> if [ $# -ne 1 ]; then
>>>>   echo "Usage: $0 <base-filename>"
>>>>   echo "  Creates a key-pair and csr (Certificate Signing Request)"
>>>>   echo "  Files created are <base-filename>.key and <base-filename>.csr."
>>>>   exit 1
>>>> fi
>>>>
>>>> if [ -e ${FILE_BASE}.key ]; then
>>>>   echo "File ${FILE_BASE}.key already exists."
>>>>   echo "Exiting."
>>>>   exit 1;
>>>> fi
>>>>
>>>> openssl req -config [openssl.cnf] -new -nodes -keyout ${FILE_BASE}.key -out ${FILE_BASE}.csr -days 730
>>>>
>>>> echo "Done."
>>>>
>>>>
>>>> *sign.sh*  A script to sign a sign-request
>>>>
>>>> #!/bin/sh
>>>> #   argument line handling
>>>> CSR=$1
>>>> if [ $# -ne 1 ]; then
>>>>   echo "Usage: ${0} <whatever>.csr"; exit 1
>>>> fi
>>>> if [ ! -f $CSR ]; then
>>>>   echo "CSR not found: $CSR"; exit 1
>>>> fi
>>>> case $CSR in
>>>>   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
>>>>   * ) CERT="$CSR.crt" ;;
>>>> esac
>>>> #   make sure environment exists
>>>> if [ ! -d ca.db.certs ]; then
>>>>   mkdir ca.db.certs
>>>> fi
>>>> if [ ! -f ca.db.serial ]; then
>>>>   echo '01' >ca.db.serial
>>>> fi
>>>> if [ ! -f ca.db.index ]; then
>>>>   cp /dev/null ca.db.index
>>>> fi
>>>> #   create an own SSLeay config
>>>> cat > ca.config <<EOT
>>>> [ ca ]
>>>> default_ca      = CA_own
>>>> [ CA_own ]
>>>> dir     = /etc/pki/CA
>>>> certs   = /etc/pki/CA/certs
>>>> new_certs_dir   = /etc/pki/CA/ca.db.certs
>>>> database        = /etc/pki/CA/ca.db.index
>>>> serial  = /etc/pki/CA/ca.db.serial
>>>> RANDFILE        = /etc/pki/CA/ca.db.rand
>>>> certificate     = /etc/pki/CA/certs/[ca.crt]
>>>> private_key     = /etc/pki/CA/private/[ca.key]
>>>> default_days    = 730
>>>> default_crl_days        = 30
>>>> default_md      = sha256   # md5 is broken for certificate signatures
>>>> preserve        = no
>>>> policy  = policy_anything
>>>> [ policy_anything ]
>>>> countryName     = optional
>>>> stateOrProvinceName     = optional
>>>> localityName    = optional
>>>> organizationName        = optional
>>>> organizationalUnitName  = optional
>>>> commonName      = supplied
>>>> emailAddress    = optional
>>>> EOT
>>>> #  sign the certificate
>>>> echo "CA signing: $CSR -> $CERT:"
>>>> openssl ca -config ca.config -out $CERT -infiles $CSR
>>>> echo "CA verifying: $CERT <-> CA cert"
>>>> openssl verify -CAfile /etc/pki/CA/certs/[ca.crt] $CERT
>>>> #  cleanup after SSLeay
>>>> /bin/rm -f ca.config
>>>> /bin/rm -f ca.db.serial.old
>>>> /bin/rm -f ca.db.index.old
>>>> #  die gracefully
>>>> exit 0
>>>>
>>>>
>>>> *export.sh*   A script to tidy up the files and put them into separate 
>>>> folders for archival
>>>>
>>>> #!/bin/bash
>>>> FILE_BASE=$1
>>>> if [ $# -ne 1 ]; then
>>>>   echo "Usage: $0 <base-filename>"
>>>>   echo "  If <base-filename>.key and <base-filename>.crt exist:"
>>>>   echo "  <base-filename>.key will be moved to ./export/private"
>>>>   echo "  <base-filename>.crt will be moved to ./export/certs"
>>>>   echo "  <base-filename>.csr will be deleted if it exists"
>>>>   exit 1
>>>> fi
>>>>
>>>> if [ ! -e ${FILE_BASE}.key ]; then
>>>>   echo "File ${FILE_BASE}.key does not exist!"
>>>>   exit 1;
>>>> fi
>>>>
>>>> if [ ! -e ${FILE_BASE}.crt ]; then
>>>>   echo "File ${FILE_BASE}.crt does not exist!"
>>>>   exit 1;
>>>> fi
>>>>
>>>> if [ ! -d export/certs ]; then
>>>>   echo "Destination ./export/certs does not exist. Please create this directory and try again."
>>>>   exit 1;
>>>> fi
>>>> if [ ! -d export/private ]; then
>>>>   echo "Destination ./export/private does not exist. Please create this directory and try again."
>>>>   exit 1;
>>>> fi
>>>>
>>>> mv ${FILE_BASE}.key export/private
>>>> chmod 0400 export/private/${FILE_BASE}.key
>>>>
>>>> mv ${FILE_BASE}.crt export/certs
>>>>
>>>> if [ -e ${FILE_BASE}.csr ]; then
>>>>   rm ${FILE_BASE}.csr
>>>> fi
>>>>
>>>> echo "Done."
>>>>
>>>>
>>>>
>>>>       
>>>>         

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
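
Added example, not part of the original message or of Bacula itself: a small shell helper that applies the ldd check discussed in this thread and separates the outcomes it can produce. The sample listings are constructed from the two ldd outputs quoted above; the "unresolved" and "static" outcomes and both function names are assumptions that go beyond what the thread covers.

```shell
#!/bin/sh
# Added example. Reads `ldd <binary>` output on stdin and prints one state:
#   linked     libssl is referenced and the loader resolved it
#   unresolved libssl is referenced but reported "not found"
#   absent     dynamic binary with no libssl reference at all
#   static     ldd cannot list dependencies, so the check proves nothing
classify_tls_linkage() {
  awk '
    /not a dynamic executable|statically linked/ { static = 1 }
    $1 ~ /^libssl\.so/ { seen = 1; if ($0 ~ /not found/) missing = 1 }
    END {
      if (static)       print "static"
      else if (!seen)   print "absent"
      else if (missing) print "unresolved"
      else              print "linked"
    }'
}

# Map each state to a next step. "linked" and "absent" follow the advice in
# the thread; the other two are assumptions added for completeness.
tls_advice() {
  case "$1" in
    linked)     echo "OpenSSL is linked in: check the TLS directives in the Bacula configs" ;;
    absent)     echo "built without OpenSSL: install another package or rebuild with --with-openssl" ;;
    unresolved) echo "binary wants libssl but the library is missing: install the OpenSSL runtime" ;;
    static)     echo "static binary: ldd cannot tell, check the build options instead" ;;
  esac
}

# Constructed samples, abridged from the two ldd listings quoted in the thread.
sample_without_ssl() {
cat <<'EOF'
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00007f1a710cd000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00007f1a70aa4000)
        libc.so.6 => /lib/libc.so.6 (0x00007f1a6ffab000)
EOF
}
sample_with_ssl() {
cat <<'EOF'
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)
        libc.so.6 => /lib/libc.so.6 (0xb7a00000)
EOF
}

# Against a real daemon: ldd /path/to/bacula-dir 2>&1 | classify_tls_linkage
for s in sample_without_ssl sample_with_ssl; do
  state=$($s | classify_tls_linkage)
  echo "$s: $state -> $(tls_advice "$state")"
done
```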