Re: [Bacula-users] need help (step by step) for setting up certificates

2011-07-24 08:26:21
Subject: Re: [Bacula-users] need help (step by step) for setting up certificates
From: Ben Walton <bwalton AT artsci.utoronto DOT ca>
To: bacula-users <bacula-users AT lists.sourceforge DOT net>
Date: Sun, 24 Jul 2011 08:22:01 -0400
Excerpts from scar's message of Sun Jul 24 00:12:30 -0400 2011:

> so i tried adding `TLS Allowed CN = "home1"` and still get the same
> error.  however, i tried using the `-d 99` switch for bconsole and
> it reveals something helpful:

You need to make sure that this parameter exactly matches what the
certificate contains.  Maybe you didn't enter a fqdn for the CN in the
cert?  If so, the value is ok.  Otherwise, you should qualify it.

> i tried running bconsole as root so it could read the private key.
> is that necessary?  if not then can i comment out the `TLS Key`
> directive from bconsole.conf?  either way it's still not working:

Can you run this under strace?  It would be useful to see what files
bconsole is opening and stating.  The director side of this could also
be foiling you here too.  Attaching strace (or whatever is appropriate
for your platform) to the running director when you try to attach
bconsole would be good too.

The fact that you're getting a validation error makes me think it may
not be able to determine the trust chain by using the public key of
the CA you created.  Most common ssl packages are configured to look
for /usr/lib/ssl/cert.pem (a bundle of CA certs) and then
/usr/lib/ssl/certs/$hash.0 of the CA key where the hash is determined
from the server certificate.  If it's (either end) failing to see that
info, it won't be able to validate your certificate.

For example, the following strace snippets are taken from an openssl
verify command where I did not install the CA certificates:

open("/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
...
stat("/usr/lib/ssl/certs/5caed0db.0", 0x7fff15b409e0) = -1 ENOENT (No such file or directory)

The hash for my CA certificate is 5caed0db and the generation is 0.
This could be 1 or 2 or ... depending on local events and the age of
the CA key, etc.

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users