2011/10/31 sabrina bomel <sabrinabomel AT gmail DOT com>
>
> Hello,
>
> I've got a server on Debian Squeeze. I've put Bacula 5.0.2 on it.
> My config is this: I've put the Director, the Storage and the Console on
> the server.
> I've tested it, and it's OK. I can backup and restore clients.
> Then I wanted to secure it. So I've tried to put TLS on.
> I followed this doc:
> http://www.opendoc.net/solutions/comment-sauvegarder-avec-bacula#bacula-tls
> And I followed this doc too:
> http://www.freebsddiary.org/bacula-tls.php
> And I've got this message when I type bconsole:
> root@SRVBACULA01:/etc/bacula# bconsole
> Connecting to Director srvbacula01.wmsc.re:9101
> TLS negotiation failed
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> for help.
>
> So I created a non-password version of the certificate, as shown on freebsddiary.
> And I've got the same message as above.
> And I looked in the log (/var/log/syslog), and there are these messages:
> Oct 31 17:37:49 SRVBACULA01 bacula-console: bnet.c:306 TLS host certificate
> verification failed. Host name "srvbacula01.wmsc.re" did not match presented
> certificate
> Oct 31 17:37:49 SRVBACULA01 bacula-dir: bnet.c:258 TLS certificate
> verification failed. Peer certificate did not match a required commonName
>
> So I'm lost.
> I've modified my hosts file.
> I think it's my certificate. If someone has a procedure, I'll be happy.
>
You need to make sure that the address attribute in the client section
matches the CN of the client's certificate. You also need to make sure
that the name of the director machine matches the CN of its cert on
the client. Then I have the following. On Director:
Director { # define myself
Name = jon-dir
DIRport = 9101 # where we listen for UA connections
...
# TLS Security
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "jon" # important if doing NAT or DNS doesn't return what you want
TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
TLS Certificate = /etc/bacula/jon-bacula-2011.pem
TLS Key = /etc/bacula/jon-bacula-2011.key
}
Client {
Name = jen-fd
Address = jen
FDPort = 9102
...
# TLS Security
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
TLS Certificate = /etc/bacula/jon-bacula-2011.pem
TLS Key = /etc/bacula/jon-bacula-2011.key
}
On client:
Director {
Name = jon-dir
...
# TLS Security
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = "jon" # important if doing NAT or DNS doesn't return what you want
TLS CA Certificate File = /etc/bacula/personal-ca.pem
TLS Certificate = /etc/bacula/jen-bacula-2011.pem
TLS Key = /etc/bacula/jen-bacula-2011.key
}
FileDaemon { # this is me
Name = jen-fd
FDport = 9102 # where we listen for the director
...
# TLS Security
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /etc/bacula/personal-ca.pem
TLS Certificate = /etc/bacula/jen-bacula-2011.pem
TLS Key = /etc/bacula/jen-bacula-2011.key
}
These are my notes on creating certificates.
Create CA: # only needed once
/usr/share/ssl/misc/CA.pl -newca
Copy cacert.pem to /etc/apache2/ssl.crt and put it somewhere on the web for
others to reference.
Create cert:
/usr/share/ssl/misc/CA.pl -newreq
answer questions
/usr/share/ssl/misc/CA.pl -sign
Enter CA passphrase
Answer questions
Cert is now signed.
Now to set up for Apache, you need to take the passphrase off.
openssl rsa < newkey.pem > eggplant.key
Enter passphrase used with -newreq
mv newcert.pem eggplant.pem
Now you have a cert for your host: the cert is in eggplant.crt and the key is in
eggplant.key. The key has no password, so you can start your service
without entering a password.
If you're going through a NAT for backups, then it's more work. I've
got that going too, but there are a few things that need to be
modified as well.
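The two log lines in the original question ("Host name ... did not match presented certificate" and "Peer certificate did not match a required commonName") are both the result of a certificate whose CN is not the name Bacula was told to expect. The script below is an added example, not part of this thread or of Bacula itself: it builds a throwaway CA with openssl, signs host certificates with chosen CNs, and then checks the CN of each certificate against the value it would have to match in the Bacula config (the Address in a Client resource, or a TLS Allowed CN). It assumes the openssl command-line tool is installed; the CA name, host names, the Client resource fragment and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a test CA and
# host certificates, then verify that each certificate's commonName equals
# the name Bacula will compare it against. Assumes the openssl CLI exists.

WORK=$(mktemp -d)   # throwaway directory; everything below is constructed

# make_ca DIR: self-signed CA key + certificate (the "personal-ca" role).
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=personal-ca" >/dev/null 2>&1
}

# make_host_cert DIR NAME CN: key + CSR for a host, signed by the CA in DIR.
# The CN you pass here is what Bacula matches against Address / TLS Allowed CN.
make_host_cert() {
    dir=$1 name=$2 cn=$3
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" >/dev/null 2>&1
}

# cert_cn FILE: print the commonName of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# config_address TEXT: pull the Address value out of a Client resource.
# Minimal constructed parser: one "Address = value" line, optional quotes.
config_address() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p'
}

# check_cn FILE EXPECTED: returns 0 when the certificate CN equals EXPECTED,
# 1 otherwise. A mismatch here is what bnet.c logs as "did not match a
# required commonName" during the TLS handshake.
check_cn() {
    actual=$(cert_cn "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 has CN '$actual', matching '$2'"
        return 0
    fi
    echo "MISMATCH: $1 has CN '$actual', but Bacula expects '$2'" >&2
    return 1
}

# Constructed Client resource, as it would appear in bacula-dir.conf.
CLIENT_RESOURCE='Client {
  Name = jen-fd
  Address = jen
  FDPort = 9102
}'

make_ca "$WORK"
make_host_cert "$WORK" jen jen                    # CN equals the Address above
make_host_cert "$WORK" jon jon.example.internal   # CN is an FQDN, not "jon"

# The client cert matches the Address the Director will use: passes.
check_cn "$WORK/jen.pem" "$(config_address "$CLIENT_RESOURCE")"
# The director cert was issued to an FQDN but the FD expects "jon": fails,
# which is the same situation as the syslog lines in the question.
check_cn "$WORK/jon.pem" jon || echo "fix: reissue the cert with CN=jon, or set TLS Allowed CN to the FQDN"
```

Running it prints one OK line and one MISMATCH line; the second is the condition to look for when bconsole reports "TLS negotiation failed". The same `cert_cn` check can be pointed at the real `TLS Certificate` files from bacula-dir.conf and bacula-fd.conf before restarting the daemons.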