
Re: [Bacula-users] PROBLEM with BACULA TLS

2011-10-31 06:54:03
From: Jon Schewe <jpschewe AT mtu DOT net>
To: sabrina bomel <sabrinabomel AT gmail DOT com>
Date: Mon, 31 Oct 2011 05:52:16 -0500
2011/10/31 sabrina bomel <sabrinabomel AT gmail DOT com>
>
> Hello,
>
> I've got a server on Debian Squeeze. I've put Bacula 5.0.2 on it.
> My config is that I've put the Director, the Storage and the Console on
> the server.
> I've tested it, and it's OK. I can back up and restore clients.
> Then I wanted to secure it. So I've tried to put TLS on.
> I followed this doc:
> http://www.opendoc.net/solutions/comment-sauvegarder-avec-bacula#bacula-tls
> And I followed this doc too:
> http://www.freebsddiary.org/bacula-tls.php
> And I've got this message when I type bconsole:
> root@SRVBACULA01:/etc/bacula# bconsole
> Connecting to Director srvbacula01.wmsc.re:9101
> TLS negotiation failed
> Director authorization problem.
> Most likely the passwords do not agree.
> If you are using TLS, there may have been a certificate validation error during the TLS handshake.
> Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.
>
> So I created a non-password version of the certificate, as shown on freebsddiary.
> And I've got the same message as above.
> And I looked in the log (/var/log/syslog), and there are these messages:
> Oct 31 17:37:49 SRVBACULA01 bacula-console: bnet.c:306 TLS host certificate verification failed. Host name "srvbacula01.wmsc.re" did not match presented certificate
> Oct 31 17:37:49 SRVBACULA01 bacula-dir: bnet.c:258 TLS certificate verification failed. Peer certificate did not match a required commonName
>
> So I'm lost.
> I've modified my hosts file.
> I think it's my certificate. If someone has a procedure, I'll be happy.
>
You need to make sure that the address attribute in the client section
matches the CN of the client's certificate. You also need to make sure
that the name of the director machine matches the CN of its cert on
the client. Then I have the following. On Director:
Director {                            # define myself
  Name = jon-dir
  DIRport = 9101                # where we listen for UA connections
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "jon" # important if doing NAT or DNS doesn't return what you want
  TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
  TLS Certificate = /etc/bacula/jon-bacula-2011.pem
  TLS Key = /etc/bacula/jon-bacula-2011.key
}
Client {
  Name = jen-fd
  Address = jen
  FDPort = 9102
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/certs/personal-ca.pem
  TLS Certificate = /etc/bacula/jon-bacula-2011.pem
  TLS Key = /etc/bacula/jon-bacula-2011.key
}
On client:
Director {
  Name = jon-dir
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  # Allow only the Director to connect
  TLS Allowed CN = "jon" # important if doing NAT or DNS doesn't return what you want
  TLS CA Certificate File = /etc/bacula/personal-ca.pem
  TLS Certificate = /etc/bacula/jen-bacula-2011.pem
  TLS Key = /etc/bacula/jen-bacula-2011.key
}
FileDaemon {                          # this is me
  Name = jen-fd
  FDport = 9102                  # where we listen for the director
  ...
  # TLS Security
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/personal-ca.pem
  TLS Certificate = /etc/bacula/jen-bacula-2011.pem
  TLS Key = /etc/bacula/jen-bacula-2011.key
}
These are my notes on creating certificates.
Create CA: # only needed once
/usr/share/ssl/misc/CA.pl -newca
Copy cacert.pem to /etc/apache2/ssl.crt and put it somewhere on the web for
others to reference.
Create cert:
/usr/share/ssl/misc/CA.pl -newreq
answer questions
/usr/share/ssl/misc/CA.pl -sign
Enter CA passphrase
Answer questions
Cert is now signed.
Now to set up for Apache, you need to take the passphrase off.
openssl rsa < newkey.pem > eggplant.key
Enter passphrase used with -newreq
mv newcert.pem eggplant.pem
Now you have a cert for your host; the cert is in eggplant.crt and the key is in
eggplant.key. The key has no password, so you can start your service
without entering a password.

If you're going through a NAT for backups, then it's more work. I've
got that going too, but there are a few things that need to be
modified as well.
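As an added example (not code from this thread or from Bacula itself), the two name checks described above, modelled in Python: the Address a resource dials must equal the CN in the certificate presented there, and a resource with TLS Verify Peer = yes only accepts a peer whose CN is its TLS Allowed CN. The config fragment and openssl subject lines are constructed sample input; a single TLS Allowed CN value per resource is assumed.

```python
import re

def parse_resources(conf):
    """Bacula resources as (type, {key: value}); keys lower-cased, no spaces, '#' comments dropped."""
    resources, attrs = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            attrs = {}
            resources.append((line[:-1].strip(), attrs))
        elif line == "}":
            attrs = None
        elif attrs is not None and "=" in line:
            key, value = line.split("=", 1)
            attrs[key.replace(" ", "").lower()] = value.strip().strip('"')
    return resources

def subject_cn(subject):
    """CN from 'openssl x509 -noout -subject' output, '/C=US/CN=jon' or 'C = US, CN = jon'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", subject)
    return m.group(1).strip() if m else None

def address_mismatches(conf, presented):
    """Clients whose Address != CN presented there ('did not match presented certificate')."""
    bad = []
    for rtype, a in parse_resources(conf):
        if rtype == "Client" and a.get("tlsenable", "").lower() == "yes":
            cn = subject_cn(presented.get(a["address"], ""))
            if cn != a["address"]:
                bad.append((a["name"], a["address"], cn))
    return bad

def peer_allowed(conf, rtype, peer_cn):
    """With TLS Verify Peer = yes, a TLS Allowed CN (one value assumed) must equal the peer's CN."""
    for t, a in parse_resources(conf):
        if t == rtype and a.get("tlsverifypeer", "").lower() == "yes":
            return a.get("tlsallowedcn") in (None, peer_cn)
    return True

# Constructed sample input, not the poster's real files.
SAMPLE_CONF = """Director {               # define myself
  TLS Verify Peer = yes
  TLS Allowed CN = "jon"
}
Client {
  Name = jen-fd
  Address = jen
  TLS Enable = yes
}"""
SAMPLE_SUBJECTS = {"jen": "subject= /O=Home CA/CN=jen"}
```

Feed it the Director's config and, per Client Address, the subject line from `openssl s_client -connect host:9102 | openssl x509 -noout -subject`; an empty list from address_mismatches means the names line up.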
