[Bacula-users] bacula and tls. Can't get that working

From: Oliver Hoffmann <oh AT dom DOT de>
To: Bacula-users AT lists.sourceforge DOT net
Date: Tue, 8 Nov 2011 19:01:28 +0100
Hi all,

It is such a hassle to get that running. Could someone guide me please?

1. What I did

I made my own CA using this guide:
https://help.ubuntu.com/community/OpenSSL
Now I have a CA and self-signed keys. So there are server_crt.pem,
server_key.pem and cacert.pem. The common name is always
ba-server.some.domain. I altered the file index.txt.attr. Now it reads
unique_subject = no.

Of course I read this one:
http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
and then that one:
http://www.devco.net/pubwiki/Bacula/TLS/
which was quite helpful. I tried to have an encrypted communication
between the director and bconsole as a first attempt but it doesn't
work.

bconsole.conf looks like:

Director {
  Name = ba-server-dir
  DIRport = 9101
  address = ba-server.some.domain
  Password = "mypw"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}

bacula-dir.conf (just the upper part):

Director {                            # define myself
  Name = ba-server-dir
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Password = "mypw"
  Messages = Daemon
  DirAddress = ba-server.some.domain
  Heartbeat Interval = 60
  Maximum Concurrent Jobs = 20

  TLS Enable = yes
  TLS Require = yes
#  TLS Verify Peer = yes
#  TLS Allowed CN = "ba-server.some.domain"
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}

I used TLS Verify Peer and TLS Allowed CN as well before.


2. What I got:

Connecting to Director ba-server.some.domain:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation
error during the TLS handshake. Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
for help.

In the log file I see:

08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
certificate at depth: 0, issuer
= /CN=ba-server.some.domain and so on....
ERR=26:unsupported certificate purpose 

Thus I searched for "unsupported certificate purpose" and found out
that nsCertType was set to "server". That means both certs have a purpose
called "server". I made a new crt/key with "client". No success.

I couldn't find out either how to set nsCertType to nothing, or whether
bacula is able to ignore such a setting.

Thanks for help!

Greetings,

Oliver
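
ERR=26 in that log line is OpenSSL's X509_V_ERR_INVALID_PURPOSE, and `openssl verify -purpose` reproduces the same check from the shell. The script below is an added diagnostic, not part of the original post or of Bacula: it builds a throw-away CA and two constructed leaf certs (one with nsCertType = server as in the post, one with nsCertType = client, server), then reports which SSL purposes each cert passes. It assumes OpenSSL 1.1.1 or newer on PATH; all CN values and file names are demo placeholders.

```shell
#!/bin/sh
# Added diagnostic (not Bacula code): reproduce OpenSSL's certificate
# purpose check with the openssl CLI. Assumes OpenSSL 1.1.1 or newer.

# Print "client=ok|fail server=ok|fail" for a cert chained to the given CA.
# A Bacula daemon is a TLS client towards some peers and a TLS server
# towards others, so its cert must pass both checks; ERR=26 means one failed.
cert_purposes() {
  cert=$1; ca=$2; out=""
  for p in client server; do
    if openssl verify -CAfile "$ca" -purpose "ssl$p" "$cert" >/dev/null 2>&1
    then out="$out$p=ok "; else out="$out$p=fail "; fi
  done
  printf '%s\n' "${out% }"
}

# Constructed demo material in directory $1: a throw-away CA plus two leaf
# certs signed by it, server-only.pem (nsCertType = server, as in the post)
# and both.pem (nsCertType = client, server). Returns non-zero on failure.
make_demo_certs() {
  dir=$1
  # Minimal req config so the result does not depend on the system openssl.cnf.
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n' > "$dir/req.cnf"
  printf '[dn]\nCN = placeholder\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\n' >> "$dir/req.cnf"
  printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=demo-ca -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=ba-server.some.domain -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    >/dev/null 2>&1 || return 1
  printf 'nsCertType = server\n' > "$dir/server-only.ext"
  printf 'nsCertType = client, server\n' > "$dir/both.ext"
  for n in server-only both; do
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -extfile "$dir/$n.ext" -out "$dir/$n.pem" \
      >/dev/null 2>&1 || return 1
  done
}

# Stand-alone driver: build the demo certs and report on each of them.
main() {
  d=$(mktemp -d) || return 1
  make_demo_certs "$d" || { echo "cert generation failed (openssl >= 1.1.1 needed)" >&2; return 1; }
  for n in server-only both; do
    printf '%-16s %s\n' "$n.pem" "$(cert_purposes "$d/$n.pem" "$d/ca.pem")"
  done
  rm -rf "$d"
}
main
```

The server-only cert fails the sslclient check (the bconsole side of the handshake), while the cert carrying both purposes passes both; a cert with no nsCertType extension at all passes both as well.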
