Re: [Bacula-users] bacula and tls. Can't get that working
2011-11-08 14:29:07
Verify the keyUsage of your certs. Try to create a cert with all usages: keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
2011/11/8 Oliver Hoffmann <oh AT dom DOT de>
Hi all,
it is such a hassle to get that running. Could someone guide me please?
1. What I did
I made my own CA using this guide:
https://help.ubuntu.com/community/OpenSSL
Now I have a CA and self-signed keys. So there are server_crt.pem,
server_key.pem and cacert.pem. The common name is always
ba-server.some.domain. I altered the file index.txt.attr. Now it reads
unique_subject = no.
Of course I read this one:
http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
and then that one:
http://www.devco.net/pubwiki/Bacula/TLS/
which was quite helpful. I tried to have an encrypted communication
between the director and bconsole as a first attempt but it doesn't
work.
bconsole.conf looks like:
Director {
  Name = ba-server-dir
  DIRport = 9101
  address = ba-server.some.domain
  Password = "mypw"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}
bacula-dir.conf (just the upper part):
Director { # define myself
  Name = ba-server-dir
  DIRport = 9101 # where we listen for UA connections
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Password = "mypw"
  Messages = Daemon
  DirAddress = ba-server.some.domain
  Heartbeat Interval = 60
  Maximum Concurrent Jobs = 20
  TLS Enable = yes
  TLS Require = yes
  # TLS Verify Peer = yes
  # TLS Allowed CN = "ba-server.some.domain"
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
  TLS Certificate = /etc/bacula/certs/server_crt.pem
  TLS Key = /etc/bacula/certs/server_key.pem
}
I used TLS Verify Peer and TLS Allowed CN as well before.
2. What I got:
Connecting to Director ba-server.some.domain:9101
TLS negotiation failed
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation
error during the TLS handshake. Please see
http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
for help.
In the log file I see:
08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /CN=ba-server.some.domain and so on....
ERR=26:unsupported certificate purpose
Thus I searched for "unsupported certificate purpose" and found out
that nsCertType was set to "server". That means both certs have a purpose
called "server". I made a new crt/key with "client". No success.
I couldn't find out either how to set nsCertType to nothing, or whether bacula is
able to ignore such a setting.
Thanks for help!
Greetings,
Oliver
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
--
William Felipe Welter
Consultant in Free Technologies
william.welter AT 4linux.com DOT br
www.4linux.com.br
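As an added example (not code from this thread, the Ubuntu guide, or the Bacula project), the script below reproduces the purpose failure with an nsCertType = server certificate and then issues one whose keyUsage and extendedKeyUsage cover both the server and client role, which is the shape a Bacula daemon needs since it acts as both sides of a TLS connection. It goes slightly beyond the reply by using extendedKeyUsage instead of the full keyUsage list; the CA name, working directory and file names are constructed for this example.

```shell
#!/bin/sh
# Added example: compare a cert restricted by nsCertType=server with one that is
# valid for both sslserver and sslclient purposes. Everything lives in a temp dir.
set -eu
WORK="$(mktemp -d)"

# Minimal OpenSSL config: an empty DN section (subjects come from -subj) plus
# three extension profiles: the CA, the failing cert, and the fixed cert.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
[ dual ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test CA" \
    -config "$WORK/openssl.cnf" -extensions ca \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# $1 = extension section to apply, $2 = output basename (constructed names)
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ba-server.some.domain" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/${2}_key.pem" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 825 -extfile "$WORK/openssl.cnf" -extensions "$1" \
    -out "$WORK/${2}_crt.pem" 2>/dev/null
}

# Exit status 0 when the cert passes OpenSSL's check for purpose $1 (sslserver or
# sslclient) for cert $2; a failure here is the "unsupported certificate purpose"
# (error 26) that Bacula's tls.c reports during the handshake.
check_purpose() {
  openssl verify -purpose "$1" -CAfile "$WORK/cacert.pem" "$WORK/${2}_crt.pem" >/dev/null 2>&1
}

make_ca
issue_cert server_only old    # mirrors the nsCertType=server cert from the thread
issue_cert dual fixed         # no nsCertType; EKU covers both roles
```

Run `check_purpose sslclient old` and `check_purpose sslclient fixed` to see the first fail and the second pass; only the fixed cert works when the daemon connects outward as a client.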