Bacula-users

Re: [Bacula-users] bacula and tls. Can't get that working

2011-11-11 12:28:58
Subject: Re: [Bacula-users] bacula and tls. Can't get that working
From: Oliver Hoffmann <oh AT dom DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Fri, 11 Nov 2011 18:27:21 +0100
> Verify the keyUsage of your certs..
> Try to create a cert with all usages: keyUsage = digitalSignature,
> nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
> keyCertSign, cRLSign, encipherOnly, decipherOnly
> 
> 2011/11/8 Oliver Hoffmann <oh AT dom DOT de>
> 
> > Hi all,
> >
> >
> > it is such a hassle to get that running. Could someone guide me
> > please?
> >
> > 1. What I did
> >
> > I made my own CA using this guide:
> > https://help.ubuntu.com/community/OpenSSL
> > Now I have a CA and self-signed keys. So there are server_crt.pem,
> > server_key.pem and cacert.pem. The common name is always
> > ba-server.some.domain. I altered the file index.txt.attr. Now it
> > reads unique_subject = no.
> >
> > Of course I read this one:
> > http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
> > and then that one:
> > http://www.devco.net/pubwiki/Bacula/TLS/
> > which was quite helpful. I tried to have an encrypted communication
> > between the director and bconsole as a first attempt but it doesn't
> > work.
> >
> > bconsole.conf looks like:
> >
> > Director {
> >  Name = ba-server-dir
> >  DIRport = 9101
> >  address = ba-server.some.domain
> >  Password = "mypw"
> >  TLS Enable = yes
> >  TLS Require = yes
> >  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> >  TLS Certificate = /etc/bacula/certs/server_crt.pem
> >  TLS Key = /etc/bacula/certs/server_key.pem
> > }
> >
> > bacula-dir.conf (just the upper part):
> >
> > Director {                            # define myself
> >  Name = ba-server-dir
> >  DIRport = 9101                # where we listen for UA connections
> >  QueryFile = "/etc/bacula/scripts/query.sql"
> >  WorkingDirectory = "/var/lib/bacula"
> >  PidDirectory = "/var/run/bacula"
> >  Password = "mypw"
> >  Messages = Daemon
> >  DirAddress = ba-server.some.domain
> >  Heartbeat Interval = 60
> >  Maximum Concurrent Jobs = 20
> >
> >  TLS Enable = yes
> >  TLS Require = yes
> > #  TLS Verify Peer = yes
> > #  TLS Allowed CN = "ba-server.some.domain"
> >  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
> >  TLS Certificate = /etc/bacula/certs/server_crt.pem
> >  TLS Key = /etc/bacula/certs/server_key.pem
> > }
> >
> > I used TLS Verify Peer and TLS Allowed CN as well before.
> >
> >
> > 2. What I got:
> >
> > Connecting to Director ba-server.some.domain:9101
> > TLS negotiation failed
> > Director authorization problem.
> > Most likely the passwords do not agree.
> > If you are using TLS, there may have been a certificate validation
> > error during the TLS handshake. Please see
> >
> > http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000
> > for help.
> >
> > In the log file I see:
> >
> > 08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with
> > certificate at depth: 0, issuer
> > = /CN=ba-server.some.domain and so on....
> > ERR=26:unsupported certificate purpose
> >
> > Thus I searched for "unsupported certificate purpose" and found out
> > that nsCertType was set to "server". That means both certs have a
> > purpose called "server". I made a new crt/key with "client". No success.
> >
> > I couldn't find out either how to set nsCertType to nothing or whether
> > bacula is able to ignore such a setting.
> >
> > Thanks for help!
> >
> > Greetings,
> >
> > Oliver
> >
> > ------------------------------------------------------------------------------
> > RSA(R) Conference 2012
> > Save $700 by Nov 18
> > Register now
> > http://p.sf.net/sfu/rsa-sfdev2dev1
> > _______________________________________________
> > Bacula-users mailing list
> > Bacula-users AT lists.sourceforge DOT net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users
> >
> 

Thank you. After a while I figured out how to do this. Furthermore I
had "nsCertType = server" in my caconfig.cnf and commented it out. Now I
see:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

With such a cert the communication bconsole <--> director finally
works.

Next I tried to get the local fd talking TLS (with the same cacert, crt
and key), but:

09-Nov 18:01 ba-server-fd: Fatal Error at filed.c:556 because:
Konnte TLS context für Director nicht initialisieren "ba-server-dir"
in /etc/bacula/bacula-fd.conf.

The German sentence means "Couldn't initialize TLS context for director
"ba-server-dir"."

Eventually I got it. The problem was that the FQDN was in the cert but
not in "FDAddress =".

Hence the major issues with TLS and bacula are FQDN confusion and
purposes of certs. That's what I experienced and that's what I found
all the time while searching the web.

Cheers,

Oliver
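The two failure modes described in this thread (a certificate whose nsCertType/keyUsage only allows the server role, and a certificate whose name does not match the address configured on the other side) can both be caught with the openssl CLI before the files are referenced from bacula-dir.conf, bacula-fd.conf or bconsole.conf. The script below is an added example, not code from the thread or from the Bacula project: it builds a throw-away CA and a daemon certificate in a scratch directory, once with an extension section usable for both TLS roles and once with the `nsCertType = server` setting that caused the "unsupported certificate purpose" error, and checks each with `openssl verify -purpose` and `openssl x509 -checkhost`. The hostname `ba-server.example.test`, the section names and the scratch paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a test CA plus one daemon cert that
# OpenSSL accepts for BOTH TLS roles (bacula-fd answers the director, bconsole
# connects to it, so one cert often has to act as client and as server), then
# check purposes and the name before the files go into bacula-*.conf.
# Assumptions: the openssl CLI is on PATH; hostnames and paths are placeholders.
set -eu

# Write an OpenSSL config with a CA section and two leaf sections:
#   daemon_ext      - no nsCertType, EKU serverAuth+clientAuth (usable both ways)
#   server_only_ext - nsCertType = server, the setting the thread found in
#                     caconfig.cnf, which makes the cert unusable as a client
write_openssl_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ daemon_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2
[ server_only_ext ]
basicConstraints = CA:FALSE
nsCertType = server
subjectAltName = DNS:$2
EOF
}

# make_bacula_certs DIR HOST SECTION: CA plus daemon cert/key in DIR, with the
# leaf extensions taken from SECTION (daemon_ext or server_only_ext).
make_bacula_certs() {
    dir=$1; host=$2; section=$3
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf" "$host"
    # self-signed CA (basicConstraints CA:TRUE, keyCertSign)
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days 365 -config "$dir/openssl.cnf" \
        -subj "/CN=Bacula Test CA" -extensions ca_ext >/dev/null 2>&1
    # daemon key and CSR, CN taken from the [dn] section
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server_key.pem" \
        -out "$dir/server.csr" -config "$dir/openssl.cnf" >/dev/null 2>&1
    # sign the CSR with the CA, applying the chosen extension section
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/openssl.cnf" -extensions "$section" \
        -out "$dir/server_crt.pem" >/dev/null 2>&1
}

# check_bacula_cert DIR HOST: prints "ok" and returns 0 when the cert chains to
# the CA for both the sslserver and sslclient purposes and names HOST; otherwise
# prints which of the thread's two failure modes applies and returns 1.
check_bacula_cert() {
    dir=$1; host=$2
    for purpose in sslserver sslclient; do
        openssl verify -CAfile "$dir/cacert.pem" -purpose "$purpose" \
            "$dir/server_crt.pem" 2>/dev/null | grep -q ': OK$' \
            || { echo "rejected for purpose $purpose (Bacula logs this as ERR=26 unsupported certificate purpose)"; return 1; }
    done
    openssl x509 -in "$dir/server_crt.pem" -noout -checkhost "$host" \
        | grep -q 'does match' \
        || { echo "certificate does not match address $host (compare DirAddress/FDAddress/Address)"; return 1; }
    echo ok
}

# Stand-alone demo in a scratch directory; skipped when openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_bacula_certs "$tmp/good" ba-server.example.test daemon_ext
    printf 'daemon_ext:      %s\n' "$(check_bacula_cert "$tmp/good" ba-server.example.test)"
    make_bacula_certs "$tmp/bad" ba-server.example.test server_only_ext
    printf 'server_only_ext: %s\n' "$(check_bacula_cert "$tmp/bad" ba-server.example.test || true)"
    rm -rf "$tmp"
fi
```

The check runs `openssl verify` once per purpose because OpenSSL, like the Bacula daemon in the log above, rejects a certificate for the sslclient role when nsCertType names only `server`; the `daemon_ext` section avoids this by not setting nsCertType at all and listing both serverAuth and clientAuth. The `-checkhost` step is the FQDN half of the thread: the name it is given should be exactly the value the connecting side will put in its Address/DIRport or FDAddress directive.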