Alright, continuing with the "cacert-track".

I changed the master cert to

/etc/ssl/certs/cacert.org.pem

and got:

08-Mar 15:55 bconsole:  Fatal error: bnet.c:502 TLS host certificate verification failed. Host xxxxx did not match presented certificate
TLS negotiation failed
Director authorization problem.


Then I changed the address directive to equal the CN in the cert
and I'm in (=
Thanks Dan!

Now I can use bconsole over TLS.

But, when I start a job with 'run' and select one I get:

08-Mar 16:12 xxxxx-dir: xxxxx.2006-03-08_16.12.42 Fatal error: Authorization problem: Remote server requires TLS.

This tells me that the director cannot use TLS when it's contacting the filedaemon (fd), but bacula-dir.conf looks like:

Director {                            # define myself
  Name = xxxxx-dir
....
  TLS Enable = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
     # This is a server certificate, used for incoming
     # console connections.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}


and bacula-fd.conf:

# List Directors who are permitted to contact this File daemon
#
Director {
  Name = xxxxx-dir
.....

  TLS Require = yes
  TLS Verify Peer = no
     # Allow only the Director to connect
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
     # This is a server certificate. It is used by connecting
     # directors to verify the authenticity of this file daemon
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}


So the director should be able to TLS, and the fd should let the director in, no?


Dan Langille wrote:
On 8 Mar 2006 at 15:30, Andreas Aronsson wrote:

  
Hello!

I'm new to this list, but I've got a lot of time invested in this. Any 
pointers much appreciated...
I'm trying to get bacula to work using TLS.
Running Gentoo Linux.
I have started out trying to back up the same host as the one the 
director's residing on, i.e. dir, sd and fd on the same host.
All is dandy with an ordinary setup (no TLS).
Bacula version 1.38.5

Relevant config as follows (tried to follow
http://sourceforge.net/mailarchive/forum.php?thread_id=8938828&forum_id=8650 ):

/////////// start config files

bconsole.conf:
Director {
  Name = xxxxx-dir
    ....
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/master.cert

  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-dir.conf:
Director {                            # define myself
  Name = xxxxx-dir
    ....
  TLS Enable = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
#      # This is a server certificate, used for incoming
#      # console connections.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}
.....
Client {
  Name = xxxxx-fd
  Address = this.example.cxx
....
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/master.cert
     # This is a client certificate, used by the director to
     # connect to the remote file daemon.
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-fd.conf:
Director {
  Name = xxxxx-dir
.....

  TLS Require = yes
  TLS Verify Peer = yes
     # Allow only the Director to connect
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
     # This is a server certificate. It is used by connecting
     # directors to verify the authenticity of this file daemon

In my case, the above certificiate is the root cert for cacert.org.  
Is that what you are using here?

  
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}

bacula-sd.conf:

Storage {                             # definition of myself
  Name = xxxxx-sd
.....
     # These TLS configuration options are used for incoming
     # file daemon connections. Director TLS settings are handled
     # below.
  TLS Enable = yes
     # Peer certificate is not required/requested -- peer validity
     # is verified by the storage connection cookie provided to the
     # File Daemon by the director.
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/master.cert
     # This is a server certificate. It is used by connecting
     # file daemons to verify the authenticity of this storage daemon
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxx/key.pem
}

.....

Director {
  Name = xxxxx-dir
.....
  TLS Require = yes
#      # Require the connecting director to provide a certificate
#      # with the matching CN.
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/bacula/master.cert
#      # This is a server certificate. It is used by the connecting
#      # director to verify the authenticity of this storage daemon
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}


///////////  end config files

# Now, I've tried with a bought and paid for cert and I get this error 
message at bconsole:

08-Mar 15:03 bconsole: ERROR in tls.c:107 Error with certificate at 
depth: 0, issuer =xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxx ERR=20:unable to get local issuer certificate
08-Mar 15:03 bconsole: ERROR in tls.c:83 Connect failure: 
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed
TLS negotiation failed

#  I have tried with a cacert.org certificate:

08-Mar 15:22 bconsole: ERROR in tls.c:107 Error with certificate at 
depth: 0, issuer = /O=Root CA/OU=http://www.cacert.org/CN=CA Cert 
Signing Authority/[EMAIL PROTECTED], subject = 
/CN=this.example.cxx, ERR=20:unable to get local issuer certificate
08-Mar 15:22 bconsole: ERROR in tls.c:83 Connect failure: 
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed
    

I think this means you don't have the certificate of the issuer 
available.  This would be used to validate the certificate being 
presented.

  
# I have also tried with selfsigned certs, one for each daemon according 
to these instructions:
# 
http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html

08-Mar 15:26 bconsole: ERROR in tls.c:107 Error with certificate at 
depth: 0, issuer = 
/C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED], 
subject = 
/C=SE/ST=VG/L=GBG/O=Priv/CN=this.example.cxx/[EMAIL PROTECTED], 
ERR=18:self signed certificate
08-Mar 15:26 bconsole: ERROR in tls.c:83 Connect failure: 
ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed
    


  

-- 
Andreas Aronsson
Mobil: +46 704 566 595
www.aron.nu

"I'd rather have friends who care than friends who agree with me."
- Arlo Guthrie
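An added example, not part of this thread and not Bacula's own code: a small Python lint that parses flat Bacula resources and flags the TLS inconsistencies visible in the configs quoted above. The sample resource is constructed to resemble the posted bacula-fd.conf Director resource (placeholder password, not anyone's real file). The first three rules follow the Bacula TLS documentation: TLS Require is ignored unless TLS Enable = yes is set in the same resource, TLS Allowed CN is only enforced when TLS Verify Peer = yes, and TLS Verify Peer = yes needs a TLS CA Certificate File or TLS CA Certificate Dir. The fourth rule (certificate and key set together) is my own sanity check, not a documented requirement.

```python
"""Lint Bacula TLS directives for the inconsistencies seen in this thread.

Added example, not Bacula's own code. Rules encoded (from the Bacula TLS docs):
  * TLS Require = yes is ignored unless TLS Enable = yes in the same resource.
  * TLS Allowed CN is only enforced when TLS Verify Peer = yes.
  * TLS Verify Peer = yes needs a TLS CA Certificate File or Dir.
Plus one assumption of mine: TLS Certificate and TLS Key should be set together.
"""
import re

# Constructed sample modelled on the posted bacula-fd.conf Director resource
# (not the thread's real file; the password is a placeholder).
SAMPLE_FD_CONF = """
# List Directors who are permitted to contact this File daemon
Director {
  Name = xxxxx-dir
  Password = "placeholder-password"
  TLS Require = yes
  TLS Verify Peer = no
     # Allow only the Director to connect
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}
"""

# The same constructed resource with both problems corrected.
FIXED_FD_CONF = """
Director {
  Name = xxxxx-dir
  Password = "placeholder-password"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "this.example.cxx"
  TLS CA Certificate File = /etc/ssl/certs/cacert.org.pem
  TLS Certificate = /etc/ssl/xxxxx/cert.pem
  TLS Key = /etc/ssl/xxxxx/key.pem
}
"""

RESOURCE_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)


def parse_resources(text):
    """Return [(resource_type, {directive_lower: value})] for flat Bacula resources.

    Full-line and trailing '#' comments are dropped and surrounding quotes are
    stripped from values. Nested resources are not handled; none are needed
    for the TLS directives this lint looks at.
    """
    resources = []
    for match in RESOURCE_RE.finditer(text):
        rtype, body = match.group(1), match.group(2)
        directives = {}
        for raw in body.splitlines():
            line = re.sub(r"(^|\s)#.*$", "", raw).strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        resources.append((rtype, directives))
    return resources


def is_yes(directives, key):
    """Bacula accepts yes/no style booleans; anything unset counts as no."""
    return directives.get(key, "no").lower() in ("yes", "true", "on", "1")


def lint_tls(resources):
    """Return a list of (resource_label, problem) for every TLS inconsistency."""
    findings = []
    for rtype, d in resources:
        if not any(k.startswith("tls ") for k in d):
            continue  # resource does not use TLS at all
        label = "%s %s" % (rtype, d.get("name", "?"))
        if is_yes(d, "tls require") and not is_yes(d, "tls enable"):
            findings.append((label, "TLS Require = yes is ignored without TLS Enable = yes; "
                                    "the daemon will offer plain connections"))
        if "tls allowed cn" in d and not is_yes(d, "tls verify peer"):
            findings.append((label, "TLS Allowed CN is only enforced when TLS Verify Peer = yes"))
        if is_yes(d, "tls verify peer") and not (
                "tls ca certificate file" in d or "tls ca certificate dir" in d):
            findings.append((label, "TLS Verify Peer = yes needs TLS CA Certificate File or Dir"))
        if is_yes(d, "tls enable") and (("tls certificate" in d) != ("tls key" in d)):
            findings.append((label, "TLS Certificate and TLS Key should be set together"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse a config string and lint it."""
    return lint_tls(parse_resources(text))


if __name__ == "__main__":
    for conf in (SAMPLE_FD_CONF, FIXED_FD_CONF):
        problems = lint_text(conf)
        for label, problem in problems or [("-", "no TLS problems found")]:
            print("%s: %s" % (label, problem))
```

Run over the resources quoted in this thread, the first rule fires on every resource that sets TLS Require without TLS Enable (bconsole.conf, the Client resource in bacula-dir.conf, and the Director resources in bacula-fd.conf and bacula-sd.conf), and the second fires on the bacula-fd.conf Director resource that combines TLS Allowed CN with TLS Verify Peer = no. The lint says nothing about whether the certificate chain is valid; that is the separate question behind the "unable to get local issuer certificate" and "self signed certificate" errors, and `openssl verify -CAfile <TLS CA Certificate File> <TLS Certificate>` answers it before any daemon is restarted.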
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
