Hi all,
it is such a hassle to get that running. Could someone guide me please?

1. What I did

I made my own CA using this guide:
https://help.ubuntu.com/community/OpenSSL

Now I have a CA and self-signed keys. So there are server_crt.pem, server_key.pem and cacert.pem. The common name is always ba-server.some.domain. I altered the file index.txt.attr. Now it reads unique_subject = no.

Of course I read this one:
http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html
and then that one:
http://www.devco.net/pubwiki/Bacula/TLS/
which was quite helpful.

I tried to have an encrypted communication between the director and bconsole as a first attempt but it doesn't work.

bconsole.conf looks like:

    Director {
      Name = ba-server-dir
      DIRport = 9101
      address = ba-server.some.domain
      Password = "mypw"
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      TLS Certificate = /etc/bacula/certs/server_crt.pem
      TLS Key = /etc/bacula/certs/server_key.pem
    }

bacula-dir.conf (just the upper part):

    Director {                            # define myself
      Name = ba-server-dir
      DIRport = 9101                      # where we listen for UA connections
      QueryFile = "/etc/bacula/scripts/query.sql"
      WorkingDirectory = "/var/lib/bacula"
      PidDirectory = "/var/run/bacula"
      Password = "mypw"
      Messages = Daemon
      DirAddress = ba-server.some.domain
      Heartbeat Interval = 60
      Maximum Concurrent Jobs = 20
      TLS Enable = yes
      TLS Require = yes
    # TLS Verify Peer = yes
    # TLS Allowed CN = "ba-server.some.domain"
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      TLS Certificate = /etc/bacula/certs/server_crt.pem
      TLS Key = /etc/bacula/certs/server_key.pem
    }

I used TLS Verify Peer and TLS Allowed CN as well before.

2. What I got:

    Connecting to Director ba-server.some.domain:9101
    TLS negotiation failed
    Director authorization problem.
    Most likely the passwords do not agree.
    If you are using TLS, there may have been a certificate validation error during the TLS handshake.
    Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.

In the log file I see:

    08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /CN=ba-server.some.domain and so on.... ERR=26:unsupported certificate purpose

Thus I searched for "unsupported certificate purpose" and found out that nsCertType was set to "server". That means both certs have a purpose called "server". I made a new crt/key with "client". No success. I couldn't find out either how to set nsCertType to nothing or whether bacula is able to ignore such a setting.

Thanks for help!

Greetings,
Oliver
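The ERR=26 in the director log is OpenSSL's certificate purpose check. The script below is an added example, not part of the original post: it builds a throwaway CA and shows which nsCertType values pass `openssl verify -purpose sslclient` and `-purpose sslserver`. The CA name, file names and helper functions are constructed for the demonstration; only the common name is taken from the post.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, key and certs in a temp dir (not the poster's files).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CN=ba-server.some.domain              # common name used in the post

make_ca() {                           # self-signed CA plus one CSR reused for every cert
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Backup CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=$CN" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

issue() {                             # issue NAME [NSCERTTYPE]: sign the CSR, optionally with nsCertType
    echo "basicConstraints = CA:FALSE" > "$WORK/$1.ext"
    if [ -n "${2:-}" ]; then echo "nsCertType = $2" >> "$WORK/$1.ext"; fi
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

purpose_ok() {                        # purpose_ok NAME PURPOSE: status 0 if the purpose check passes
    openssl verify -CAfile "$WORK/cacert.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

ns_type() {                           # ns_type NAME: print the Netscape Cert Type value, empty if absent
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -A1 'Netscape Cert Type' |
        tail -n 1 | tr -d ' '
}

make_ca
issue srv server                      # the setting described in the post
issue both "client, server"           # both purposes in one certificate
issue plain                           # no nsCertType extension at all
for c in srv both plain; do
    for p in sslserver sslclient; do
        if purpose_ok "$c" "$p"; then r=OK; else r=FAIL; fi
        printf '%-5s nsCertType=%-22s %-9s %s\n' "$c" "$(ns_type "$c")" "$p" "$r"
    done
done
```

The same check can be run against the files named in the post with `openssl verify -CAfile cacert.pem -purpose sslclient server_crt.pem`.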