On 2011-11-17 09:18, Manuel Schleiffelder wrote:
> On 2011-11-16 18:31, Oliver Hoffmann wrote:
>> Hi list,
>>
>> after I set up TLS successfully, I tried to get data encryption
>> running.
>>
>> I started with the official documentation:
>>
>> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
>>
>> ldd `which bacula-fd` shows:
>>
>> ...
>> libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
>> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000)
>> ...
>>
>> So, I made the master.cert and the pem file for the client (on
>> the bacula server) and set the following in the FileDaemon stanza
>> of the bacula-fd.conf:
>>
>> PKI Signatures = Yes                                  # Enable Data Signing
>> PKI Encryption = Yes                                  # Enable Data Encryption
>> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem"       # Public and Private Keys
>> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"  # ONLY the Public Key
>>
>> Starting the bacula-fd gives me:
>>
>> * Starting Bacula File daemon...
>> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
>> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
>> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
>> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
>>
>> Then there follows a backtrace which ends with Kaboom!
>>
>> There was neither anything useful (in terms of setting a
>> subjectKeyIdentifier extension) to be found, nor a better
>> bacula-PKI-howto.
>>
>> Could someone give me a hint?
>>
>> Thanks and greetings,
>>
>> Oliver
>
> hi Oliver,
>
> basically this is what i do for PKI (as i assume TLS was already
> working); maybe aes256 and 4096bit rsa is overkill ... anyhow:

sorry, the lines got messed up; so again:

Generate a Master Key Pair with:
--------------------------------

#> openssl genrsa -aes256 -out master.key 4096
#> openssl req -new -key master.key -x509 -out master.cert

Generate a File Daemon Key Pair for each FD:
--------------------------------------------

1. generate key:
#> openssl genrsa -aes256 -out fd-example.key 4096

2. selfsign certificate:
#> openssl req -new -key fd-example.key -x509 -out fd-example.cert

3. get rid of key-password (so bacula can read it!)
#> openssl rsa -in fd-example.key -out fd-example.nopass.key

4. copy key and cert to pem-file
#> cat fd-example.nopass.key fd-example.cert >fd-example.pem

> did you get rid of the my-fd.key password?
>
> manuel

_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users
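Added example, not part of the original messages: the File Daemon steps above as one script that sets subjectKeyIdentifier explicitly instead of relying on the local openssl.cnf defaults, followed by a check for the extension named in the crypto.c:462 error. The function names `make_fd_pem` and `has_ski`, the `v3_fd` section name, the CN and the file names are assumptions made for illustration; the key is written without a passphrase from the start, which replaces steps 1 and 3.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are placeholders.

# make_fd_pem NAME [BITS]: create NAME.key, NAME.cert and NAME.pem in the
# current directory. The key is stored unencrypted because the File Daemon
# has to read it without a passphrase, so it is created with umask 077.
make_fd_pem() {
    name=$1
    bits=${2:-4096}
    # Minimal request config: the v3_fd section forces the extension
    # that bacula-fd requires in its PKI certificates.
    cat > "$name.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_fd
[ dn ]
CN = $name
[ v3_fd ]
subjectKeyIdentifier = hash
EOF
    ( umask 077
      openssl genrsa -out "$name.key" "$bits" 2>/dev/null ) || return 1
    openssl req -new -x509 -config "$name.cnf" -key "$name.key" \
        -out "$name.cert" || return 1
    # Key first, then certificate, as in step 4 of the message.
    ( umask 077
      cat "$name.key" "$name.cert" > "$name.pem" )
}

# has_ski FILE: succeed only if the certificate in FILE carries the
# X509v3 Subject Key Identifier extension.
has_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Key Identifier'
}

# Usage (run in an empty working directory):
#   make_fd_pem fd-example && has_ski fd-example.cert && echo "SKI present"
```

Running `has_ski` against an existing certificate such as master.cert before restarting bacula-fd shows whether it would hit the same startup error.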
