Hi Tim,
I have a similar configuration. I think that the problem is in the CN:
CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
please could you show the value for DirAddress = bacula.example.org
in my case:
DirAddress = bacula.example.org
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = no
TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
TLS Certificate = /etc/bacula/certs/cert/bacula.crt
TLS Key = /etc/bacula/certs/key/bacula.key
Looking at the cert:
openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
The CN must be the same as DirAddress (I did not use an email address for
cert signing)
Regards, I
2013/11/27 Tim Dunphy <bluethu...@gmail.com>
> Hello all,
>
>
> I'm trying to add TLS encryption to my bacula setup.
>
>
>
> I've been following this guide which got me almost all of the way there:
>
>
> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>
>
> I modified the following sections in my bacula-dir.conf file:
>
>
> Director { # define myself
>
> Name = storage.jokefire.com
>
> DIRport = 9101 # where we listen for UA connections
>
> QueryFile = "/etc/bacula/query.sql"
>
> WorkingDirectory = "/var/spool/bacula"
>
> PidDirectory = "/var/run"
>
> Maximum Concurrent Jobs = 1
>
> Password = "secret" # Console password
>
> Messages = Daemon
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> TLS Verify Peer = yes
>
> }
>
>
> Client {
>
> Name = ops.jokefire.com
>
> Address = ops.jokefire.com
>
> FDPort = 9102
>
> Catalog = JokefireCatalog
>
> Password = "secret" # password for FileDaemon
>
> File Retention = 14 days # 14 days
>
> Job Retention = 14d # 14 days
>
> AutoPrune = yes # Prune expired Jobs/Files
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> }
>
>
>
> And in my bacula-fd.conf
>
>
> Director {
>
> Name = storage.jokefire.com
>
> Password = "secret"
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> }
>
>
> FileDaemon { # this is me
>
> Name = storage.jokefire.com
>
> FDport = 9102 # where we listen for the director
>
> WorkingDirectory = /var/bacula
>
> Pid Directory = /var/run
>
> Maximum Concurrent Jobs = 20
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> }
>
>
> In bacula-sd.conf:
>
>
> Storage { # definition of myself
>
> Name = storage.jokefire.com
>
> SDPort = 9103 # Director's port
>
> WorkingDirectory = "/var/spool/bacula"
>
> Pid Directory = "/var/run"
>
> Maximum Concurrent Jobs = 20
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> TLS Verify Peer = yes
>
> }
>
>
> And finally in bconsole.conf:
>
>
> Director {
>
> Name = storage.jokefire.com
>
> DIRport = 9101
>
> address = storage.jokefire.com
>
> Password = "secret"
>
> TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>
> TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>
> TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>
> TLS Enable = yes
>
> TLS Require = yes
>
> }
>
>
> Then I bounced the services so all seems well at this point:
>
>
> [root@storage:/etc/bacula] #bounce-bacula
>
> Stopping Bacula Storage services: [ OK ]
>
> Starting Bacula Storage services: [ OK ]
>
> Stopping Bacula File services: [ OK ]
>
> Starting Bacula File services: [ OK ]
>
> Stopping Bacula Director services: [ OK ]
>
> Starting Bacula Director services: [ OK ]
>
>
> (wrote a script to bounce all services because I'm lazy)
>
>
> But when I go into bconsole I get the following (until I restore from
> backup)
>
>
> [root@storage:/etc/bacula] #bconsole
>
> Connecting to Director storage.jokefire.com:9101
>
> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at
> depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
> storage.jokefire.com/emailAddress=bluethu...@gmail.com, subject =
> /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=
> storage.jokefire.com/emailAddress=bluethu...@gmail.com, ERR=18:self
> signed certificate
>
> TLS negotiation failed
>
> Director authorization problem.
>
> Most likely the passwords do not agree.
>
> If you are using TLS, there may have been a certificate validation error
> during the TLS handshake.
>
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for
> help.
>
>
> I've saved my work with TLS so I'm eager to get this going. I used the
> following guide to generating the certs, and I'm wondering if the problem
> could possibly be in the way I generated the certs?
>
>
>
> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>
>
> Thanks for any and all advice!
>
>
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
>
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
>
--
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
*"The problem with the world is that the stupid are sure of everything and the
intelligent are full of doubts"*
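
The two checks this thread turns on can be run with openssl before restarting any daemon: whether the certificate chains to the file named in TLS CA Certificate File (OpenSSL verify error 18 is the ERR=18 in the bconsole output), and whether its CN equals the configured address. This is an added example, not part of either poster's message; the throwaway CA, the file names and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key and certificate below is constructed throwaway data.

# make_demo_certs DIR: a CA, a leaf signed by that CA, and a self-signed leaf.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Bacula CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bacula.example.org" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signed.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$d/leaf.key" -days 1 \
        -subj "/CN=bacula.example.org" -out "$d/selfsigned.crt" 2>/dev/null
}

# chain_status CAFILE CERT: prints ok, self-signed (verify error 18) or untrusted.
chain_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"error 18 at 0 depth"*) echo "self-signed" ;;
        *"error "*)              echo "untrusted" ;;
        *": OK"*)                echo "ok" ;;
        *)                       echo "untrusted" ;;
    esac
}

# cert_cn CERT: prints the subject CN; RFC2253 output is stable across versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cn_matches CERT HOST: true when the CN equals the address the peer connects to.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Demonstration run against the constructed certificates.
tmp=$(mktemp -d) && make_demo_certs "$tmp" && {
    echo "CA-signed leaf:   $(chain_status "$tmp/ca.crt" "$tmp/signed.crt")"
    echo "self-signed leaf: $(chain_status "$tmp/ca.crt" "$tmp/selfsigned.crt")"
    cn_matches "$tmp/signed.crt" bacula.example.org && echo "CN matches address"
}
rm -rf "$tmp"
```

On a real host, pass `chain_status` the TLS CA Certificate File and TLS Certificate paths from the daemon's own configuration.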