Hi Tim,
  I was pretty sure that the trouble was in the CN. Could you try to
create the cert without the email value
(/emailAddress=bluethu...@gmail.com), only CN=storage.jokefire.com?

 Have you also checked that these files:

  /etc/pki/tls/certs/storage.jokefire.com.crt
  /etc/pki/tls/private/storage.jokefire.com.key

belong to the bacula user?

regards, I


2013/11/28 Tim Dunphy <bluethu...@gmail.com>

> Hello Iban! And thank you for your reply.
>
>
>
>>  I have a similar configuration. I think that the problem is in the CN:
>> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>>
>>
>> please could you show the value for   DirAddress = bacula.example.org
>>
>> in my case:
>>
>>   DirAddress = bacula.example.org
>>
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS Verify Peer = no
>>   TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>   TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>   TLS Key = /etc/bacula/certs/key/bacula.key
>>
>>
> This is my director configuration from bacula-dir.conf
>
>
> Director {                            # define myself
>   Name = storage.jokefire.com
>   DIRport = 9101                # where we listen for UA connections
>   QueryFile = "/etc/bacula/query.sql"
>   WorkingDirectory = "/var/spool/bacula"
>   PidDirectory = "/var/run"
>   Maximum Concurrent Jobs = 1
>   Password = "secret"         # Console password
>   Messages = Daemon
>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = yes
> }
>
>
> I hope I got you right in that this was what you needed to know.
>
>
>> Looking at the cert:
>>
>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>
>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>
>
> openssl x509 -in /etc/pki/tls/certs/storage.jokefire.com.crt -noout -text
>
>   Subject: C=US, ST=XXXXX, L=YYYY, O=ZZZZ LLC, OU=Ops, CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>
> [root@storage:~] #hostname -f
> storage.jokefire.com
>
>
>
>> The CN must be the same as DirAddress (I did not use email address for
>> cert sign)
>>
>>
>
> It appears as if the DirAddress and the common name do agree. Might there
> be something else I could have missed?
>
> Thanks
> Tim
>
>
> On Wed, Nov 27, 2013 at 7:50 AM, Iban Cabrillo <cabri...@ifca.unican.es> wrote:
>
>> Hi Tim,
>>  I have a similar configuration. I think that the problem is in the CN:
>> CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com
>>
>>
>> please could you show the value for   DirAddress = bacula.example.org
>>
>> in my case:
>>
>>   DirAddress = bacula.example.org
>>
>>   TLS Enable = yes
>>   TLS Require = yes
>>   TLS Verify Peer = no
>>   TLS CA Certificate File = /etc/bacula/certs/ca/signing-ca-1.crt
>>   TLS Certificate = /etc/bacula/certs/cert/bacula.crt
>>   TLS Key = /etc/bacula/certs/key/bacula.key
>>
>> Looking at the cert:
>>
>> openssl x509 -in /etc/bacula/certs/cert/bacula.crt -noout -text
>>
>> Subject: C=ES, ST=XXXXX, O=YYYY, OU=Computing Department, CN=bacula.example.org
>>
>> The CN must be the same as DirAddress (I did not use email address for
>> cert sign)
>>
>> Regards, I
>>
>>
>> 2013/11/27 Tim Dunphy <bluethu...@gmail.com>
>>
>>> Hello all,
>>>
>>>
>>>  I'm trying to add TLS encryption to my bacula setup.
>>>
>>>
>>>
>>>  I've been following this guide which got me almost all of the way there:
>>>
>>>
>>> http://blog.earth-works.com/2013/08/03/configuring-bacula-to-use-tls-to-encrypt-connections/
>>>
>>>
>>> I modified the following sections in my bacula-dir.conf file:
>>>
>>>
>>> Director {                            # define myself
>>>   Name = storage.jokefire.com
>>>   DIRport = 9101                # where we listen for UA connections
>>>   QueryFile = "/etc/bacula/query.sql"
>>>   WorkingDirectory = "/var/spool/bacula"
>>>   PidDirectory = "/var/run"
>>>   Maximum Concurrent Jobs = 1
>>>   Password = "secret"         # Console password
>>>   Messages = Daemon
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>   TLS Verify Peer = yes
>>> }
>>>
>>>
>>> Client {
>>>   Name = ops.jokefire.com
>>>   Address = ops.jokefire.com
>>>   FDPort = 9102
>>>   Catalog = JokefireCatalog
>>>   Password = "secret"          # password for FileDaemon
>>>   File Retention = 14 days            # 14 days
>>>   Job Retention = 14d            # 14 days
>>>   AutoPrune = yes                     # Prune expired Jobs/Files
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>>
>>>
>>> And in my bacula-fd.conf
>>>
>>>
>>> Director {
>>>   Name = storage.jokefire.com
>>>   Password = "secret"
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>>
>>> FileDaemon {                          # this is me
>>>   Name = storage.jokefire.com
>>>   FDport = 9102                  # where we listen for the director
>>>   WorkingDirectory = /var/bacula
>>>   Pid Directory = /var/run
>>>   Maximum Concurrent Jobs = 20
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>>
>>> In bacula-sd.conf:
>>>
>>>
>>> Storage {                             # definition of myself
>>>   Name = storage.jokefire.com
>>>   SDPort = 9103                  # Director's port
>>>   WorkingDirectory = "/var/spool/bacula"
>>>   Pid Directory = "/var/run"
>>>   Maximum Concurrent Jobs = 20
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>   TLS Verify Peer = yes
>>> }
>>>
>>>
>>> And finally in bconsole.conf:
>>>
>>>
>>> Director {
>>>   Name = storage.jokefire.com
>>>   DIRport = 9101
>>>   address = storage.jokefire.com
>>>   Password = "secret"
>>>   TLS Certificate = /etc/pki/tls/certs/storage.jokefire.com.crt
>>>   TLS Key = /etc/pki/tls/private/storage.jokefire.com.key
>>>   TLS CA Certificate File = /etc/pki/CA/certs/rootBaculaCA.pem
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>> }
>>>
>>>
>>> Then I bounced the services so all seems well at this point:
>>>
>>>
>>> [root@storage:/etc/bacula] #bounce-bacula
>>> Stopping Bacula Storage services:                          [  OK  ]
>>> Starting Bacula Storage services:                          [  OK  ]
>>> Stopping Bacula File services:                             [  OK  ]
>>> Starting Bacula File services:                             [  OK  ]
>>> Stopping Bacula Director services:                         [  OK  ]
>>> Starting Bacula Director services:                         [  OK  ]
>>>
>>>
>>> (wrote a script to bounce all services because I'm lazy)
>>>
>>>
>>> But when I go into bconsole I get the following (until I restore from
>>> backup)
>>>
>>>
>>> [root@storage:/etc/bacula] #bconsole
>>> Connecting to Director storage.jokefire.com:9101
>>> 26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com, subject = /C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com, ERR=18:self signed certificate
>>> TLS negotiation failed
>>> Director authorization problem.
>>> Most likely the passwords do not agree.
>>> If you are using TLS, there may have been a certificate validation error during the TLS handshake.
>>> Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00260000000000000000 for help.
>>>
>>>
>>> I've saved my work with TLS so I'm eager to get this going. I used the
>>> following guide to generating the certs, and I'm wondering if the problem
>>> could possibly be in the way I generated the certs?
>>>
>>>
>>>
>>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>>
>>>
>>> Thanks for any and all advice!
>>>
>>>
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>>
>>>
>>> _______________________________________________
>>> Bacula-users mailing list
>>> Bacula-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>
>>>
>>
>>
>> --
>> ####################################
>> Iban Cabrillo Bartolome
>> Instituto de Fisica de Cantabria (IFCA)
>> Santander, Spain
>> Tel: +34942200969
>> ####################################
>> Bertrand Russell:
>> *"The problem with the world is that the stupid are sure of everything and
>> the intelligent are full of doubts"*
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>


-- 
####################################
Iban Cabrillo Bartolome
Instituto de Fisica de Cantabria (IFCA)
Santander, Spain
Tel: +34942200969
####################################
Bertrand Russell:
*"The problem with the world is that the stupid are sure of everything and the
intelligent are full of doubts"*
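
An added example (not part of the original messages): a Python parser for the `tls.c` error line quoted in the thread, which splits the OpenSSL one-line DN into its attributes, compares the CN with the Director host name, and compares issuer with subject. The function names are hypothetical; the log line is the one from the thread, unwrapped, with the address elided as on the page.

```python
import re

# Error line from the thread, unwrapped; the address is elided as on the page.
DN = ("/C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/"
      "CN=storage.jokefire.com/emailAddress=bluethu...@gmail.com")
LOG_LINE = ("26-Nov 22:13 bconsole JobId 0: Error: tls.c:92 Error with "
            "certificate at depth: 0, issuer = " + DN + ", subject = " + DN +
            ", ERR=18:self signed certificate")

TLS_ERR = re.compile(
    r"Error with certificate at depth: (?P<depth>\d+), "
    r"issuer = (?P<issuer>/.+?), subject = (?P<subject>/.+?), "
    r"ERR=(?P<code>\d+):(?P<text>.+)$")

def parse_dn(oneline):
    """Split an OpenSSL one-line DN (/K=V/K=V) into (attribute, value) pairs."""
    # Split only at a '/' that starts a new ATTR=, so other '/' in a value survive.
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", oneline)
    return [tuple(p.split("=", 1)) for p in parts if p]

def diagnose(line, expected_host):
    """Return findings for a Bacula tls.c verification error, or None."""
    m = TLS_ERR.search(line)
    if m is None:
        return None
    issuer, subject = parse_dn(m["issuer"]), parse_dn(m["subject"])
    cns = [v for k, v in subject if k == "CN"]
    depth, code = int(m["depth"]), int(m["code"])
    return {
        "depth": depth,
        "code": code,
        "cn": cns[0] if cns else None,
        "cn_matches_host": bool(cns) and cns[0].lower() == expected_host.lower(),
        "other_attrs": [k for k, _ in subject if k == "emailAddress"],
        "issuer_equals_subject": issuer == subject,
        # OpenSSL code 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT): the leaf is
        # self-signed and was not found among the trusted certificates.
        "leaf_self_issued": code == 18 and depth == 0 and issuer == subject,
    }

if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, "storage.jokefire.com").items():
        print(f"{key}: {value}")
```
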