> On Sep 11, 2023, at 12:14 PM, Vanush Misha Paturyan <ekt...@gmail.com> wrote:
>
> Hello Dan,
>
> On Sat, 9 Sept 2023 at 12:39, Dan Langille <d...@langille.org> wrote:
>> Hello,
>>
>> Is anyone using self-signed certificates using X509v3 extensions?
>>
>> To be clear: I am not trying to make use of X509v3 extensions for any
>> particular purpose - A recent upgrade to the tool I am using recently
>> started X509v3 extensions
>>
>
> Our system works with self-signed certificates with X509v3 extensions.
> Here's what the extensions look like on our setup:
>
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             5E:67:4E:42:8B:F3:3B:8E:F4:C4:BE:B9:29:B3:5E:41:DC:DE:12:81
>         X509v3 Authority Key Identifier:
>             keyid:88:38:87:5E:B1:E0:FF:59:98:BB:0F:2F:8B:55:F5:E0:85:E1:82:9D
>             DirName:/C=IE/ST=Co Kildare/L=Maynooth/O=Maynooth University/OU=Computer Science Department/CN=CS Dept Internal CA/emailAddress=supp...@cs.nuim.ie
>             serial:CC:A9:72:5F:96:CF:3B:53
>
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Key Usage:
>             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>         X509v3 CRL Distribution Points:
>
>             Full Name:
>               URI:http://www.cs.nuim.ie/nuimcs.crl
>
> Comparing to your example, I don't have the "Extended Key Usage" part, and I
> don't remember why there are Subject Key Identifier and Authority Key
> Identifier extensions: something wasn't working without them, but I can't
> find my notes from when I was setting up our internal "CA", so have no idea
> if it was related to Bacula or not.
>
> But I have a feeling it is not bacula that is failing: this
> "ERR=error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed" feels like it is coming from the SSL library?
>
Yes, I think it's SSL erroring out, I agree with your theory. Which means: what Key Usage needs to be included for each of:

* bacula-fd
* bacula-sd
* bacula-dir

Thank you for sharing your details. Is this cert used with bacula-sd or bacula-fd?

I ask because yesterday I started running some copy jobs. The cert used by bacula-sd was acceptable for receiving backups. It was not acceptable for copy jobs.

09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect failure: ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS Negotiation failed.
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation failed with FD at "10.55.0.7:27230"
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect authorization key from File daemon at client rejected. For help, please see: http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to authenticate File daemon

I've been using 10.55.0.7 (bacula-sd-04.int.unixathome.org) – for backups for some time. This was the first copy job.

* it is not the password - I changed it, got a different error
* I changed the cert to the type used on a bacula-sd (i.e. client cert), that worked fine

I'm sure I need to change the extensions I am using.

--
Dan Langille
http://langille.org/
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
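
An added example, not part of the original messages and not Bacula's code: a Python check that reads the extension block printed by `openssl x509 -noout -text` (the layout quoted in the thread) and reports whether Key Usage and Extended Key Usage permit the certificate to be presented as a TLS client, a TLS server, or both. It follows OpenSSL's rule that an absent extension imposes no restriction; the sample dumps and the function names are constructed for illustration.

```python
import re

# Constructed sample in `openssl x509 -noout -text` layout, modelled on the
# dump quoted in the thread: Key Usage present, no Extended Key Usage.
NO_EKU = """\
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
"""
# Constructed sample: the same profile with a server-only Extended Key Usage.
SERVER_ONLY = NO_EKU + """\
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
"""

def parse_extensions(text):
    """Map extension name -> set of listed values; absent extensions get no key."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*X509v3 (.+?):\s*(?:critical)?\s*$", line)
        if m and m.group(1) == "extensions":
            continue                      # section header, not an extension
        if m:
            current = exts.setdefault(m.group(1), set())
        elif current is not None:
            current.update(v.strip() for v in line.split(",") if v.strip())
    return exts

def allowed_roles(text):
    """TLS roles the extensions permit, following OpenSSL's purpose checks
    (simplified: the legacy nsCertType extension is ignored)."""
    exts = parse_extensions(text)
    ku, eku = exts.get("Key Usage"), exts.get("Extended Key Usage")

    def permits(present, accepted):
        # An absent extension imposes no restriction; a present one must match.
        return present is None or bool(present & accepted)

    return {
        "client": permits(eku, {"TLS Web Client Authentication"})
        and permits(ku, {"Digital Signature", "Key Agreement"}),
        "server": permits(eku, {"TLS Web Server Authentication"})
        and permits(ku, {"Digital Signature", "Key Encipherment", "Key Agreement"}),
    }

if __name__ == "__main__":
    for name, dump in (("no EKU", NO_EKU), ("server-only EKU", SERVER_ONLY)):
        print(name, allowed_roles(dump))
```

For a certificate file, `openssl x509 -noout -purpose -in cert.pem` (`cert.pem` is a placeholder path) prints OpenSSL's own verdict for each purpose.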