On Mon, 11 Sept 2023 at 20:19, Dan Langille <d...@langille.org> wrote:

>
> Yes, I think it's SSL erroring out, I agree with your theory.
>
> Which means: what Key Usage needs to be included for each of:
>
> * bacula-fd
> * bacula-sd
> * bacula-dir
>
> Thank you for sharing your details.  Is this cert used with bacula-sd or
> bacula-fd?
>

That was a certificate from bacula-fd. The bacula-sd certificate has the same
extensions (Key Usage: Digital Signature, Non Repudiation, Key
Encipherment, Data Encipherment). Its CN matches the value of SDAddress in
the `Storage` section of the bacula-sd.conf file. For completeness, the
TLS-related entries in that file are:
TLS Enable = yes
TLS Require = no
TLS Verify Peer = yes
TLS CA Certificate = <path to CA cert>
TLS Certificate = <path to the sd certificate>
TLS Key = <path to the key file>


> I ask because yesterday I started running some copy jobs. The cert used by
> bacula-sd was acceptable for receiving backups. It was not acceptable for
> copy jobs.
>
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect
> failure: ERR=error:1417C086:SSL
> routines:tls_process_client_certificate:certificate verify failed
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS
> Negotiation failed.
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation
> failed with FD at "10.55.0.7:27230"
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect
> authorization key from File daemon at client rejected.
> For help, please see:
> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to
> authenticate File daemon
>

I wonder if your SD connects to itself here, and fails to validate itself?
The log above does mention an FD at 10.55.0.7. Does that FD component have
a certificate? Maybe there's a mismatch between the CN of that certificate and
the FDAddress directive in the bacula-fd.conf file?

Misha
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
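
As an added illustration (not part of the original message and not Bacula's own tooling), the shell function below shows how a certificate's Key Usage set decides whether OpenSSL accepts it for the TLS server role, the TLS client role, or both. It assumes the openssl CLI is installed; the CA, the hostname sd.example.org and the function name check_roles are constructed for the example, and it does not establish the cause of the failure in this thread.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and certificate; not Bacula tooling.
# check_roles "<keyUsage list>" prints whether OpenSSL accepts a certificate
# carrying that Key Usage for the TLS server role and for the TLS client role.
check_roles() {
    ku="$1"
    d=$(mktemp -d) || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Constructed CA, valid for one day.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Daemon key and CSR; the CN is a placeholder hostname.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=sd.example.org" \
        -keyout "$d/d.key" -out "$d/d.csr" 2>/dev/null || return 1
    # Sign with only the Key Usage under test (no Extended Key Usage).
    printf 'keyUsage = critical, %s\n' "$ku" > "$d/ext.cnf"
    openssl x509 -req -in "$d/d.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" \
        -out "$d/d.pem" 2>/dev/null || return 1
    roles=""
    for p in sslserver sslclient; do
        if openssl verify -CAfile "$d/ca.pem" -purpose "$p" "$d/d.pem" \
            >/dev/null 2>&1; then
            roles="$roles $p:ok"
        else
            roles="$roles $p:rejected"
        fi
    done
    rm -rf "$d"
    echo "${roles# }"
}

check_roles "digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
check_roles "keyEncipherment, dataEncipherment"
```

For an existing daemon certificate, `openssl x509 -in <path to certificate> -noout -purpose` lists the same purpose checks without creating anything.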
