Thanks for your quick reply. But I have a certificate from www.cacert.org (the certificate is OK; on the old server the certificate worked). When I use it, I get an error message: "Fatal error: TLS required but not configured in Bacula." Does Bacula require another package/daemon/... (or just configuration?) to use a TLS certificate? Is openssl required just for Bacula to use the TLS certificate?
I didn't use "./configure (option)", but used "apt-get install" to install bacula :s
doc: "Appropriate autoconf macros have been added to detect and use OpenSSL if enabled on the ./configure line with --with-openssl"

"how to become your own Certificate Authority so you can create your own certificates." That's good to know, thanks :)

Sébastien

Maarten Hoogveld wrote:
> Sorry, accidentally pressed the send button before the mail was
> completed (Now why didn't I look into that gmail undo-send button
> yesterday)
>
> > Hi,
> >
> > I have installed bacula with "# apt-get install bacula" on debian linux.
> > I have backups that work, but they are not secured with TLS...
> > When using TLS, I get the error message:
> > "Fatal error: TLS required but not configured in Bacula."
> >
> > How to use TLS? Where do I configure TLS with this install?
>
> Hi Sébastien,
>
> Check out the Bacula documentation on TLS
> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>.
> The example configs are a good start.
> Also check out the OpenSSL docs on how to become your own Certificate
> Authority so you can create your own certificates.
> This may take some effort and time if you are unfamiliar with
> certificates. Without the right certificates it will not work.
> OpenSSL has some functionality with which you can check the
> certificates. You can create some sort of server and try to connect to
> it, but I don't remember how that works anymore. Google for it.
> It's important to start with the simplest solution (e.g. no TLS) and
> then gradually add some TLS features. (So don't start with "TLS
> Allowed CN" or something like that. Add that when the plain TLS
> connection works.)
> Also important for understanding what's going on is to figure out what
> connects to what. The part about firewalls
> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html> in
> the Bacula documentation has a small and useful overview of that.
> For the TLS connection the "client" is the connecting party and the server
> is the party being connected to. Example: When the bacula-dir connects
> to the bacula-fd, the bacula-dir is the client and the bacula-fd is
> the server. (See the comments in the example configs in the Director
> resource of the bacula-fd config.)
>
> I have created some scripts to create and sign my own certificates
> because I just can't remember the command line options for openssl.
> They are used in a Fedora 6 environment so you may have to change some
> paths to match your setup.
> Before you can use these scripts you need:
> - A proper openssl config file
>   Place the file location in create.sh at the [openssl.cnf] placeholder
> - Your self-signed root certificate and private key
>   Place them in their placeholders [ca.crt] and [ca.key] in the sign
>   script
> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and
>   make sure they match your setup.
> (Note: The sign script is not mine, I found it on the internet
> somewhere and don't remember who wrote it so I can't give credit.)
>
> Of course this doesn't explain TLS fully but I hope this helps a bit.
>
> Regards,
> Maarten Hoogveld
>
> *create.sh* A script to create a new key-pair and a cert-sign-request.
>
> #!/bin/bash
> # Creates a key-pair and a CSR (Certificate Signing Request) to feed to sign.sh.
> FILE_BASE=$1
> if [ $# -ne 1 ]; then
>     echo "Usage: $0 <base-filename>"
>     echo "  Creates a key-pair and csr (Certificate Signing Request)"
>     echo "  Files created are <base-filename>.key and <base-filename>.csr."
>     exit 1
> fi
>
> if [ -e "${FILE_BASE}.key" ]; then
>     echo "File ${FILE_BASE}.key already exists."
>     echo "Exiting."
>     exit 1
> fi
>
> # -nodes leaves the private key unencrypted so the daemon can read it without
> # a passphrase; protect it with file permissions instead (see export.sh).
> # The validity period is set by the CA when it signs (default_days in sign.sh),
> # so no -days option is needed on a CSR.
> openssl req -config [openssl.cnf] -new -nodes \
>     -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr"
>
> echo "Done."
>
>
> *sign.sh* A script to sign a sign-request
>
> #!/bin/sh
> # Signs a CSR with the CA kept in $CA_DIR and verifies the result against the CA cert.
> CA_DIR=/etc/pki/CA
> # argument line handling
> CSR=$1
> if [ $# -ne 1 ]; then
>     echo "Usage: ${0} <whatever>.csr"; exit 1
> fi
> if [ ! -f "$CSR" ]; then
>     echo "CSR not found: $CSR"; exit 1
> fi
> case $CSR in
>     *.csr ) CERT="${CSR%.csr}.crt" ;;
>     * )     CERT="$CSR.crt" ;;
> esac
> # make sure the CA database exists (same paths as referenced in the config below)
> if [ ! -d "$CA_DIR/ca.db.certs" ]; then
>     mkdir "$CA_DIR/ca.db.certs"
> fi
> if [ ! -f "$CA_DIR/ca.db.serial" ]; then
>     echo '01' > "$CA_DIR/ca.db.serial"
> fi
> if [ ! -f "$CA_DIR/ca.db.index" ]; then
>     cp /dev/null "$CA_DIR/ca.db.index"
> fi
> # create an own SSLeay config
> cat > ca.config <<EOT
> [ ca ]
> default_ca = CA_own
> [ CA_own ]
> dir = $CA_DIR
> certs = $CA_DIR/certs
> new_certs_dir = $CA_DIR/ca.db.certs
> database = $CA_DIR/ca.db.index
> serial = $CA_DIR/ca.db.serial
> RANDFILE = $CA_DIR/ca.db.rand
> certificate = $CA_DIR/certs/[ca.crt]
> private_key = $CA_DIR/private/[ca.key]
> default_days = 730
> default_crl_days = 30
> # sha256: the original used md5, whose signatures are no longer trusted
> default_md = sha256
> preserve = no
> policy = policy_anything
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
> EOT
> # sign the certificate (-infiles must be the last option)
> echo "CA signing: $CSR -> $CERT:"
> openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
> echo "CA verifying: $CERT <-> CA cert"
> openssl verify -CAfile "$CA_DIR/certs/[ca.crt]" "$CERT"
> # cleanup after SSLeay
> /bin/rm -f ca.config
> /bin/rm -f "$CA_DIR/ca.db.serial.old"
> /bin/rm -f "$CA_DIR/ca.db.index.old"
> # die gracefully
> exit 0
>
>
> *export.sh* A script to tidy up the files and put them into separate
> folders for archival
>
> #!/bin/bash
> FILE_BASE=$1
> if [ $# -ne 1 ]; then
>     echo "Usage: $0 <base-filename>"
>     echo "  If <base-filename>.key and <base-filename>.crt exist:"
>     echo "  <base-filename>.key will be moved to ./export/private"
>     echo "  <base-filename>.crt will be moved to ./export/certs"
>     echo "  <base-filename>.csr will be deleted if it exists"
>     exit 1
> fi
>
> if [ ! -e "${FILE_BASE}.key" ]; then
>     echo "File ${FILE_BASE}.key does not exist!"
>     exit 1
> fi
>
> if [ ! -e "${FILE_BASE}.crt" ]; then
>     echo "File ${FILE_BASE}.crt does not exist!"
>     exit 1
> fi
>
> if [ ! -d export/certs ]; then
>     echo "Destination ./export/certs does not exist. Please create this directory and try again."
>     exit 1
> fi
> if [ ! -d export/private ]; then
>     echo "Destination ./export/private does not exist. Please create this directory and try again."
>     exit 1
> fi
>
> # the private key is the secret: owner-read-only, everything else is public
> mv "${FILE_BASE}.key" export/private
> chmod 0400 "export/private/${FILE_BASE}.key"
>
> mv "${FILE_BASE}.crt" export/certs
>
> if [ -e "${FILE_BASE}.csr" ]; then
>     rm "${FILE_BASE}.csr"
> fi
>
> echo "Done."

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
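Added example (editor's, not from the thread, from Maarten's scripts or from the Bacula project): the same private-CA workflow the quoted scripts perform, but done with plain openssl subcommands and no openssl.cnf or CA database, followed by the two checks the thread recommends doing before touching Bacula: that a daemon certificate actually chains to your CA, and that a certificate from a different CA is rejected. It ends by printing the Director resource for bacula-fd.conf with the "TLS Allowed CN" taken from the Director's certificate, so the CN you issue and the CN you allow cannot drift apart. Host names, the /etc/bacula/{certs,private} install paths, key size, hash and validity periods are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original thread or from Bacula): a minimal private
# CA using only standard openssl subcommands, a certificate for each Bacula daemon,
# a chain check showing why a certificate from the wrong CA is rejected, and the
# matching Director resource for bacula-fd.conf.
# Assumptions not taken from the page: the host names, the /etc/bacula/{certs,private}
# install paths, 2048-bit RSA keys, sha256 signatures, 10 year CA / 2 year leaf validity.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# make_ca NAME: self-signed root CA, written to $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    chmod 0400 "$WORK/$1.key"
}

# issue_cert CA HOST: key + CSR for HOST, signed by CA, giving $WORK/HOST.crt.
# The CN is the daemon's host name; that is the string "TLS Allowed CN" compares.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 730 -sha256 -out "$WORK/$2.crt" 2>/dev/null
    chmod 0400 "$WORK/$2.key"   # private key: owner-read-only, like export.sh does
    rm -f "$WORK/$2.csr"        # the CSR is not needed once the cert exists
}

# verify_chain CA HOST: exit 0 if HOST.crt was signed by CA.crt, non-zero otherwise.
# This is the chain check a daemon applies to its peer when TLS Verify Peer = yes.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_cn HOST: the CN in HOST.crt. The sed handles both "subject=CN=" (OpenSSL
# 1.1 and later) and "subject= CN=" (OpenSSL 1.0) output formats.
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# fd_tls_fragment CA FDHOST DIRHOST DIRNAME: Director resource for bacula-fd.conf that
# requires TLS from the Director and accepts only the CN found in DIRHOST's certificate.
# The /etc/bacula paths are where the files would be installed on the fd host (assumed).
fd_tls_fragment() {
    cat <<EOF
Director {
  Name = $4
  Password = "<same password as in bacula-dir.conf>"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "$(cert_cn "$3")"
  TLS CA Certificate File = /etc/bacula/certs/$1.crt
  TLS Certificate = /etc/bacula/certs/$2.crt
  TLS Key = /etc/bacula/private/$2.key
}
EOF
}

# Demonstration: one CA for the backup system, certificates for the Director and one
# file daemon, plus an unrelated CA to show that its certificates do not verify.
demo() {
    make_ca bacula-ca
    issue_cert bacula-ca bacula-dir.example.org
    issue_cert bacula-ca bacula-fd.example.org
    make_ca other-ca
    issue_cert other-ca rogue.example.org
    verify_chain bacula-ca bacula-fd.example.org && echo "bacula-fd certificate: OK"
    verify_chain bacula-ca rogue.example.org || echo "rogue certificate: rejected (not signed by bacula-ca)"
    fd_tls_fragment bacula-ca bacula-fd.example.org bacula-dir.example.org bacula-dir
}

demo
```

The mirror-image Client resource in bacula-dir.conf uses the same directive names with the roles swapped (the Director presents bacula-dir.example.org.crt and its "TLS Allowed CN" is the fd's CN); as Maarten suggests, leave "TLS Allowed CN" out on both sides until the plain TLS connection works, then add it. One check worth doing before any of this, since the original question is about an apt-get installed package: run ldd on the daemon binary (path assumed, e.g. `ldd /usr/sbin/bacula-fd | grep -i ssl`). If no libssl line appears, the binary was built without OpenSSL and no configuration will make TLS work; if it does appear, the problem is in the configuration, not the build.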