Hi,

24.04.2009 09:12, Sébastien Weber wrote:
>
> What should I do to have libssl.so?

Well, you either need to install Bacula from a different repository,
where they have a version configured with SSL, or you compile from
source yourself and include the SSL stuff yourself. In the latter case,
the output of './configure --help' tells you about all the possible
options, and you'll probably need openssl-devel installed (and many
other development packages, too).

Arno

> Sébastien
>
> Sébastien Weber wrote:
>> ok
>>
>> # ldd bacula-dir
>> linux-vdso.so.1 => (0x00007fff79dff000)
>> libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0x00007f1a7174f000)
>> libutil.so.1 => /lib/libutil.so.1 (0x00007f1a7154c000)
>> librt.so.1 => /lib/librt.so.1 (0x00007f1a71343000)
>> libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00007f1a710cd000)
>> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f1a70eb1000)
>> libdl.so.2 => /lib/libdl.so.2 (0x00007f1a70cad000)
>> libwrap.so.0 => /lib/libwrap.so.0 (0x00007f1a70aa4000)
>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f1a70798000)
>> libm.so.6 => /lib/libm.so.6 (0x00007f1a70515000)
>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f1a702fe000)
>> libc.so.6 => /lib/libc.so.6 (0x00007f1a6ffab000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007f1a71ac4000)
>> libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1a6fd93000)
>>
>> I don't have libssl.so ><
>>
>> Sébastien
>>
>> Arno Lehmann wrote:
>>
>>> Hi,
>>>
>>> 22.04.2009 15:26, Sébastien Weber wrote:
>>>
>>>> Thx for your quick reply.
>>>> But I have a certificate on www.cacert.org (the certificate is OK,
>>>> on the old server the certificate worked).
>>>> When I use it, I have an error message: "Fatal error: TLS required but
>>>> not configured in Bacula."
>>>> Does Bacula require another package/daemon/... (or just configuration?)
>>>> to use a TLS certificate?
>>>> Is openssl required just for Bacula to use a TLS certificate?
>>>>
>>> You probably run a version of Bacula without openssl support (iirc,
>>> due to license incompatibilities, some distros don't include ssl
>>> support in Bacula).
>>>
>>> You can verify this by running 'ldd /path/to/bacula-dir'. If you see
>>> a reference to libssl, it's a configuration issue. If you don't see
>>> that reference, you'll have to use another repository to install, or
>>> compile yourself.
>>>
>>> Here, for example, on a test system I see
>>>
>>> bac...@gnom:/usr/local/demo-bacula> ldd sbin/bacula-dir | grep ssl
>>> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7c5e000)
>>>
>>> Arno
>>>
>>>
>>>> I didn't use "./configure (option)", but used "apt-get install" to
>>>> install Bacula :s
>>>> doc: "Appropriate autoconf macros have been added to detect and use
>>>> OpenSSL if enabled on the ./configure line with --with-openssl"
>>>>
>>>>
>>>> how to become your own Certificate Authority so you can create your
>>>> own certificates.
>>>> That's good to know, thx :)
>>>>
>>>>
>>>> Sébastien
>>>>
>>>> Maarten Hoogveld wrote:
>>>>
>>>>> Sorry, accidentally pressed the send button before the mail was
>>>>> completed (Now why didn't I look into that gmail undo-send button
>>>>> yesterday)
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have installed Bacula with "# apt-get install bacula" on Debian
>>>>> Linux.
>>>>> My backups work, but they are not secured with TLS...
>>>>> When I use TLS, I get the error message:
>>>>> "Fatal error: TLS required but not configured in Bacula."
>>>>>
>>>>> How do I use TLS? Where do I configure TLS with this install?
>>>>>
>>>>>
>>>>> Hi Sébastien,
>>>>>
>>>>> Check out the Bacula documentation on TLS
>>>>> <http://www.bacula.org/en/dev-manual/Bacula_TLS_Communication.html>.
>>>>> The example configs are a good start.
>>>>> Also check out OpenSSL docs on how to become your own Certificate
>>>>> Authority so you can create your own certificates.
>>>>> This may take some effort and time if you are unfamiliar with
>>>>> certificates. Without the right certificates it will not work.
>>>>> OpenSSL has some functionality with which you can check the
>>>>> certificates. You can create some sort of server and try to connect
>>>>> to it but I don't remember how that works anymore. Google for it.
>>>>> It's important to start with the simplest solution (e.g. no TLS)
>>>>> and then gradually add some TLS features. (So don't start with the
>>>>> "TLS Allowed CN" or something like that. Add that when the plain
>>>>> TLS connection works.)
>>>>> Also important to understanding what's going on is to figure out
>>>>> what connects to what. The part about firewalls
>>>>> <http://www.bacula.org/en/rel-manual/Dealing_with_Firewalls.html>
>>>>> in the Bacula documentation has a small and useful overview of
>>>>> that. For the TLS connection the "client" is the connecting party
>>>>> and the server is the party being connected to. Example: When the
>>>>> bacula-dir connects to the bacula-fd, the bacula-dir is the client
>>>>> and the bacula-fd is the server. (See comments in the example
>>>>> configs in the Director resource of the bacula-fd config)
>>>>>
>>>>> I have created some scripts to create and sign my own certificates
>>>>> because I just can't remember the command line options for openssl.
>>>>> They are used in a Fedora 6 environment so you may have to change
>>>>> some paths to match your setup.
>>>>> Before you can use these scripts you need:
>>>>> - A proper openssl config file
>>>>>   Place the file location in create.sh at the [openssl.cnf] placeholder
>>>>> - Your self-signed root-certificate and private key
>>>>>   Place them in their placeholders [ca.crt] and [ca.key] in the
>>>>>   sign script
>>>>> - Check all paths in sign.sh (/etc/pki/CA/ in my installation) and
>>>>>   make sure they match your setup.
>>>>> (Note: The sign script is not mine, I found it on the internet
>>>>> somewhere and don't remember who wrote it so I can't give credit.)
>>>>>
>>>>>
>>>>> Of course this doesn't explain TLS fully but I hope this helps a bit.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Maarten Hoogveld
>>>>>
>>>>>
>>>>> *create.sh* A script to create a new key-pair and a cert-sign-request.
>>>>>
>>>>> #!/bin/bash
>>>>> FILE_BASE=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: $0 <base-filename>"
>>>>>     echo " Creates a key-pair and csr (Certificate Signing Request)"
>>>>>     echo " Files created are <base-filename>.key and <base-filename>.csr."
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> if [ -e ${FILE_BASE}.key ]; then
>>>>>     echo "File ${FILE_BASE}.key already exists."
>>>>>     echo "Exiting."
>>>>>     exit 1;
>>>>> fi
>>>>>
>>>>> openssl req -config [openssl.cnf] -new -nodes \
>>>>>     -keyout ${FILE_BASE}.key -out ${FILE_BASE}.csr -days 730
>>>>>
>>>>> echo "Done."
>>>>>
>>>>>
>>>>> *sign.sh* A script to sign a sign-request
>>>>>
>>>>> #!/bin/sh
>>>>> # argument line handling
>>>>> CSR=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: ${0} <whatever>.csr"; exit 1
>>>>> fi
>>>>> if [ ! -f $CSR ]; then
>>>>>     echo "CSR not found: $CSR"; exit 1
>>>>> fi
>>>>> case $CSR in
>>>>>     *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
>>>>>     * ) CERT="$CSR.crt" ;;
>>>>> esac
>>>>> # make sure environment exists
>>>>> if [ ! -d ca.db.certs ]; then
>>>>>     mkdir ca.db.certs
>>>>> fi
>>>>> if [ ! -f ca.db.serial ]; then
>>>>>     echo '01' >ca.db.serial
>>>>> fi
>>>>> if [ ! -f ca.db.index ]; then
>>>>>     cp /dev/null ca.db.index
>>>>> fi
>>>>> # create an own SSLeay config
>>>>> cat > ca.config <<EOT
>>>>> [ ca ]
>>>>> default_ca = CA_own
>>>>> [ CA_own ]
>>>>> dir = /etc/pki/CA
>>>>> certs = /etc/pki/CA/certs
>>>>> new_certs_dir = /etc/pki/CA/ca.db.certs
>>>>> database = /etc/pki/CA/ca.db.index
>>>>> serial = /etc/pki/CA/ca.db.serial
>>>>> RANDFILE = /etc/pki/CA/ca.db.rand
>>>>> certificate = /etc/pki/CA/certs/[ca.crt]
>>>>> private_key = /etc/pki/CA/private/[ca.key]
>>>>> default_days = 730
>>>>> default_crl_days = 30
>>>>> default_md = md5
>>>>> preserve = no
>>>>> policy = policy_anything
>>>>> [ policy_anything ]
>>>>> countryName = optional
>>>>> stateOrProvinceName = optional
>>>>> localityName = optional
>>>>> organizationName = optional
>>>>> organizationalUnitName = optional
>>>>> commonName = supplied
>>>>> emailAddress = optional
>>>>> EOT
>>>>> # sign the certificate
>>>>> echo "CA signing: $CSR -> $CERT:"
>>>>> openssl ca -config ca.config -out $CERT -infiles $CSR
>>>>> echo "CA verifying: $CERT <-> CA cert"
>>>>> openssl verify -CAfile /etc/pki/CA/certs/[ca.crt] $CERT
>>>>> # cleanup after SSLeay
>>>>> /bin/rm -f ca.config
>>>>> /bin/rm -f ca.db.serial.old
>>>>> /bin/rm -f ca.db.index.old
>>>>> # die gracefully
>>>>> exit 0
>>>>>
>>>>>
>>>>> *export.sh* A script to tidy up the files and put them into
>>>>> separate folders for archival
>>>>>
>>>>> #!/bin/bash
>>>>> FILE_BASE=$1
>>>>> if [ $# -ne 1 ]; then
>>>>>     echo "Usage: $0 <base-filename>"
>>>>>     echo " If <base-filename>.key and <base-filename>.crt exist:"
>>>>>     echo " <base-filename>.key will be moved to ./export/private"
>>>>>     echo " <base-filename>.crt will be moved to ./export/certs"
>>>>>     echo " <base-filename>.csr will be deleted if it exists"
>>>>>     exit 1
>>>>> fi
>>>>>
>>>>> if [ ! -e ${FILE_BASE}.key ]; then
>>>>>     echo "File ${FILE_BASE}.key does not exist!"
>>>>>     exit 1;
>>>>> fi
>>>>>
>>>>> if [ ! -e ${FILE_BASE}.crt ]; then
>>>>>     echo "File ${FILE_BASE}.crt does not exist!"
>>>>>     exit 1;
>>>>> fi
>>>>>
>>>>> if [ ! -d export/certs ]; then
>>>>>     echo "Destination ./export/certs does not exist. Please create this directory and try again."
>>>>>     exit 1;
>>>>> fi
>>>>> if [ ! -d export/private ]; then
>>>>>     echo "Destination ./export/private does not exist. Please create this directory and try again."
>>>>>     exit 1;
>>>>> fi
>>>>>
>>>>> mv ${FILE_BASE}.key export/private
>>>>> chmod 0400 export/private/${FILE_BASE}.key
>>>>>
>>>>> mv ${FILE_BASE}.crt export/certs
>>>>>
>>>>> if [ -e ${FILE_BASE}.csr ]; then
>>>>>     rm ${FILE_BASE}.csr
>>>>> fi
>>>>>
>>>>> echo "Done."

--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
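
The certificate workflow of the quoted scripts and the "create a server and connect to it" check mentioned in the quoted message, as an added example that is not part of the thread or of the posters' scripts. The names demo-ca and fd.example.test and all function names are constructed for illustration; the example signs with SHA-256 rather than the default_md = md5 in the quoted sign.sh, and handshake_ok assumes the given local TCP port is free.

```shell
#!/bin/sh
# Added example: throwaway CA and one daemon certificate, plus the checks.
# "demo-ca" and "fd.example.test" are constructed names, not from the thread.

make_demo_pki() {            # $1 = existing, empty working directory
    # Self-signed root CA: the [ca.crt] / [ca.key] pair sign.sh expects.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=demo-ca" -keyout "$1/ca.key" -out "$1/ca.crt" \
        2>/dev/null || return 1
    # Key pair and CSR for one daemon, the job of create.sh.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fd.example.test" \
        -keyout "$1/fd.key" -out "$1/fd.csr" 2>/dev/null || return 1
    # Sign the CSR with SHA-256 (the quoted sign.sh config uses md5).
    openssl x509 -req -sha256 -days 30 -in "$1/fd.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/fd.crt" \
        2>/dev/null || return 1
    chmod 0400 "$1/ca.key" "$1/fd.key"   # private keys: owner read only
}

chain_ok() {                 # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {         # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

sig_digest() {               # $1 = certificate; prints its signature algorithm
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

handshake_ok() {             # $1 = directory from make_demo_pki, $2 = free TCP port
    # The server side plays the bacula-fd role; the client verifies against the CA.
    openssl s_server -accept "$2" -cert "$1/fd.crt" -key "$1/fd.key" \
        -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    rc=0
    openssl s_client -connect "127.0.0.1:$2" -CAfile "$1/ca.crt" \
        -verify_return_error </dev/null >/dev/null 2>&1 || rc=$?
    kill "$srv" 2>/dev/null
    return "$rc"
}
```

These checks only diagnose certificate problems; when the ldd output shows no libssl reference, as in the quoted output above, the binary has to be replaced first.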