On 1/23/21 5:46 PM, Dan Langille wrote:
> On Tue, Nov 10, 2020, at 2:11 PM, David Newman wrote:
>> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
>> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>>
>> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
>> backups run successfully but throw this warning:
>>
>> ERR=20:"unable to get local issuer certificate"
>>
>> This setup uses self-signed certificates and worked without errors or
>> warnings before this OS upgrade.
>>
>> There has been no bacula configuration change on either the client or
>> director. A diff of the client bacula-fd.conf file (excerpted below)
>> before and after the upgrade shows no change.
>>
>> I tried revoking the old client cert and generating a new one, but this
>> had no effect on the warning message.
>>
>> I also tried command-line "openssl s_client -connect" commands both
>> ways. Both connections worked on the respective ports 9101 and 9102.
>>
>> Besides the bacula client configuration -- which hasn't changed, aside
>> from pointing to new certs with the same filenames -- is there something
>> else that needs tweaking on the client?
>>
>> Many thanks.
>>
>> dn
>>
>> -----
>>
>> client bacula-fd.conf
>>
>> Director {
>>   Name = nye-dir
>>  ..
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>   TLS Verify Peer = yes
>>
>>  # Allow only the Director to connect
>>   TLS Allowed CN = "backups.example.com"
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
>>
>> ..
>>
>> FileDaemon {
>>   Name = client-fd
>>   FDport = 9102                  # where we listen for the director
>>   WorkingDirectory = /var/db/bacula
>>   Pid Directory = /var/run
>>   Maximum Concurrent Jobs = 20
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
> 
> Did you solve this one?

Sort of. The root cause is in OpenBSD 6.8's LibreSSL implementation. The
developers report it's fixed in -current but this is on a production
system, and I can wait for 6.9.

dn
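
Added example, not part of the original thread: one way to rule out the certificate files themselves when verify error 20 appears, before suspecting the TLS library. The CAs, client certificate and function names below are constructed for illustration; on the layout quoted above the same `openssl verify -CAfile` check would be pointed at /etc/bacula/cacert.pem and /etc/bacula/client.pem.

```shell
#!/bin/sh
# All keys and certificates here are constructed throwaway test material.

# verify_code CAFILE CERT -> prints the X.509 verify error number (0 = chain OK)
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return; }
    # Failure output looks like: "error 20 at 0 depth lookup: unable to get ..."
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# make_ca DIR NAME CN -> self-signed CA in DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA_NAME LEAF_NAME CN -> certificate signed by DIR/CA_NAME
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo -> prints "<code with the issuing CA> <code with an unrelated CA>"
demo() {
    d=$(mktemp -d) || return 1
    make_ca   "$d" ca    "Constructed Backup CA"
    make_ca   "$d" other "Constructed Unrelated CA"
    make_leaf "$d" ca client "client.example.com"
    good=$(verify_code "$d/ca.pem"    "$d/client.pem")  # issuer is in the CA file
    bad=$(verify_code  "$d/other.pem" "$d/client.pem")  # issuer is missing
    rm -rf "$d"
    echo "$good $bad"
}

demo
```

A result of 0 for the real CA file and client certificate means the files chain correctly, so the warning has to come from somewhere other than the certificates.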



_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
