Hello,

I'm running Bacula 15.0.3 on Linux x64. I'm trying to get TLS working between director and client. I have created my own CA and have created certificates for the director and client. However, the client certificate is always rejected by Bacula with either

    ERR=26:unsuitable certificate purpose

or

    ERR=error:0A000413:SSL routines::sslv3 alert unsupported certificate

Here is my client configuration for the Director:

    Client {
      Name = client1-fd
      Address = client1.example.com
      FDPort = 9102
      Catalog = MyCatalog
      Password = "mypassword"
      Maximum Concurrent Jobs = 20
      File Retention = 12 months
      Job Retention = 12 months
      TLS Enable = yes
      TLS Require = yes
      TLS Authenticate = yes
      TLS CA Certificate File = /opt/bacula/ssl/example-ca.crt
      TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt
      TLS Key = /opt/bacula/ssl/bacdir.example.com.key
    }

Here is my file daemon configuration for the client:

    Director {
      Name = bacdir-dir
      Password = "mypassword"
      Address = bacdir.example.com
      TLS Enable = yes
      TLS Require = yes
      TLS Verify Peer = yes
      TLS Authenticate = yes
      TLS Allowed CN = client1.example.com
      TLS CA Certificate File = /etc/ssl/example-ca.crt
      TLS Certificate = /etc/ssl/client1.example.com.crt
      TLS Key = /etc/ssl/private/client1.example.com.key
    }

Does this configuration look correct? Bacula doesn't complain about the configuration, so I think it is OK. What I don't understand is how to create a working client certificate that Bacula will accept. I have tried using both easyrsa and ssl-admin to create certificates. I have followed Dan Langille's advice on this page:

https://dan.langille.org/2019/11/29/ssl-client-vs-server-certificates-and-bacula-fd/

But this does not seem to work any more (using ssl-admin and creating a client certificate using option 4 results in 'ERR=26:unsuitable certificate purpose').

Any advice would be most welcome.

Regards,
Richard