On Thursday, June 5, 2025 6:01:46 PM CEST Richard Laysell wrote:
> Hello,

Hello Richard,

> I'm running Bacula 15.0.3 on Linux x64.

I have tested it on 9.x but it should work on 15.x as well.

> I'm trying to get TLS working between director and client.  I have
> created my own CA and have created certificates for the director and
> client.  However, the client certificate is always rejected by Bacula
> with either

I would suggest creating certificates for the storage daemon as well.

What is your goal?
Do you want to encrypt only the authentication or would you like
to encrypt the complete communication between Bacula components?

> ERR=26:unsuitable certificate purpose

That means that you are using the certificate with the wrong purpose.
For example, you have created a server certificate and you are trying
to use it where a client certificate is expected, or vice versa.

I have attached a PDF document containing a scheme that could help you
better visualise and understand what needs to be done.
Here is the summary of the certificates and their purposes (server/client)
per Bacula daemon and its resources:

# bacula-dir
director resource - server
storage resource - client (used to connect to director resource of bacula-sd)
client resource - client (used to connect to director resource of bacula-fd)

# bacula-sd
storage resource - server
director resource - server

# bacula-fd
director resource - server
filedaemon resource - client (used to connect to storage resource of bacula-sd)

# bconsole
director resource - client (used to connect to director resource of bacula-dir)

> or
> 
> ERR=error:0A000413:SSL routines::sslv3 alert unsupported certificate
> 
> Here is my client configuration for the Director
> Client
> {
>   Name = client1-fd
>   Address = client1.example.com
>   FDPort = 9102
>   Catalog = MyCatalog
>   Password = "mypassword"
>   Maximum Concurrent Jobs = 20
>   File Retention = 12 months
>   Job Retention = 12 months
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Authenticate = yes
>   TLS CA Certificate File = /opt/bacula/ssl/example-ca.crt
>   TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt
>   TLS Key = /opt/bacula/ssl/bacdir.example.com.key
> }
> 
> Here is my file daemon configuration for the client
> Director {
>   Name = bacdir-dir
>   Password = "mypassword"
>   Address = bacdir.example.com
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = yes
>   TLS Authenticate = yes
>   TLS Allowed CN = client1.example.com
>   TLS CA Certificate File = /etc/ssl/example-ca.crt
>   TLS Certificate = /etc/ssl/client1.example.com.crt
>   TLS Key = /etc/ssl/private/client1.example.com.key
> }
> 
> Does this configuration look correct?  Bacula doesn't complain about
> the configuration so I think it is OK.

Most of it.
I am concerned about the option "TLS Authenticate = yes" you are using.

Documentation states:
"Please notice a very important feature of enabling TLS Authenticate to
your daemons: if you enable the TLS authentication, the TLS encryption
will be turned off and communication between the daemons will be done
without Encryption."

So, make sure that this is what you want.
Here is the link to the documentation section for your Bacula version:

https://www.bacula.org/15.0.x-manuals/en/main/Bacula_TLS_Communications_E.html

> What I don't understand is how to create a working client certificate
> that Bacula will accept.

I have attached the PDF that could help you understand what is needed.
For example, for bacula-dir, you need three certificates:
- one server certificate for director resource
- one client certificate for storage resource
- one client certificate for client resource

For bacula-sd, you need two certificates:
- one server certificate for storage resource
- one server certificate for director resource

For bacula-fd, you need two certificates (they need to be created
for every single server you want to backup):
- one server certificate for director resource
- one client certificate for filedaemon resource

For bacula console, you need one certificate:
- one client certificate for director resource

Hope this helps.

> I have tried using both easyrsa and ssl-admin to create certificates.

I used openssl when I started to use that feature.
I also used EJBCA.
It doesn't matter what tool was used to create the certificates as
long as they are created using the correct parameters.

> I have followed Dan Langille's advice on this page
> https://dan.langille.org/2019/11/29/ssl-client-vs-server-certificates-and-bacula-fd/
> But, this does not seem to work any more (using ssl-admin and
> creating a client certificate using option 4 results in
> 'ERR=26:unsuitable certificate purpose')

I didn't try his procedure nor the tool he was using but I guess it works
as long as the parameters for the certificates are set as I described.

> Any advice would be most welcome.

Using this Bacula feature is quite confusing without the scheme I have
attached.
It is very easy to make a mistake.

In the past it took me hours to add a few servers to backup.
I have automated the procedure using Ansible and now it takes a few seconds.
Unfortunately this procedure wouldn't help you because it is customized
for the environment in the company I currently work for.

If you get stuck and are not able to make it work, I could find the
manual procedures I used in the past (using openssl).


Regards!

-- 
Josip Deanovic

Attachment: bacula_tls_scheme.pdf
Description: Adobe PDF document
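As an added example (not from the thread or the Bacula project), the following script issues a server and a client certificate from a private CA with the matching extendedKeyUsage and then runs the purpose check OpenSSL applies during the handshake; a certificate used for the wrong purpose fails that check with the same "error 26 ... unsupported certificate purpose" seen above. It assumes the openssl CLI is installed; the CA name, file names and scratch directory are constructed, with the leaf names taken from the quoted configs.

```shell
#!/bin/sh
# Added example: issue "server" and "client" leaf certs from a constructed
# private CA, then verify each for the purpose its Bacula resource needs.
# Assumes the openssl CLI is present; all names and paths are hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config so req works without a system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Private CA (hypothetical name "example-ca")
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 3650 -subj "/CN=example-ca" -keyout example-ca.key -out example-ca.crt \
  >/dev/null 2>&1

# issue <name> <server|client>: sign a leaf cert whose EKU matches the role
issue() {
  name="$1"
  case "$2" in
    server) eku=serverAuth ;;
    client) eku=clientAuth ;;
    *) echo "purpose must be server or client" >&2; return 1 ;;
  esac
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
    "$eku" "$name" > "$name.ext"
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$name.csr" -CA example-ca.crt -CAkey example-ca.key \
    -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

# check <cert> <server|client>: exit 0 if the cert is valid for that purpose.
# A mismatch reports "error 26 ... unsupported certificate purpose" (hidden here).
check() {
  openssl verify -CAfile example-ca.crt -purpose "ssl$2" "$1" >/dev/null 2>&1
}

# Per the table above: the FD's Director resource is a TLS server (server cert);
# the Director's Client resource connecting to it is a TLS client (client cert).
issue client1.example.com server
issue bacdir.example.com client
```

Run `check bacdir.example.com.crt server` after the script to see the purpose failure for yourself, then swap the second argument to `client` to see it pass.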

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
