>>>>> On Thu, 5 Jun 2025 17:01:46 +0100, Richard Laysell said:
>
> Hello,
>
> I'm running Bacula 15.0.3 on Linux x64.
>
> I'm trying to get TLS working between director and client. I have
> created my own CA and have created certificates for the director and
> client. However, the client certificate is always rejected by Bacula
> with either
>
> ERR=26:unsuitable certificate purpose
>
> or
>
> ERR=error:0A000413:SSL routines::sslv3 alert unsupported certificate
>
> Here is my client configuration for the Director
> Client
> {
> Name = client1-fd
> Address = client1.example.com
> FDPort = 9102
> Catalog = MyCatalog
> Password = "mypassword"
> Maximum Concurrent Jobs = 20
> File Retention = 12 months
> Job Retention = 12 months
> TLS Enable = yes
> TLS Require = yes
> TLS Authenticate = yes
> TLS CA Certificate File = /opt/bacula/ssl/example-ca.crt
> TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt
> TLS Key = /opt/bacula/ssl/bacdir.example.com.key
> }
>
> Here is my file daemon configuration for the client
> Director {
> Name = bacdir-dir
> Password = "mypassword"
> Address = bacdir.example.com
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = yes
> TLS Authenticate = yes
> TLS Allowed CN = client1.example.com
> TLS CA Certificate File = /etc/ssl/example-ca.crt
> TLS Certificate = /etc/ssl/client1.example.com.crt
> TLS Key = /etc/ssl/private/client1.example.com.key
> }
>
> Does this configuration look correct? Bacula doesn't complain about
> the configuration so I think it is OK.
>
> What I don't understand is how to create a working client certificate
> that Bacula will accept.

I might be wrong, but are you getting confused about server vs. client
because you think the Director is a server and the file daemon is a client?

The documentation says:

"This document will refer to both "server" and "client" contexts. These terms
refer to the accepting and initiating peer, respectively."

The Director initiates a connection and the file daemon accepts it, so I
suspect the client configuration for the Director needs a client certificate
and the file daemon configuration for the client needs a server certificate.

__Martin
_______________________________________________
Bacula-users mailing list
https://lists.sourceforge.net/lists/listinfo/bacula-users
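
The certificate split suggested in the reply, as an added example that is not part of the original thread: a throwaway CA issues a clientAuth certificate for the Director and a serverAuth certificate for the file daemon, and OpenSSL's purpose check (the check behind verification error 26) is run against each. It assumes the `openssl` command-line tool and that the CA sets extendedKeyUsage on what it issues; the CA name and temporary paths are constructed, and the host names are the ones from the thread.

```shell
#!/usr/bin/env bash
# Added example: throwaway CA and certificates, constructed for illustration.
# Host names are the ones used in the thread; nothing here is a real key.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed CA certificate, valid for one day.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue CN EKU: sign a leaf certificate whose extendedKeyUsage is EKU.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check CN PURPOSE: succeed only if the chain verifies for that purpose
# (sslclient = initiating peer, sslserver = accepting peer).
check() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue bacdir.example.com clientAuth    # Director initiates: client certificate
issue client1.example.com serverAuth   # file daemon accepts: server certificate

for cn in bacdir.example.com client1.example.com; do
  for purpose in sslclient sslserver; do
    if check "$cn" "$purpose"; then result=accepted; else result=rejected; fi
    printf '%-22s %-10s %s\n' "$cn" "$purpose" "$result"
  done
done
```

Running the same `openssl verify -purpose` command against existing certificates shows which role each one can fill before Bacula is restarted.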