>>>>> On Thu, 5 Jun 2025 17:01:46 +0100, Richard Laysell said:
>
> Hello,
>
> I'm running Bacula 15.0.3 on Linux x64.
>
> I'm trying to get TLS working between director and client.  I have
> created my own CA and have created certificates for the director and
> client.  However, the client certificate is always rejected by Bacula
> with either
>
> ERR=26:unsuitable certificate purpose
>
> or
>
> ERR=error:0A000413:SSL routines::sslv3 alert unsupported certificate
>
> Here is my client configuration for the Director
> Client
> {
>   Name = client1-fd
>   Address = client1.example.com
>   FDPort = 9102
>   Catalog = MyCatalog
>   Password = "mypassword"
>   Maximum Concurrent Jobs = 20
>   File Retention = 12 months
>   Job Retention = 12 months
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Authenticate = yes
>   TLS CA Certificate File = /opt/bacula/ssl/example-ca.crt
>   TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt
>   TLS Key = /opt/bacula/ssl/bacdir.example.com.key
> }
>
> Here is my file daemon configuration for the client
> Director {
>   Name = bacdir-dir
>   Password = "mypassword"
>   Address = bacdir.example.com
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = yes
>   TLS Authenticate = yes
>   TLS Allowed CN = client1.example.com
>   TLS CA Certificate File = /etc/ssl/example-ca.crt
>   TLS Certificate = /etc/ssl/client1.example.com.crt
>   TLS Key = /etc/ssl/private/client1.example.com.key
> }
>
> Does this configuration look correct?  Bacula doesn't complain about
> the configuration so I think it is OK.
>
> What I don't understand is how to create a working client certificate
> that Bacula will accept.

I might be wrong, but are you getting confused about server vs. client
because you think the Director is a server and the file daemon is a client?

The documentation says:

"This document will refer to both "server" and "client" contexts. These terms
refer to the accepting and initiating peer, respectively."

The Director initiates a connection and the file daemon accepts it, so I
suspect the client configuration for the Director needs a client certificate
and the file daemon configuration for the client needs a server certificate.

__Martin
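
Added example (not part of either message above and not Bacula's own tooling): a shell script that builds a throwaway CA with openssl and shows how the Extended Key Usage value decides whether a certificate passes the TLS client or TLS server purpose check, one way a certificate ends up rejected with "unsuitable certificate purpose". It assumes the reading in the reply that the Director is the initiating peer; the CA name, config file and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and keys in a temp dir; all names are hypothetical.
set -eu

write_cfg() {      # $1 = work dir; own config so the system openssl.cnf is not needed
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_ca() {        # $1 = work dir
    write_cfg "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {     # $1 = work dir, $2 = CN, $3 = EKU (clientAuth or serverAuth)
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

check_purpose() {  # $1 = work dir, $2 = CN, $3 = sslclient or sslserver
    if openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
    then echo "$2 $3 ok"; else echo "$2 $3 rejected"; fi
}

purpose_matrix() { # prints one line per certificate/purpose combination
    d=$(mktemp -d)
    make_ca "$d"
    issue_cert "$d" bacdir.example.com clientAuth     # Director: initiating peer
    issue_cert "$d" client1.example.com serverAuth    # file daemon: accepting peer
    for cn in bacdir.example.com client1.example.com; do
        for p in sslclient sslserver; do check_purpose "$d" "$cn" "$p"; done
    done
    rm -rf "$d"
}

purpose_matrix
```

A certificate issued with `extendedKeyUsage=clientAuth,serverAuth` passes both purpose checks.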