On Friday, June 6, 2025 5:27:05 PM CEST Richard Laysell wrote:
> On Fri, 06 Jun 2025 02:14:57 +0200
> Josip Deanovic via Bacula-users <bacula-users@lists.sourceforge.net>
> wrote:
> > What is your goal?
> > Do you want to encrypt only the authentication or would you like
> > to encrypt the complete communication between Bacula components?
>
> The complete communication

Ok. In that case you have to remove the "TLS authentication" option,
but I can see that you are now aware of this.

> > That means that you are using the certificate with the wrong purpose.
> > For example, you have created a server certificate and you are trying
> > to use it for the purpose where a client certificate is expected, or
> > vice versa.
>
> This is the problem. I AM creating a client certificate for the client
> and a server certificate for the server, but Bacula refuses to accept
> the client certificate.

Are you using the correct CA certificate in the file specified by the
"TLS CA Certificate File" option?

In my case, I am using a Root CA and an Intermediate Backup CA. It is
not necessary to have a dedicated intermediate CA, but if you do, both
CA certificates should be added to the CA Certificate File.

> I can see it is a client certificate by running the following command
> and getting the following output.

I just looked into your original message where you have pasted part of
the bacula-dir and bacula-fd configurations.

In the bacula-dir configuration for the Client resource, you have used
the line "TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt".
This one should have the purpose of Client certificate (this is a
client certificate).

Then, in the bacula-fd configuration for the Director resource, you
have used the line "TLS Certificate = /etc/ssl/client1.example.com.crt".
This one should have the purpose of Server certificate (this is a
server certificate).

Can you confirm that you correctly used those certificates? I am asking
because the name of the file looks like it might be a client
certificate. It is easy to get confused.

I am using this naming scheme to avoid confusion:

# Bacula director
dir-director-server_bkpsrv.bkp.yourdomain.internal.crt
dir-director-server_bkpsrv.bkp.yourdomain.internal.csr
dir-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
dir-director-server_bkpsrv.bkp.yourdomain.internal.key
dir-client-client_bkpsrv.bkp.yourdomain.internal.crt
dir-client-client_bkpsrv.bkp.yourdomain.internal.csr
dir-client-client_bkpsrv.bkp.yourdomain.internal.key
dir-storage-client_bkpsrv.bkp.yourdomain.internal.crt
dir-storage-client_bkpsrv.bkp.yourdomain.internal.csr
dir-storage-client_bkpsrv.bkp.yourdomain.internal.key

# Bacula storage daemon
sd-director-server_bkpsrv.bkp.yourdomain.internal.crt
sd-director-server_bkpsrv.bkp.yourdomain.internal.csr
sd-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
sd-director-server_bkpsrv.bkp.yourdomain.internal.key
sd-storage-server_bkpsrv.bkp.yourdomain.internal.crt
sd-storage-server_bkpsrv.bkp.yourdomain.internal.csr
sd-storage-server_bkpsrv.bkp.yourdomain.internal_dh.key
sd-storage-server_bkpsrv.bkp.yourdomain.internal

# Bacula file daemon for backup server named bkpsrv
fd-director-server_bkpsrv.bkp.yourdomain.internal.crt
fd-director-server_bkpsrv.bkp.yourdomain.internal.csr
fd-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
fd-director-server_bkpsrv.bkp.yourdomain.internal.key
fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.crt
fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.csr
fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.key

# Bacula file daemon for some other server named othersrv
fd-director-server_othersrv.bkp.yourdomain.internal.crt
fd-director-server_othersrv.bkp.yourdomain.internal.csr
fd-director-server_othersrv.bkp.yourdomain.internal_dh.key
fd-director-server_othersrv.bkp.yourdomain.internal.key
fd-filedaemon-client_othersrv.bkp.yourdomain.internal.crt
fd-filedaemon-client_othersrv.bkp.yourdomain.internal.csr
fd-filedaemon-client_othersrv.bkp.yourdomain.internal.key

# Bacula console
bconsole-director-client_bkpsrv.bkp.yourdomain.internal.crt
bconsole-director-client_bkpsrv.bkp.yourdomain.internal.csr
bconsole-director-client_bkpsrv.bkp.yourdomain.internal.key

> $ openssl x509 -in client1.example.com.crt -purpose -noout
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : No
> SSL server CA : No
> Netscape SSL server : No
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
> Time Stamp signing : No
> Time Stamp signing CA : No

Ah, that's the problem.

If you look into the PDF file I have attached in my previous message,
you will see that in the Bacula file daemon configuration, the Director
resource should use a server certificate while the Filedaemon resource
should use a client certificate.

In the Bacula director configuration, the Client resource should use a
server certificate.

Please, look at the PDF document from my last post. It should clarify
things.

> Still, Bacula does not accept this certificate and says:
> ERR=26:unsuitable certificate purpose

It would seem that Bacula was right. :-)

> So there is something else wrong with this certificate - but I don't
> understand what. Do I need to add other purposes (S/MIME signing etc)
> or to remove other purposes? There are so many options and I have

No, but I don't think it would create an issue.

> tried working through them and in doing so have generated about 30
> different certificates but I have not managed to find one that will
> work. It would be good if this was documented somewhere - a clear
> description of the purposes which are required or forbidden.

I know it's frustrating, but failure is not an option. :-)

You are close.

You have the correct configuration, and you can check the configuration
for other daemons and resources in the PDF document I have attached in
my previous post. The only problem seems to be the wrong type of
certificate you are using. When I say wrong type, I mean server vs.
client purpose of the certificate.

> > If you get stuck and will not be able to make it work, I could find
> > the manual procedures I used in the past (using openssl).
>
> Yes, please let me know how you were creating the certificates using
> openssl. I have tried creating a CSR using openssl and then signing
> that using easyrsa or ssl-admin but had the same problems.

Now that we have detected the source of the problem, do you still need
this openssl procedure? I am asking because it would take some time for
me to compile the list of commands and I would like to avoid it, but if
you need it, I'll do it.

> If you have an existing client certificate which works, please could
> you run the following command to see which purposes it has and does not
> have.
> $ openssl x509 -in <path to cert> -purpose -noout

Sure.

Here is the output for the certificate used in the bacula-dir
configuration for the Client resource:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

This is the output for the certificate used in the bacula-fd
configuration for the Director resource:

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

I hope this helps.

Regards!

-- 
Josip Deanovic

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users