Thanks to everyone who replied to my emails.
The problem was that I had not read the instructions correctly and assumed I knew what needed to be done. Thanks particularly to Josip for his detailed explanation of the required configuration. I have now correctly configured the certificates and have all of the TLS connections working correctly:

Console -> Director
Director -> Clients
Clients -> Storage
Director -> Storage

Regards,
Richard

On Sat, 07 Jun 2025 00:29:56 +0200
Josip Deanovic <djosip+n...@linuxpages.net> wrote:

> On Friday, June 6, 2025 5:27:05 PM CEST Richard Laysell wrote:
> > On Fri, 06 Jun 2025 02:14:57 +0200
> > Josip Deanovic via Bacula-users <bacula-users@lists.sourceforge.net>
> > wrote:
> > > What is your goal?
> > > Do you want to encrypt only the authentication or would you like
> > > to encrypt the complete communication between Bacula components?
> >
> > The complete communication
>
> Ok. In that case you have to remove the "TLS authentication" option
> but I can see that you are now aware of this.
>
> > > That means that you are using the certificate with the wrong purpose.
> > > For example, you have created a server certificate and you are
> > > trying to use it for a purpose where a client certificate is
> > > expected, or vice versa.
> >
> > This is the problem. I AM creating a client certificate for the
> > client and a server certificate for the server, but Bacula refuses
> > to accept the client certificate.
>
> Are you using the correct CA certificate in the file specified by the
> "TLS CA Certificate File" option?
>
> In my case, I am using a Root CA and an Intermediate Backup CA.
> It is not necessary to have a dedicated intermediate CA, but if you do,
> both CA certificates should be added to the CA Certificate File.
>
> > I can see it is a client certificate by running the following
> > command and getting the following output.
>
> I just looked into your original message where you have pasted part
> of the bacula-dir and bacula-fd configurations.
>
> In the bacula-dir configuration for the Client resource, you have
> used the line "TLS Certificate = /opt/bacula/ssl/bacdir.example.com.crt".
>
> This one should have the purpose of a Client certificate (this is a client
> certificate).
>
> Then, in the bacula-fd configuration for the Director resource, you
> have used the line "TLS Certificate = /etc/ssl/client1.example.com.crt".
>
> This one should have the purpose of a Server certificate (this is a server
> certificate).
>
> Can you confirm that you correctly used those certificates?
> I am asking because the name of the file looks like it might be a
> client certificate.
>
> It is easy to get confused. I am using this naming scheme to avoid
> confusion:
>
> # Bacula director
> dir-director-server_bkpsrv.bkp.yourdomain.internal.crt
> dir-director-server_bkpsrv.bkp.yourdomain.internal.csr
> dir-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
> dir-director-server_bkpsrv.bkp.yourdomain.internal.key
>
> dir-client-client_bkpsrv.bkp.yourdomain.internal.crt
> dir-client-client_bkpsrv.bkp.yourdomain.internal.csr
> dir-client-client_bkpsrv.bkp.yourdomain.internal.key
>
> dir-storage-client_bkpsrv.bkp.yourdomain.internal.crt
> dir-storage-client_bkpsrv.bkp.yourdomain.internal.csr
> dir-storage-client_bkpsrv.bkp.yourdomain.internal.key
>
>
> # Bacula storage daemon
> sd-director-server_bkpsrv.bkp.yourdomain.internal.crt
> sd-director-server_bkpsrv.bkp.yourdomain.internal.csr
> sd-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
> sd-director-server_bkpsrv.bkp.yourdomain.internal.key
>
> sd-storage-server_bkpsrv.bkp.yourdomain.internal.crt
> sd-storage-server_bkpsrv.bkp.yourdomain.internal.csr
> sd-storage-server_bkpsrv.bkp.yourdomain.internal_dh.key
> sd-storage-server_bkpsrv.bkp.yourdomain.internal
>
>
> # Bacula file daemon for backup server named bkpsrv
> fd-director-server_bkpsrv.bkp.yourdomain.internal.crt
> fd-director-server_bkpsrv.bkp.yourdomain.internal.csr
> fd-director-server_bkpsrv.bkp.yourdomain.internal_dh.key
> fd-director-server_bkpsrv.bkp.yourdomain.internal.key
>
> fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.crt
> fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.csr
> fd-filedaemon-client_bkpsrv.bkp.yourdomain.internal.key
>
>
> # Bacula file daemon for some other server named othersrv
> fd-director-server_othersrv.bkp.yourdomain.internal.crt
> fd-director-server_othersrv.bkp.yourdomain.internal.csr
> fd-director-server_othersrv.bkp.yourdomain.internal_dh.key
> fd-director-server_othersrv.bkp.yourdomain.internal.key
>
> fd-filedaemon-client_othersrv.bkp.yourdomain.internal.crt
> fd-filedaemon-client_othersrv.bkp.yourdomain.internal.csr
> fd-filedaemon-client_othersrv.bkp.yourdomain.internal.key
>
>
> # Bacula console
> bconsole-director-client_bkpsrv.bkp.yourdomain.internal.crt
> bconsole-director-client_bkpsrv.bkp.yourdomain.internal.csr
> bconsole-director-client_bkpsrv.bkp.yourdomain.internal.key
>
>
> > $ openssl x509 -in client1.example.com.crt -purpose -noout
> > Certificate purposes:
> > SSL client : Yes
> > SSL client CA : No
> > SSL server : No
> > SSL server CA : No
> > Netscape SSL server : No
> > Netscape SSL server CA : No
> > S/MIME signing : No
> > S/MIME signing CA : No
> > S/MIME encryption : No
> > S/MIME encryption CA : No
> > CRL signing : No
> > CRL signing CA : No
> > Any Purpose : Yes
> > Any Purpose CA : Yes
> > OCSP helper : Yes
> > OCSP helper CA : No
> > Time Stamp signing : No
> > Time Stamp signing CA : No
>
> Ah, that's the problem.
> If you look into the PDF file I attached in my previous message,
> you will see that in the Bacula file daemon configuration, the
> Director resource should use a server certificate while the Filedaemon
> resource should use a client certificate.
>
> In the Bacula director configuration, the Client resource should use
> a server certificate.
>
> Please, look at the PDF document from my last post.
> It should clarify things.
>
> > Still, Bacula does not accept this certificate and says:
> > ERR=26:unsuitable certificate purpose
>
> It would seem that Bacula was right. :-)
>
> > So there is something else wrong with this certificate - but I don't
> > understand what. Do I need to add other purposes (S/MIME signing
> > etc) or to remove other purposes? There are so many options and I
> > have
>
> No, but I don't think it would create an issue.
>
> > tried working through them and in doing so have generated about 30
> > different certificates but I have not managed to find one that will
> > work. It would be good if this was documented somewhere - a clear
> > description of the purposes which are required or forbidden.
>
> I know it's frustrating but failure is not an option. :-)
>
> You are close. You have the correct configuration and you can check
> the configuration for other daemons and resources in the PDF document
> I attached in my previous post.
> The only problem seems to be the wrong type of certificate you are
> using. When I say wrong type, I mean the server vs client purpose of the
> certificate.
>
> > > If you get stuck and will not be able to make it work, I could find the
> > > manual procedures I used in the past (using openssl).
> >
> > Yes, please let me know how you were creating the certificates using
> > openssl. I have tried creating a CSR using openssl and then signing
> > that using easyrsa or ssl-admin but had the same problems.
>
> Now that we have detected the source of the problem, do you still need
> this openssl procedure?
> I am asking because it would take some time for me to compile the list of
> commands and I would like to avoid it, but if you need it, I'll do it.
>
> > If you have an existing client certificate which works, please could
> > you run the following command to see which purposes it has and does
> > not have.
> > $ openssl x509 -in <path to cert> -purpose -noout
>
> Sure.
>
> Here is the output for the certificate used in the bacula-dir
> configuration for the Client resource:
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : No
> SSL server CA : No
> Netscape SSL server : No
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
> Time Stamp signing : No
> Time Stamp signing CA : No
>
> This is the output for the certificate used in the bacula-fd
> configuration for the Director resource:
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
> Time Stamp signing : No
> Time Stamp signing CA : No
>
>
> I hope this helps.
>
>
> Regards!

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
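An added check, not from the thread and not part of Bacula: a small Python script that maps each Bacula daemon/resource pair to the certificate purpose implied by Josip's naming scheme (resources that accept connections need "SSL server", resources that initiate connections need "SSL client"; that table is my reading of the scheme, not Bacula documentation) and verifies pasted `openssl x509 -purpose -noout` output against it. The sample outputs are constructed from the two pasted above, trimmed to the SSL lines.

```python
import re

# Expected purpose per (daemon, resource), read from the naming scheme in the
# thread (e.g. fd-director-server, fd-filedaemon-client). Assumed mapping:
# a resource that listens for a connection needs a server certificate, a
# resource that opens a connection needs a client certificate.
EXPECTED_PURPOSE = {
    ("bacula-dir", "Director"): "SSL server",
    ("bacula-dir", "Client"): "SSL client",
    ("bacula-dir", "Storage"): "SSL client",
    ("bacula-sd", "Director"): "SSL server",
    ("bacula-sd", "Storage"): "SSL server",
    ("bacula-fd", "Director"): "SSL server",
    ("bacula-fd", "FileDaemon"): "SSL client",
    ("bconsole", "Director"): "SSL client",
}

def parse_purposes(openssl_output):
    """Turn `openssl x509 -purpose -noout` text into {purpose: True/False}."""
    purposes = {}
    for line in openssl_output.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(Yes|No)\s*$", line)
        if m:
            purposes[m.group(1)] = m.group(2) == "Yes"
    return purposes

def check_certificate(daemon, resource, openssl_output):
    """Return (ok, message) for the certificate assigned to one resource."""
    expected = EXPECTED_PURPOSE[(daemon, resource)]
    purposes = parse_purposes(openssl_output)
    if purposes.get(expected, False):
        return True, f"{daemon}/{resource}: OK, certificate has '{expected}'"
    present = [p for p, yes in purposes.items() if yes and p.startswith("SSL")]
    return False, (f"{daemon}/{resource}: needs '{expected}' but certificate has "
                   f"{present or 'no SSL purpose'}; Bacula would reject it with "
                   "ERR=26:unsuitable certificate purpose")

# Constructed samples, trimmed from the two outputs pasted in the thread.
CLIENT_CERT = ("Certificate purposes:\nSSL client : Yes\nSSL client CA : No\n"
               "SSL server : No\nSSL server CA : No\nAny Purpose : Yes\n")
SERVER_CERT = ("Certificate purposes:\nSSL client : No\nSSL client CA : No\n"
               "SSL server : Yes\nSSL server CA : No\nAny Purpose : Yes\n")

if __name__ == "__main__":
    # Two correct placements, then the mistake discussed in the thread:
    # a client certificate in the file daemon's Director resource.
    for case in [("bacula-dir", "Client", CLIENT_CERT),
                 ("bacula-fd", "Director", SERVER_CERT),
                 ("bacula-fd", "Director", CLIENT_CERT)]:
        print(check_certificate(*case)[1])
```

To check a real file, feed it the output of `openssl x509 -in <path to cert> -purpose -noout` for the certificate named in each resource's "TLS Certificate" line.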