Just a help message in case someone else tries and fails ...

I've made a test with a new dedicated CA, and everything was working quite fine. When I activated the last configuration option

    TLS Certification Revocation List = /etc/bareos/tls/crl.pem

I'm getting a connection error. A message like this is shown by bconsole (bconsole output attachment).

Quite hard to understand why it is failing :-)

Playing with openssl, you will discover that error 3 occurs when the CRL is not included with the CA file.

    openssl verify -verbose -issuer_checks -crl_check_all -CAfile /etc/bareos/tls/ca.pem /etc/bareos/tls/earth.pem
    /etc/bareos/tls/earth.pem: C = CH, ST = Jura, L = Charmoille, O = Bareos by Ioda-Net Sarl, OU = Training, CN = earth.bareos.local, emailAddress = [email protected]
    error 29 at 0 depth lookup:subject issuer mismatch
    C = CH, ST = Jura, L = Charmoille, O = Bareos by Ioda-Net Sarl, OU = Training, CN = earth.bareos.local, emailAddress = [email protected]
    error 29 at 0 depth lookup:subject issuer mismatch
    C = CH, ST = Jura, L = Charmoille, O = Bareos by Ioda-Net Sarl, OU = Training, CN = earth.bareos.local, emailAddress = [email protected]
    error 29 at 0 depth lookup:subject issuer mismatch
    C = CH, ST = Jura, L = Charmoille, O = Bareos by Ioda-Net Sarl, OU = Training, CN = earth.bareos.local, emailAddress = [email protected]
    error 3 at 0 depth lookup:unable to get certificate CRL

The last line is the one we want to resolve (error 29 dates from 2003 in openssl :-)
http://openssl.6102.n7.nabble.com/Subject-Issuer-Mismatch-Bug-tp26076p26086.html

If you bundle your ca.pem with your crl.pem, then the check will work:

    openssl verify -verbose -issuer_checks -crl_check_all -CAfile /etc/bareos/tls/ca.pem /etc/bareos/tls/earth.pem
    /etc/bareos/tls/earth.pem: C = CH, ST = Jura, L = Charmoille, O = Bareos by Ioda-Net Sarl, OU = Training, CN = earth.bareos.local, emailAddress = [email protected]
    [snip error 29]
    OK

Then of course the rest of your bareos will work.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

openSUSE Tumbleweed (20160810) (x86_64) Linux 4.6.4-2-default x86_64 GNU/Linux, nvidia: 367.35
Qt: 5.6.1, KDE Frameworks: 5.24.0, Plasma: 5.7.2, kmail2 5.2.3
bconsole -d 100
Connecting to Director earth.bareos.local:9101
bconsole (100): bsock_tcp.c:230-0 Current host[ipv4;10.10.10.100;9101] All host[ipv4;10.10.10.100;9101]
bconsole (100): bsock_tcp.c:153-0 who=Director daemon host=earth.bareos.local port=9101
bconsole (100): cram-md5.c:123-0 cram-get received: auth cram-md5 <1427539469.1471012921@earth-dir> ssl=2
bconsole (99): cram-md5.c:143-0 sending resp to challenge: W89mP+Y6Dy+/o4+a49/rPD
bconsole (50): cram-md5.c:75-0 send: auth cram-md5 <1878979685.1471012921@bconsole> ssl=2
bconsole (50): cram-md5.c:94-0 Authenticate OK GD+dfD++U5+9f5/iaG/0aD
12-aoû 16:42 bconsole JobId 0: Error: tls_openssl.c:354 Error with certificate at depth: 0, issuer = /C=CH/ST=Jura/L=Charmoille/O=Bareos by Ioda-Net Sarl/OU=Training/CN=bareos.local/[email protected], subject = /C=CH/ST=Jura/L=Charmoille/O=Bareos by Ioda-Net Sarl/OU=Training/CN=earth.bareos.local/[email protected], ERR=3:unable to get certificate CRL
bconsole (50): crypto_openssl.c:1485-0 jcr=0 Connect failure: ERR=error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Authorization problem with Director at "earth.bareos.local:9101"
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
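
The behaviour described in the message above can be reproduced offline with a throwaway CA. This is an added example, not part of the original post: the function name `crl_bundle_demo`, the subjects `demo-ca.example` and `host.example`, and all file names are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
# Constructed test data only: a throwaway CA, one host certificate and an
# empty CRL in a temp directory (not the poster's /etc/bareos/tls files).
crl_bundle_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
default_md = sha256
default_crl_days = 30
EOF
    (
        cd "$d" || exit 1
        : > index.txt   # empty CA database: nothing has been revoked
        # Self-signed CA, then a host certificate signed by it.
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=demo-ca.example" -keyout ca.key -out ca.pem || exit 1
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=host.example" -keyout host.key -out host.csr || exit 1
        openssl x509 -req -in host.csr -CA ca.pem -CAkey ca.key \
            -set_serial 2 -days 30 -out host.pem || exit 1
        # CRL issued by the same CA.
        openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem \
            -out crl.pem || exit 1
    ) >/dev/null 2>&1 || { rm -rf "$d"; return 1; }

    # 1) CA certificate alone: CRL checking is requested but no CRL is found.
    r1=other
    openssl verify -crl_check_all -CAfile "$d/ca.pem" "$d/host.pem" 2>&1 |
        grep -q "unable to get certificate CRL" && r1=error3
    # 2) CA certificate and CRL concatenated into one PEM file.
    r2=FAIL
    cat "$d/ca.pem" "$d/crl.pem" > "$d/bundle.pem"
    openssl verify -crl_check_all -CAfile "$d/bundle.pem" "$d/host.pem" \
        >/dev/null 2>&1 && r2=OK
    rm -rf "$d"
    echo "ca-only=$r1 bundle=$r2"
}
crl_bundle_demo
```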
