Hi list, I tried to set up TLS for a while now. I am still clueless.
I have:

  Ubuntu 16.04.3 LTS server
  Ubuntu 14.04.5 LTS client
  bareos-dir Version: 16.2.4 and 17.2.3

I set up a CA with those scripts coming with Ubuntu.

  export OPENSSL_CONF=/root/myCA/openssl.cnf
  /usr/lib/ssl/misc/CA.pl -newca

In openssl.conf I changed countryName, commonName and so on accordingly. Rest is more or less default.

  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

I tried other usages as well.

  digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly, clientAuth

Then I used a different client.cnf for the certs and keys. In that the commonName is the FQDN of the client and

  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly

  export OPENSSL_CONF=/root/myCA/client.cnf
  /usr/lib/ssl/misc/CA.pl -newreq

But not for signing:

  export OPENSSL_CONF=/root/myCA/openssl.cnf
  /usr/lib/ssl/misc/CA.pl -sign
  cat newkey.pem newcert.pem > test-bareos-server.pem

Removed the password:

  openssl rsa -in test-bareos-server.pem -out test-bareos-server.pem

So now I got a pem file for the server itself and a root certificate. I put this in all the configuration files involved:

  TLS Certificate = /etc/bareos/certs/test-bareos-server.pem
  TLS Key = /etc/bareos/certs/test-bareos-server.pem
  TLS CA Certificate File = /etc/bareos/certs/cacert.pem
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = no

I repeated the above requesting and signing for a "real" client and again the TLS options in fd.conf. Now with client.pem of course. That didn't work.

I did the whole CA, req, sign again by hand so to say.

Setting up CA:

  mkdir /root/myCA

Change of IP, FQDN of the server:

  nano openssl.cnf
  export OPENSSL_CONF=/root/myCA/caconfig.cnf
  openssl genrsa -out rootCA.key 2048
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Next a client with its IP and FQDN in caconfig.cnf.

  openssl req -newkey rsa:4096 -subj /<IP> -config <(cat ~/myCA/caconfig.cnf) -nodes -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA newroot.pem -CAkey ~/myCA/private/cakey.pem -CAcreateserial -out client.crt -days 3650

I put them together to one pem and copied it on the client. Still nothing. I even tried tinyCA and Xca.

The errors are:

client (started with debug level of 200):

  authenticate.c:74-0 Unable to authenticate Director test-bareos-dir.

Server:

  19-Oct 17:15 test-bareos-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "client-fd:9102". Possible causes: Passwords or names not the same or TLS negotiation failed or Maximum Concurrent Jobs exceeded on the FD or FD networking messed up (restart daemon).

Whatever I do I always end up with these errors. Daemons are running, telnet or running jobs without TLS all OK.

Anyone using TLS and has some hints?

Thank you,
Oliver
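Added here as a diagnostic, not from Oliver's post or the Bareos project: a POSIX shell check of the three things the TLS options above point at (a key+cert bundle, the CA certificate file, and the FQDN the peer will look for), which is where such "Unable to authenticate" failures usually come from (the cacert.pem vs newroot.pem mix-up, a key that does not match the cert, a still-encrypted key). It needs only the openssl CLI; the file names and the demo CA name are assumptions, and make_demo_pki builds a throw-away constructed PKI so the check can be tried offline.

```shell
#!/bin/sh
# Added diagnostic (not from the post or the Bareos project): sanity-check the files
# that TLS Certificate / TLS Key / TLS CA Certificate File point at, before blaming
# the daemons. Needs only the openssl CLI. Usage: check_tls_bundle CA BUNDLE FQDN
check_tls_bundle() {
    ca=$1; bundle=$2; fqdn=$3; rc=0
    # 1. bundle layout as in the post: one unencrypted key plus one certificate
    [ "$(grep -c 'BEGIN CERTIFICATE' "$bundle")" -eq 1 ] || { echo "bundle: expected exactly one certificate"; rc=1; }
    grep -q 'ENCRYPTED' "$bundle" && { echo "bundle: key still password protected (daemons cannot prompt)"; rc=1; }
    # 2. key and certificate must carry the same public key (-passin avoids hanging on a prompt)
    kpub=$(openssl pkey -in "$bundle" -passin pass: -pubout 2>/dev/null | openssl dgst -sha256)
    cpub=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "bundle: private key does not match certificate"; rc=1; }
    # 3. cert must chain to the CA file the daemons are given (catches cacert.pem vs newroot.pem mix-ups)
    openssl x509 -in "$bundle" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "chain: certificate in $bundle is not signed by $ca"; rc=1; }
    # 4. the name the peer will check must appear in the subject or SAN
    openssl x509 -in "$bundle" -noout -text 2>/dev/null | grep -q "$fqdn" \
        || { echo "name: $fqdn not found in subject/SAN"; rc=1; }
    # 5. an end-entity certificate must not be a CA certificate
    openssl x509 -in "$bundle" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        && { echo "ext: end-entity certificate is marked CA:TRUE"; rc=1; }
    return $rc
}

# Constructed demo PKI (throw-away CA plus one client cert, not the poster's files) so the
# check can be exercised offline; layout mirrors the post: key and cert concatenated into one .pem.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Bareos CA" -days 30 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 30 -out "$d/client.crt" >/dev/null 2>&1
    cat "$d/client.key" "$d/client.crt" > "$d/client.pem"
    echo "$d"
}
```

Run it against the real files as check_tls_bundle /etc/bareos/certs/cacert.pem /etc/bareos/certs/client.pem client-fqdn on both director and client; every line it prints is a concrete reason the handshake can fail before passwords are even compared.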
