Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"

2021-01-30 Thread David Newman



On 1/23/21 5:46 PM, Dan Langille wrote:
> On Tue, Nov 10, 2020, at 2:11 PM, David Newman wrote:
>> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
>> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>>
>> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
>> backups run successfully but throw this warning:
>>
>> ERR=20:"unable to get local issuer certificate"
>>
>> This setup uses self-signed certificates and worked without errors or
>> warnings before this OS upgrade.
>>
>> There has been no bacula configuration change on either the client or
>> director. A diff of the client bacula-fd.conf file (excerpted below)
>> before and after the upgrade shows no change.
>>
>> I tried revoking the old client cert and generating a new one, but this
>> had no effect on the warning message.
>>
>> I also tried command-line "openssl s_client -connect" commands both
>> ways. Both connections worked on the respective ports 9101 and 9102.
>>
>> Besides the bacula client configuration -- which hasn't changed, aside
>> from pointing to new certs with the same filenames -- is there something
>> else that needs tweaking on the client?
>>
>> Many thanks.
>>
>> dn
>>
>> -
>>
>> client bacula-fd.conf
>>
>> Director {
>>   Name = nye-dir
>>  ..
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>   TLS Verify Peer = yes
>>
>>  # Allow only the Director to connect
>>   TLS Allowed CN = "backups.example.com"
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
>>
>> ..
>>
>> FileDaemon {
>>   Name = client-fd
>>   FDport = 9102  # where we listen for the director
>>   WorkingDirectory = /var/db/bacula
>>   Pid Directory = /var/run
>>   Maximum Concurrent Jobs = 20
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
> 
> Did you solve this one?

Sort of. The root cause is in OpenBSD 6.8's LibreSSL implementation. The
developers report it's fixed in -current but this is on a production
system, and I can wait for 6.9.

dn



___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"

2021-01-23 Thread Dan Langille
On Tue, Nov 10, 2020, at 2:11 PM, David Newman wrote:
> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
> 
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
> 
> ERR=20:"unable to get local issuer certificate"
> 
> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
> 
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
> 
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
> 
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
> 
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
> 
> Many thanks.
> 
> dn
> 
> -
> 
> client bacula-fd.conf
> 
> Director {
>   Name = nye-dir
>  ..
> 
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
> 
>  # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
> 
> }
> 
> ..
> 
> FileDaemon {
>   Name = client-fd
>   FDport = 9102  # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
> 
>   TLS Require = yes
>   TLS Enable = yes
> 
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
> 
> }

Did you solve this one?

-- 
  Dan Langille
  d...@langille.org




Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"

2020-11-11 Thread Josh Fisher



On 11/10/20 2:11 PM, David Newman wrote:

> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
>
> ERR=20:"unable to get local issuer certificate"

Perhaps a permissions issue? The bacula user doesn't have permissions to
open the certificate file for reading.

> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
>
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
>
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
>
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
>
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
>
> Many thanks.
>
> dn
>
> -
>
> client bacula-fd.conf
>
> Director {
>   Name = nye-dir
>  ..
>
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
>
>  # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
>
> ..
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102  # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
>
>   TLS Require = yes
>   TLS Enable = yes
>
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }





[Bacula-users] ERR=20:"unable to get local issuer certificate"

2020-11-10 Thread David Newman
Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs

After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
backups run successfully but throw this warning:

ERR=20:"unable to get local issuer certificate"

This setup uses self-signed certificates and worked without errors or
warnings before this OS upgrade.

There has been no bacula configuration change on either the client or
director. A diff of the client bacula-fd.conf file (excerpted below)
before and after the upgrade shows no change.

I tried revoking the old client cert and generating a new one, but this
had no effect on the warning message.

I also tried command-line "openssl s_client -connect" commands both
ways. Both connections worked on the respective ports 9101 and 9102.

Besides the bacula client configuration -- which hasn't changed, aside
from pointing to new certs with the same filenames -- is there something
else that needs tweaking on the client?

Many thanks.

dn

-

client bacula-fd.conf

Director {
  Name = nye-dir
 ..

  TLS Require = yes
  TLS Enable = yes
  TLS Verify Peer = yes

 # Allow only the Director to connect
  TLS Allowed CN = "backups.example.com"
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/client.pem
  TLS Key = /etc/bacula/client.key

}

..

FileDaemon {
  Name = client-fd
  FDport = 9102  # where we listen for the director
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20

  TLS Require = yes
  TLS Enable = yes

  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/client.pem
  TLS Key = /etc/bacula/client.key

}


