Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"
On 1/23/21 5:46 PM, Dan Langille wrote:
> On Tue, Nov 10, 2020, at 2:11 PM, David Newman wrote:
>> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
>> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>>
>> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
>> backups run successfully but throw this warning:
>>
>> ERR=20:"unable to get local issuer certificate"
>>
>> This setup uses self-signed certificates and worked without errors or
>> warnings before this OS upgrade.
>>
>> There has been no bacula configuration change on either the client or
>> director. A diff of the client bacula-fd.conf file (excerpted below)
>> before and after the upgrade shows no change.
>>
>> I tried revoking the old client cert and generating a new one, but this
>> had no effect on the warning message.
>>
>> I also tried command-line "openssl s_client -connect" commands both
>> ways. Both connections worked on the respective ports 9101 and 9102.
>>
>> Besides the bacula client configuration -- which hasn't changed, aside
>> from pointing to new certs with the same filenames -- is there something
>> else that needs tweaking on the client?
>>
>> Many thanks.
>>
>> dn
>>
>> -
>>
>> client bacula-fd.conf
>>
>> Director {
>>   Name = nye-dir
>>   ..
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>   TLS Verify Peer = yes
>>
>>   # Allow only the Director to connect
>>   TLS Allowed CN = "backups.example.com"
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
>>
>> ..
>>
>> FileDaemon {
>>   Name = client-fd
>>   FDport = 9102 # where we listen for the director
>>   WorkingDirectory = /var/db/bacula
>>   Pid Directory = /var/run
>>   Maximum Concurrent Jobs = 20
>>
>>   TLS Require = yes
>>   TLS Enable = yes
>>
>>   TLS CA Certificate File = /etc/bacula/cacert.pem
>>   TLS Certificate = /etc/bacula/client.pem
>>   TLS Key = /etc/bacula/client.key
>>
>> }
>
> Did you solve this one?

Sort of. The root cause is in OpenBSD 6.8's LibreSSL implementation. The developers report it's fixed in -current but this is on a production system, and I can wait for 6.9.

dn

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"
On Tue, Nov 10, 2020, at 2:11 PM, David Newman wrote:
> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
>
> ERR=20:"unable to get local issuer certificate"
>
> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
>
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
>
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
>
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
>
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
>
> Many thanks.
>
> dn
>
> -
>
> client bacula-fd.conf
>
> Director {
>   Name = nye-dir
>   ..
>
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
>
>   # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
>
> ..
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102 # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
>
>   TLS Require = yes
>   TLS Enable = yes
>
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }

Did you solve this one?

--
Dan Langille
d...@langille.org
Re: [Bacula-users] ERR=20:"unable to get local issuer certificate"
On 11/10/20 2:11 PM, David Newman wrote:
> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
>
> ERR=20:"unable to get local issuer certificate"

Perhaps a permissions issue? The bacula user doesn't have permissions to open the certificate file for reading.

> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
>
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
>
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
>
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
>
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
>
> Many thanks.
>
> dn
>
> -
>
> client bacula-fd.conf
>
> Director {
>   Name = nye-dir
>   ..
>
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
>
>   # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
>
> ..
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102 # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
>
>   TLS Require = yes
>   TLS Enable = yes
>
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
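
A way to check the two file-level causes that produce this message (a certificate file the daemon's account cannot read, and a CA file that does not contain the certificate's issuer), as an added example that is not part of any post in this thread. The function names and the throwaway certificates are constructed for the example; it does not reproduce the OpenBSD 6.8 LibreSSL behaviour discussed above.

```sh
#!/bin/sh
# Added example: classify a CA-file/certificate pair by the verify result.
# All certificates here are throwaway, constructed test data.

# make_demo_pki DIR: two unrelated self-signed CAs (A and B) and a client
# certificate signed by CA A. Names and lifetimes are constructed.
make_demo_pki() {
    d=$1
    for n in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo CA $n" \
            -keyout "$d/ca$n.key" -out "$d/ca$n.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.com" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/caA.pem" \
        -CAkey "$d/caA.key" -CAcreateserial -days 1 \
        -out "$d/client.pem" 2>/dev/null
}

# check_chain CAFILE CERT: prints unreadable:<file>, ok, err20 or other.
# Run it as the account the daemon runs as, so -r tests that account's access.
check_chain() {
    ca=$1 cert=$2
    for f in "$ca" "$cert"; do
        [ -r "$f" ] || { echo "unreadable:$f"; return 0; }
    done
    # Match on the message text rather than relying on the exit status.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo err20 ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
    echo "issuer present in CA file:  $(check_chain "$tmp/caA.pem" "$tmp/client.pem")"
    echo "issuer absent from CA file: $(check_chain "$tmp/caB.pem" "$tmp/client.pem")"
    echo "missing CA file:            $(check_chain "$tmp/none.pem" "$tmp/client.pem")"
    rm -rf "$tmp"
fi
```

Against a real installation the inputs would be the files named by `TLS CA Certificate File` and `TLS Certificate`; an `ok` result rules out only these file-level causes.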
[Bacula-users] ERR=20:"unable to get local issuer certificate"
Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs

After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
backups run successfully but throw this warning:

ERR=20:"unable to get local issuer certificate"

This setup uses self-signed certificates and worked without errors or
warnings before this OS upgrade.

There has been no bacula configuration change on either the client or
director. A diff of the client bacula-fd.conf file (excerpted below)
before and after the upgrade shows no change.

I tried revoking the old client cert and generating a new one, but this
had no effect on the warning message.

I also tried command-line "openssl s_client -connect" commands both
ways. Both connections worked on the respective ports 9101 and 9102.

Besides the bacula client configuration -- which hasn't changed, aside
from pointing to new certs with the same filenames -- is there something
else that needs tweaking on the client?

Many thanks.

dn

-

client bacula-fd.conf

Director {
  Name = nye-dir
  ..

  TLS Require = yes
  TLS Enable = yes
  TLS Verify Peer = yes

  # Allow only the Director to connect
  TLS Allowed CN = "backups.example.com"
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/client.pem
  TLS Key = /etc/bacula/client.key

}

..

FileDaemon {
  Name = client-fd
  FDport = 9102 # where we listen for the director
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20

  TLS Require = yes
  TLS Enable = yes

  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/client.pem
  TLS Key = /etc/bacula/client.key

}