Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-18 Thread Dan Langille
If anyone is using X509v3 extensions with copy jobs, I'm keenly interested in 
the certs you are using. See below.

On Thu, Sep 14, 2023, at 2:39 PM, Dan Langille wrote:
> On Thu, Sep 14, 2023, at 2:33 PM, Martin Simmons wrote:
>>> On Tue, 12 Sep 2023 08:41:42 -0400, Dan Langille said:
>>> 
>>> >  
>>> >> 
>>> >> I ask because yesterday I started running some copy jobs. The cert used 
>>> >> by bacula-sd was acceptable for receiving backups. It was not acceptable 
>>> >> for copy jobs.
>>> >> 
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect 
>>> >> failure: ERR=error:1417C086:SSL 
>>> >> routines:tls_process_client_certificate:certificate verify failed
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS 
>>> >> Negotiation failed.
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation 
>>> >> failed with FD at "10.55.0.7:27230"
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect 
>>> >> authorization key from File daemon at client rejected.
>>> >> For help, please see: 
>>> >> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
>>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to 
>>> >> authenticate File daemon
>>> > 
>>> > I wonder if your SD connects to itself here, and fails to validate 
>>> > itself? The log above does mention an FD at 10.55.0.7. Does that FD 
>>> > component have a certificate? maybe there's mis-match with the CN of that 
>>> > certificate and the FDAddress directive in the bacula-fd.conf file?
>>> 
>>> There is no bacula-fd at 10.55.0.7 - it is not running and not configured. 
>>> It is bacula-sd only at that IP address.
>>> 
>>> Yes, bacula-sd-04 is at  10.55.0.7 - I don't know why FD is mentioned in 
>>> the error.
>>> 
>>> From the docs 
>>> (https://bacula.org/13.0.x-manuals/en/main/Migration_Copy.html): 
>>> 
>>> The Copy and the Migration jobs run without using the File daemon by 
>>> copying the data from the old backup Volume to a different Volume in a 
>>> different Pool
>>> 
>>> My reading of that: an FD should not be involved here.
>>
>> My guess is that Copy and Migration jobs work with the reading SD pretending
>> to be an FD to send data to the writing SD.
>>
>> __Martin
>
> Tests this afternoon have confirmed that. I’m still figuring this out. 
> I might resume testing in the next few days. 

It seems the only problem is copy/migration jobs. In this case, bacula-sd is 
sending to bacula-sd and I have been unable to configure a cert with X509v3 
which is accepted for this task.  The errors I get are below.

These certs are good for backups, not good for copy/migration (I have tested 
only copy, but I'm sure migration will have the same problem).

If I change the certificate, and *only* the certificate, to not include X509v3 
extensions, this error does not occur.

18-Sep 21:08 bacula-dir JobId 359528: Warning: FileSet MD5 digest not found.
18-Sep 21:08 bacula-dir JobId 359528: The following 1 JobId was chosen to be 
copied: 359391
18-Sep 21:08 bacula-dir JobId 359528: Copying using JobId=359391 
Job=r730-03_basic_testing.2023-09-15_12.57.14_14
18-Sep 21:08 bacula-dir JobId 359528: Start Copying JobId 359528, 
Job=CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
18-Sep 21:08 bacula-dir JobId 359528: Using Device "vDrive-FullFile-0" to read.
18-Sep 21:08 bacula-dir JobId 359529: Using Device "vDrive-FullFile-0" to write.
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Error: openssl.c:68 Connect failure: 
ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate 
verify failed
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: bnet.c:75 TLS 
Negotiation failed.
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: TLS negotiation failed 
with FD at "10.55.0.7:61827"
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Fatal error: Incorrect authorization 
key from File daemon at client rejected.
For help, please see: 
http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
18-Sep 21:08 bacula-sd-01-sd JobId 359528: Security Alert: Unable to 
authenticate File daemon
18-Sep 21:08 bacula-dir JobId 359529: Fatal error: Bad response to Storage 
command: wanted 2000 OK storage
, got 2902 Bad storage

18-Sep 21:08 bacula-dir JobId 359529: Fatal error: mac.c:301 Response failure: 
storeddr=bacula-sd-01.int.unixathome.org:9103 
Job=CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
18-Sep 21:08 bacula-dir JobId 359528: Error: Bacula bacula-dir 9.6.7 (10Dec20):
  Build OS:   amd64-portbld-freebsd13.2 freebsd 13.2-RELEASE
  Prev Backup JobId:  359391
  Prev Backup Job:r730-03_basic_testing.2023-09-15_12.57.14_14
  New Backup JobId:   359529
  Current JobId:  359528
  Current Job:CopyToSD04-testing-deleteme.2023-09-18_21.08.04_42
  Backup Level:   Full
  Client: crey-fd
  FileSet:"EmptyCopyToTape" 2011-02-20 20:53:31
  

Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-14 Thread Dan Langille
On Thu, Sep 14, 2023, at 2:33 PM, Martin Simmons wrote:
>> On Tue, 12 Sep 2023 08:41:42 -0400, Dan Langille said:
>> 
>> >  
>> >> 
>> >> I ask because yesterday I started running some copy jobs. The cert used 
>> >> by bacula-sd was acceptable for receiving backups. It was not acceptable 
>> >> for copy jobs.
>> >> 
>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect 
>> >> failure: ERR=error:1417C086:SSL 
>> >> routines:tls_process_client_certificate:certificate verify failed
>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS 
>> >> Negotiation failed.
>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation 
>> >> failed with FD at "10.55.0.7:27230"
>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect 
>> >> authorization key from File daemon at client rejected.
>> >> For help, please see: 
>> >> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
>> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to 
>> >> authenticate File daemon
>> > 
>> > I wonder if your SD connects to itself here, and fails to validate itself? 
>> > The log above does mention an FD at 10.55.0.7. Does that FD component have 
>> > a certificate? maybe there's mis-match with the CN of that certificate and 
>> > the FDAddress directive in the bacula-fd.conf file?
>> 
>> There is no bacula-fd at 10.55.0.7 - it is not running and not configured. 
>> It is bacula-sd only at that IP address.
>> 
>> Yes, bacula-sd-04 is at  10.55.0.7 - I don't know why FD is mentioned in the 
>> error.
>> 
>> From the docs 
>> (https://bacula.org/13.0.x-manuals/en/main/Migration_Copy.html): 
>> 
>> The Copy and the Migration jobs run without using the File daemon by copying 
>> the data from the old backup Volume to a different Volume in a different Pool
>> 
>> My reading of that: an FD should not be involved here.
>
> My guess is that Copy and Migration jobs work with the reading SD pretending
> to be an FD to send data to the writing SD.
>
> __Martin

Tests this afternoon have confirmed that. I’m still figuring this out. I might 
resume testing in the next few days. 

-- 
  Dan Langille
  d...@langille.org


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-14 Thread Martin Simmons
> On Tue, 12 Sep 2023 08:41:42 -0400, Dan Langille said:
> 
> >  
> >> 
> >> I ask because yesterday I started running some copy jobs. The cert used by 
> >> bacula-sd was acceptable for receiving backups. It was not acceptable for 
> >> copy jobs.
> >> 
> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect 
> >> failure: ERR=error:1417C086:SSL 
> >> routines:tls_process_client_certificate:certificate verify failed
> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS 
> >> Negotiation failed.
> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation 
> >> failed with FD at "10.55.0.7:27230"
> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect 
> >> authorization key from File daemon at client rejected.
> >> For help, please see: 
> >> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
> >> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to 
> >> authenticate File daemon
> > 
> > I wonder if your SD connects to itself here, and fails to validate itself? 
> > The log above does mention an FD at 10.55.0.7. Does that FD component have 
> > a certificate? maybe there's mis-match with the CN of that certificate and 
> > the FDAddress directive in the bacula-fd.conf file?
> 
> There is no bacula-fd at 10.55.0.7 - it is not running and not configured. It 
> is bacula-sd only at that IP address.
> 
> Yes, bacula-sd-04 is at  10.55.0.7 - I don't know why FD is mentioned in the 
> error.
> 
> From the docs 
> (https://bacula.org/13.0.x-manuals/en/main/Migration_Copy.html): 
> 
> The Copy and the Migration jobs run without using the File daemon by copying 
> the data from the old backup Volume to a different Volume in a different Pool
> 
> My reading of that: an FD should not be involved here.

My guess is that Copy and Migration jobs work with the reading SD pretending
to be an FD to send data to the writing SD.

__Martin




Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-12 Thread Dan Langille
On Tue, Sep 12, 2023, at 6:23 AM, Vanush "Misha" Paturyan wrote:
> On Mon, 11 Sept 2023 at 20:19, Dan Langille  wrote:
>> 
>> Yes, I think it's SSL erroring out, I agree with your theory.
>> 
>> Which means: what Key Usage needs to be included for each of:
>> 
>> * bacula-fd
>> * bacula-sd
>> * bacula-dir
>> 
>> Thank you for sharing your details.  Is this cert used with bacula-sd or 
>> bacula-fd?
> 
> That was a certificate from bacula-fd. bacula-sd certificate has the same 
> extensions (Key Usage: Digital Signature, Non Repudiation, Key Encipherment, 
> Data Encipherment). Its CN matches the value of SDAddress in the `Storage` 
> section of bacula-sd.conf file. For completeness, the TLS related entries in 
> that file are:
> TLS Enable = yes
> TLS Require = no
> TLS Verify Peer = yes
> TLS CA Certificate = 
> TLS Certificate = 
> TLS Key =  

We differ only in TLS Require

One thing I just realized: There are two clauses in configuration files, each 
of which can take a certificate. Until now, I never considered that each one 
could be a different cert; one client, one server.

Let me use my bacula-sd as an example:

Storage {
Name = "bacula-sd-04"

TLS Certificate = server key goes here
}

Director {
Name = "bacula-dir"
TLS Certificate = client cert goes here
}

Perhaps that is what I need to investigate.  Also, I could look into a 
dual-use certificate: it's possible for the EKU to assert both "Web Client" 
and "Web Server"

>  
>> 
>> I ask because yesterday I started running some copy jobs. The cert used by 
>> bacula-sd was acceptable for receiving backups. It was not acceptable for 
>> copy jobs.
>> 
>> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect failure: 
>> ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate 
>> verify failed
>> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS 
>> Negotiation failed.
>> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation failed 
>> with FD at "10.55.0.7:27230"
>> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect authorization 
>> key from File daemon at client rejected.
>> For help, please see: 
>> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
>> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to 
>> authenticate File daemon
> 
> I wonder if your SD connects to itself here, and fails to validate itself? 
> The log above does mention an FD at 10.55.0.7. Does that FD component have a 
> certificate? maybe there's mis-match with the CN of that certificate and the 
> FDAddress directive in the bacula-fd.conf file?

There is no bacula-fd at 10.55.0.7 - it is not running and not configured. It 
is bacula-sd only at that IP address.

Yes, bacula-sd-04 is at  10.55.0.7 - I don't know why FD is mentioned in the 
error.

From the docs (https://bacula.org/13.0.x-manuals/en/main/Migration_Copy.html): 

The Copy and the Migration jobs run without using the File daemon by copying 
the data from the old backup Volume to a different Volume in a different Pool

My reading of that: an FD should not be involved here.

--
  Dan Langille
  d...@langille.org



Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-12 Thread Vanush "Misha" Paturyan
On Mon, 11 Sept 2023 at 20:19, Dan Langille  wrote:

>
> Yes, I think it's SSL erroring out, I agree with your theory.
>
> Which means: what Key Usage needs to be included for each of:
>
> * bacula-fd
> * bacula-sd
> * bacula-dir
>
> Thank you for sharing your details.  Is this cert used with bacula-sd or
> bacula-fd?
>

That was a certificate from bacula-fd. bacula-sd certificate has the same
extensions (Key Usage: Digital Signature, Non Repudiation, Key
Encipherment, Data Encipherment). Its CN matches the value of SDAddress in
the `Storage` section of bacula-sd.conf file. For completeness, the TLS
related entries in that file are:
TLS Enable = yes
TLS Require = no
TLS Verify Peer = yes
TLS CA Certificate = 
TLS Certificate = 
TLS Key = 


> I ask because yesterday I started running some copy jobs. The cert used by
> bacula-sd was acceptable for receiving backups. It was not acceptable for
> copy jobs.
>
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect
> failure: ERR=error:1417C086:SSL
> routines:tls_process_client_certificate:certificate verify failed
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS
> Negotiation failed.
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation
> failed with FD at "10.55.0.7:27230"
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect
> authorization key from File daemon at client rejected.
> For help, please see:
> http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
> 09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to
> authenticate File daemon
>

I wonder if your SD connects to itself here, and fails to validate itself?
The log above does mention an FD at 10.55.0.7. Does that FD component have
a certificate? maybe there's mis-match with the CN of that certificate and
the FDAddress directive in the bacula-fd.conf file?

Misha


Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-11 Thread Dan Langille
> On Sep 11, 2023, at 12:14 PM, Vanush Misha Paturyan  wrote:
> 
> Hello Dan,
> 
> On Sat, 9 Sept 2023 at 12:39, Dan Langille wrote:
>> Hello,
>> 
>> Is anyone using self-signed certificates using X509v3 extensions?
>> 
>> To be clear: I am not trying to make use of X509v3 extensions for any 
>> particular purpose - A recent upgrade to the tool I am using recently 
>> started X509v3 extensions
>> 
> 
> Our system works with self-signed certificates with X509v3 extensions. 
> Here's what the extensions look like on our setup:
> 
> X509v3 extensions:
> X509v3 Subject Key Identifier: 
> 5E:67:4E:42:8B:F3:3B:8E:F4:C4:BE:B9:29:B3:5E:41:DC:DE:12:81
> X509v3 Authority Key Identifier: 
> 
> keyid:88:38:87:5E:B1:E0:FF:59:98:BB:0F:2F:8B:55:F5:E0:85:E1:82:9D
> DirName:/C=IE/ST=Co Kildare/L=Maynooth/O=Maynooth 
> University/OU=Computer Science Department/CN=CS Dept Internal 
> CA/emailAddress=supp...@cs.nuim.ie 
> serial:CC:A9:72:5F:96:CF:3B:53
> 
> X509v3 Basic Constraints: 
> CA:FALSE
> X509v3 Key Usage: 
> Digital Signature, Non Repudiation, Key Encipherment, Data 
> Encipherment
> X509v3 CRL Distribution Points: 
> 
> Full Name:
>   URI:http://www.cs.nuim.ie/nuimcs.crl
> 
> Comparing to your example, I don't have the "Extended Key Usage" part, and I 
> don't remember why is there Subject Key Identifier and Authority Key 
> Identifier extensions: something wasn't working without them, but I can't 
> find my notes from when I was setting up our internal "CA", so have no idea 
> if it was related to Bacula or not.
> 
> But I have a feeling it is not bacula that is failing: this 
> "ERR=error:1416F086:SSL routines:tls_process_server_certificate:certificate 
> verify failed" feels like it is coming from the SSL library?
> 

Yes, I think it's SSL erroring out, I agree with your theory.

Which means: what Key Usage needs to be included for each of:

* bacula-fd
* bacula-sd
* bacula-dir

Thank you for sharing your details.  Is this cert used with bacula-sd or 
bacula-fd?

I ask because yesterday I started running some copy jobs. The cert used by 
bacula-sd was acceptable for receiving backups. It was not acceptable for copy 
jobs.

09-Sep 10:19 bacula-sd-04 JobId 358322: Error: openssl.c:68 Connect failure: 
ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate 
verify failed
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: bnet.c:75 TLS Negotiation 
failed.
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: TLS negotiation failed 
with FD at "10.55.0.7:27230"
09-Sep 10:19 bacula-sd-04 JobId 358322: Fatal error: Incorrect authorization 
key from File daemon at client rejected.
For help, please see: 
http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
09-Sep 10:19 bacula-sd-04 JobId 358322: Security Alert: Unable to authenticate 
File daemon

I've been using 10.55.0.7 (bacula-sd-04.int.unixathome.org) – for backups for 
some time. This was the first copy job.

* it is not the password - I changed it, got a different error
* I change the cert to the type used on a bacula-sd (ie. client cert), that 
worked fine

I'm sure I need to change the extensions I am using.

— 
Dan Langille
http://langille.org/







Re: [Bacula-users] TLS using certs with X509v3 extensions

2023-09-11 Thread Vanush "Misha" Paturyan
Hello Dan,

On Sat, 9 Sept 2023 at 12:39, Dan Langille  wrote:

> Hello,
>
> Is anyone using self-signed certificates using X509v3 extensions?
>
> To be clear: I am not trying to make use of X509v3 extensions for any
> particular purpose - A recent upgrade to the tool I am using recently
> started X509v3 extensions
>
>
Our system works with self-signed certificates with X509v3 extensions.
Here's what the extensions look like on our setup:

X509v3 extensions:
X509v3 Subject Key Identifier:
5E:67:4E:42:8B:F3:3B:8E:F4:C4:BE:B9:29:B3:5E:41:DC:DE:12:81
X509v3 Authority Key Identifier:

keyid:88:38:87:5E:B1:E0:FF:59:98:BB:0F:2F:8B:55:F5:E0:85:E1:82:9D
DirName:/C=IE/ST=Co Kildare/L=Maynooth/O=Maynooth
University/OU=Computer Science Department/CN=CS Dept Internal
CA/emailAddress=supp...@cs.nuim.ie
serial:CC:A9:72:5F:96:CF:3B:53

X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
X509v3 CRL Distribution Points:

Full Name:
  URI:http://www.cs.nuim.ie/nuimcs.crl

Comparing to your example, I don't have the "Extended Key Usage" part, and
I don't remember why is there Subject Key Identifier and Authority Key
Identifier extensions: something wasn't working without them, but I can't
find my notes from when I was setting up our internal "CA", so have no idea
if it was related to Bacula or not.

But I have a feeling it is not bacula that is failing: this
"ERR=error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed" feels
like it is coming from the SSL library?

Hope this info helps!

Misha


[Bacula-users] TLS using certs with X509v3 extensions

2023-09-09 Thread Dan Langille
Hello,

Is anyone using self-signed certificates using X509v3 extensions?

To be clear: I am not trying to make use of X509v3 extensions for any 
particular purpose - A recent upgrade to the tool I am using recently started 
X509v3 extensions

I ask because so far I have been unable to get TLS working when using X509v3 
extensions on a certificate used by bacula-fd

If I use a certificate with X509v3 extensions bacula-fd, I get these types of 
messages:

08-Sep 12:47 bacula-dir JobId 358290: Error: tls.c:96 Error with certificate at 
depth: 0, issuer = /C=US/ST=PA/L=Media/O=BSD Cabal Headquarters/CN=BSD Cabal 
Headquarters/emailAddress=d...@langille.org, subject = /C=US/ST=PA/O=BSD Cabal 
Headquarters/CN=r730-03.int.unixathome.org/emailAddress=d...@langille.org, 
ERR=26:unsupported certificate purpose
08-Sep 12:47 bacula-dir JobId 358290: Error: openssl.c:68 Connect failure: 
ERR=error:1416F086:SSL routines:tls_process_server_certificate:certificate 
verify failed
08-Sep 12:47 bacula-dir JobId 358290: Fatal error: TLS negotiation failed with 
FD at "r730-03.int.unixathome.org:9102".
08-Sep 12:47 bacula-dir JobId 358290: Fatal error: bsock.c:520 Packet 
size=386073346 too big from "Client: r730-03-fd:r730-03.int.unixathome.org:9102". 
Maximum permitted 100. Terminating connection.

If I move back to certificate without X509v3 extensions, the backups succeed.

At first, I thought "unsupported certificate purpose" meant client versus 
server type certs, but no that was not it. That brought in a new type of error. 
 See https://dan.langille.org/2023/09/09/getting-the-right-type-of-certificate/ 


What X509v3 extensions you might ask? These.

X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
X509v3 Key Usage: 
Digital Signature, Non Repudiation, Key Encipherment, Key 
Agreement
X509v3 Extended Key Usage: 
TLS Web Client Authentication
X509v3 CRL Distribution Points: 

Full Name:
  URI:http://CRL_URI

Ideas welcome.

-- 
Dan Langille
d...@langille.org 
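
Added example, not part of the thread and not Bacula or OpenSSL code: a small checker that reads the extension text posted above and reports which TLS roles OpenSSL's sslclient/sslserver purpose checks would allow for a leaf certificate, which is the check behind "ERR=26:unsupported certificate purpose" and relevant to the dual-use EKU idea raised later in the thread. The rules are restated from OpenSSL's behaviour (nsCertType is ignored here); the function names, the two constructed samples, and the mapping of Bacula daemons to TLS roles are assumptions.

```python
import re

# Values as printed by `openssl x509 -noout -text`. When an extension is present,
# OpenSSL's sslclient/sslserver purpose checks need at least one of these.
CLIENT_KU = {"Digital Signature", "Key Agreement"}
SERVER_KU = {"Digital Signature", "Key Encipherment", "Key Agreement"}
CLIENT_EKU = {"TLS Web Client Authentication"}
SERVER_EKU = {"TLS Web Server Authentication", "Netscape Server Gated Crypto"}

def parse_extensions(text):
    """Return {extension name: set of values}; values that a mail client
    wrapped onto a second line are rejoined before splitting on commas."""
    parts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"X509v3 (.+?):\s*(?:critical)?$", line)
        if m:
            current = m.group(1)
            parts[current] = []
        elif current and line:
            parts[current].append(line)
    return {name: {v.strip() for v in " ".join(vals).split(",") if v.strip()}
            for name, vals in parts.items()}

def tls_roles(text):
    """Which TLS roles a leaf certificate with these extensions can play.
    An absent extension places no restriction, matching OpenSSL."""
    exts = parse_extensions(text)
    ku, eku = exts.get("Key Usage"), exts.get("Extended Key Usage")
    def allowed(need_ku, need_eku):
        if eku is not None and not eku & need_eku:
            return False
        return ku is None or bool(ku & need_ku)
    return {"client": allowed(CLIENT_KU, CLIENT_EKU),
            "server": allowed(SERVER_KU, SERVER_EKU)}

def missing_roles(text, roles):
    """Roles from `roles` that the certificate cannot fill."""
    verdict = tls_roles(text)
    return [r for r in roles if not verdict[r]]

# Extensions from the first post of the thread (bacula-fd certificate).
POSTED_FD = """X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key
Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication
"""
# Key Usage from Misha's reply: no Extended Key Usage extension at all.
POSTED_NO_EKU = """X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
"""
# Constructed samples, not from the thread.
SERVER_ONLY = POSTED_FD.replace("Client", "Server")
DUAL_USE = POSTED_FD.replace("TLS Web Client Authentication",
    "TLS Web Server Authentication, TLS Web Client Authentication")

if __name__ == "__main__":
    # Assumption from the thread: a daemon accepting connections is the TLS
    # server; the reading SD in a copy job connects as a TLS client.
    for name, cert in [("posted FD cert", POSTED_FD), ("no EKU", POSTED_NO_EKU),
                       ("server-only", SERVER_ONLY), ("dual-use", DUAL_USE)]:
        print(f"{name:15} {tls_roles(cert)} "
              f"missing for SD-to-SD copy: {missing_roles(cert, ['client', 'server'])}")
```

To check a real certificate, pass the output of `openssl x509 -noout -text -in cert.pem` to `tls_roles`.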

