Bacula – certificates expired

The new year started off poorly for my backups, and it is all my fault. Each of my remote servers is backed up utilizing Bacula’s TLS (Transport Layer Security) features. This requires an X.509 certificate which I obtain via CACert. These certificates have expired:

01-Jan 02:00 bacula-dir JobId 44464: Start Backup JobId 44464, Job=nyi_maildir.2011-01-01_02.00.00_07
01-Jan 02:00 bacula-dir JobId 44464: Using Device "MegaFile"
01-Jan 02:00 bacula-dir JobId 44464: Error: tls.c:92 Error with certificate at depth: 0, 
    issuer = /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root, 
    subject = /CN=nyi-vpn.example.org, ERR=10:certificate has expired
01-Jan 02:00 bacula-dir JobId 44464: Error: openssl.c:86 Connect failure: ERR=error:14090086:SSL 
    routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
01-Jan 02:00 bacula-dir JobId 44464: Fatal error: TLS negotiation failed with FD at 
    "nyi-vpn.example.org:9102".
01-Jan 02:00 bacula-dir JobId 44464: Fatal error: bsock.c:507 Packet size too big from 
    "Client: nyi-fd:nyi-vpn.example.org:9102. Terminating connection.
01-Jan 02:00 bacula-dir JobId 44464: Fatal error: No Job status returned from FD.
01-Jan 02:00 bacula-dir JobId 44464: Error: Bacula bacula-dir 5.0.3 (04Aug10): 01-Jan-2011 02:00:03

My solution is simple: renew the certificates, install them, and [perhaps] restart the bacula-fd in question.

The problem arose simply because I forgot to renew the certificates, despite reminder emails from CACert. The update was easy, but time consuming. I had to update three hosts.

Happy New Year.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top