See also OpenVPN: unsupported certificate purpose.
NOTE: When using ssl-admin for Bacula:
- use option 4 (Perform a one-step request/sign) for clients (bacula-fd)
- use option S (Create new Signed Server certificate) for servers (bacula-sd and bacula-dir)
I know these things, but I repeatedly go to option 4 and forget….
Original post follows
Sometimes I forget about TLS / SSL / x509 certificates being available in both server and client versions, particularly when it comes to private certificate authorities. I use the security/ssl-admin port for that.
Today in particular, I spent about 2 hours trying to debug issues while adding TLS to existing Bacula clients.
I was getting this error:
29-Nov 19:13 bacula-dir JobId 299752: Start Backup JobId 299752, Job=mydev_basic.2019-11-29_19.13.09_39
29-Nov 19:13 bacula-dir JobId 299752: Using Device "vDrive-IncrFile-9" to write.
29-Nov 19:13 bacula-sd-01-sd JobId 299752: Error: openssl.c:68 Connect failure: ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: bnet.c:75 TLS Negotiation failed.
29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: TLS negotiation failed with FD at "203.0.113.16:55660"
29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: Incorrect authorization key from File daemon at client rejected.
For help, please see: http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html
29-Nov 19:13 bacula-sd-01-sd JobId 299752: Security Alert: Unable to authenticate File daemon
29-Nov 19:13 bacula-dir JobId 299752: Fatal error: Bad response to Storage command: wanted 2000 OK storage , got 2902 Bad storage
29-Nov 19:13 mydev-fd JobId 299752: Error: openssl.c:68 TLS read/write failure.: ERR=error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate
This problem was solved by creating a client certificate for the bacula-fd client at 203.0.113.16.
This is not a bacula-sd issue, it's a bacula-fd issue: the File Daemon was presenting a server certificate, which the Storage Daemon cannot accept as a client certificate (hence the "unsupported certificate" alert in the log above).
In ssl-admin terms, I used option S when I should have used option 4.
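The server-versus-client distinction behind both the note at the top and the diagnosis just above comes down to the certificate's extended key usage. The script below is an added example, not part of the original post and not ssl-admin's own code: it builds a throwaway CA with openssl, issues one certificate restricted to serverAuth and one with clientAuth, and checks each for the purpose the Bacula daemon would use it for. It assumes openssl(1) is on PATH; the CA name, file names and subjects are constructed here, and modelling ssl-admin's option S as a serverAuth-only certificate is an assumption about that script, not something it was consulted for.

```shell
#!/bin/sh
# Added example (not from the original post, not ssl-admin's code): issue a
# server-only and a client certificate under a throwaway CA and check each
# for the TLS purpose the Bacula daemon will use it for.
# Assumes openssl(1) on PATH; every name and subject below is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway private CA (constructed for this example only).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Bacula CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_cert NAME EKU: request and sign a leaf certificate carrying only the
# given extendedKeyUsage value(s), e.g. "serverAuth" or "clientAuth".
issue_cert() {
  name="$1"; eku="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$eku" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

# cert_has_purpose FILE PURPOSE: returns 0 if openssl accepts FILE for PURPOSE
# (sslclient or sslserver) under our CA. This is the same purpose check the
# peer's TLS stack applies during the handshake; failing it is what produces
# the "unsupported certificate" alert seen in the Bacula log.
cert_has_purpose() {
  openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

# Wrappers named after the daemon that presents the certificate.
fd_cert_ok() { cert_has_purpose "$1" sslclient; }   # bacula-fd connects as a TLS client
sd_cert_ok() { cert_has_purpose "$1" sslserver; }   # bacula-sd / bacula-dir accept connections

# show_eku FILE: print the Extended Key Usage line, the quickest manual check
# to run on a certificate before handing it to a daemon.
show_eku() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}'
}

# Model of the two ssl-admin outcomes (assumed: option S gives a server-only
# EKU, option 4 gives a certificate usable as a TLS client).
issue_cert server-only serverAuth
issue_cert client clientAuth

for f in server-only.crt client.crt; do
  printf '%s:%s\n' "$f" "$(show_eku "$f")"
  fd_cert_ok "$f" && echo "  usable by bacula-fd (sslclient): yes" || echo "  usable by bacula-fd (sslclient): NO"
  sd_cert_ok "$f" && echo "  usable by bacula-sd (sslserver): yes" || echo "  usable by bacula-sd (sslserver): NO"
done
```

Running it shows the server-only certificate failing the sslclient check and the client certificate failing the sslserver check, so the same openssl verify -purpose call can be run against a freshly generated certificate before it is installed on a bacula-fd host.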
NOTE: 2023-03-18 – Today, I encountered the same issue when working with r730-03 as part of Identifying jails and data to migrate from old host to new host. I wasted about an hour before rediscovering the issue I raised 6 months ago. That led me to my saved and patched version of the script at mydev:~/tmp/ssl-admin. Running that script gave me a working version of the cert. Next task: patch ssl-admin so I don't spend time like this again.
$ sudo ssl-admin
This program will walk you through requesting, signing, organizing and revoking SSL certificates.
ssl-admin installed Wed Jan 2 20:46:56 UTC 2013
=====================================================
#               SSL-ADMIN v1.2.1                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 5C
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin
While I mostly hope I remember this the next time I create certificates for bacula-fd, I also hope that when I don’t, I find this blog post.