Sometimes I forget about TLS / SSL / x509 certificates being available in both server and client versions, particularly when it comes to private certificate authorities. I use the security/ssl-admin port for that.
Today in particular, I spent about 2 hours trying to debug issues while adding TLS to existing Bacula clients.
I was getting this error:
29-Nov 19:13 bacula-dir JobId 299752: Start Backup JobId 299752, Job=mydev_basic.2019-11-29_19.13.09_39 29-Nov 19:13 bacula-dir JobId 299752: Using Device "vDrive-IncrFile-9" to write. 29-Nov 19:13 bacula-sd-01-sd JobId 299752: Error: openssl.c:68 Connect failure: ERR=error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed 29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: bnet.c:75 TLS Negotiation failed. 29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: TLS negotiation failed with FD at "203.0.113.16:55660" 29-Nov 19:13 bacula-sd-01-sd JobId 299752: Fatal error: Incorrect authorization key from File daemon at client rejected. For help, please see: http://www.bacula.org/rel-manual/en/problems/Bacula_Frequently_Asked_Que.html 29-Nov 19:13 bacula-sd-01-sd JobId 299752: Security Alert: Unable to authenticate File daemon 29-Nov 19:13 bacula-dir JobId 299752: Fatal error: Bad response to Storage command: wanted 2000 OK storage , got 2902 Bad storage 29-Nov 19:13 mydev-fd JobId 299752: Error: openssl.c:68 TLS read/write failure.: ERR=error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate
This problem was solved by creating a client certificate for the bacula-fd client at 203.0.113.16.
This is not a bacula-sd issues, it’s a bacula-fd issue.
In ssl-admin terms, I used option S when I should have used option 4.
$ sudo ssl-admin This program will walk you through requesting, signing, organizing and revoking SSL certificates. ssl-admin installed Wed Jan 2 20:46:56 UTC 2013 ===================================================== # SSL-ADMIN v1.2.1 # ===================================================== Please enter the menu option from the following list: 1) Update run-time options: Key Duration (days): 3650 Current Serial #: 5C Key Size (bits): 4096 Intermediate CA Signing: NO 2) Create new Certificate Request 3) Sign a Certificate Request 4) Perform a one-step request/sign 5) Revoke a Certificate 6) Renew/Re-sign a past Certificate Request 7) View current Certificate Revokation List 8) View index information for certificate. i) Generate a user config with in-line certifcates and keys. z) Zip files for end user. dh) Generate Diffie Hellman parameters. CA) Create new Self-Signed CA certificate. S) Create new Signed Server certificate. q) Quit ssl-admin
While I mostly hope I remember this the next time I create certificates for bacula-fd, I also hope that when I don’t, I find this blog post.