Hello R.I. Pienaar,
On 3/11/08, R.I. Pienaar <rip@...> wrote:
> > I'm trying to get TLS to work with Bacula. I found today this excellent
> > < http://www.devco.net/pubwiki/Bacula/TLS > that covers
> > this topic quite nicely. Rather than use CAcert, for example, I've set
> > up my
> thank you for your kind words on my wiki, pity you're having issues
> after following it.
Really, thank you for taking the time to write your wiki. It was very
helpful -- because I was having a hard time trying to understand TLS from
the Bacula User's Guide.
> > 11-Mar 07:11 theDirector JobId 0: Error: tls.c:95 Error with certificate
> > at depth: 0, issuer =
> > /C=us/L=city/O=theOrg/OU=orgUnit/CN=theOrg
> > CA/emailAddress=orgUnit@..., subject =
> > /C=us/L=city/O=theOrg/OU=orgUnit/CN=theUniqueCommonName,
> > ERR=26:unsupported certificate purpose
> as you say this is the root cause of the problem. Some CA's can embed
> some information into the certificates they issue about the purpose,
> such as email signing, ca signing, general server use and so forth. I
> am assuming bacula checks for this.
> My own generated certs don't have this field but yours might; you can
> confirm with:
> # openssl x509 -in your.box.com.cert -text -noout
> this in your case would have something like:
> Netscape Cert Type:
> Object Signing
When I ran the command you suggest above against my server's cert (which
is in PEM format), I got a lot of output including certificate data such as
version, serial number, signature algorithm, validity, subject, subject
public key info, etc. (the output was quite verbose). Should that be the
case? In the output, I found (related to the Netscape Cert Type per your
suggestion) only this:
Netscape Cert Type:
This Netscape Cert Type was embedded as part of the X509v3 extensions. I
didn't see anything else in the entire output about Object Signing or email
signing. I am wondering however, would it be a problem that my keys are 4096
bit? Or that my signature algorithm is SHA-256 instead of, say, SHA-1?
This is the first time I've set up my own CA (Bacula's TLS was the
motivating factor to do so) and I thought TinyCA would be a nice X11 app
with a GUI to use. I can tweak and play with the openssl.cnf configuration
and there are also other options in TinyCA but it's a little bit daunting to
figure out where to start in order to appease Bacula.
Did you set up your own CA for self-signing? If so, did you do so all on the
command-line with OpenSSL instead of using a GUI like TinyCA? TinyCA ended
up calling OpenSSL so TinyCA is supposed to provide some convenience for
managing certificates, etc.
Thank you for any additional suggestions.
> in there, if it does, then I guess that's your problem, you should
> adjust our CA to either not embed the type or set an appropriate one
> for general server use.
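The check the thread describes, as an added example that is not code from the thread, the wiki or Bacula: it classifies the purpose extensions in the text dump from `openssl x509 -text -noout` and prints an openssl.cnf extension section (hypothetical name `bacula_daemon`) that issues certificates without the ERR=26 restriction. It assumes Bacula daemons both accept and initiate TLS connections, so a certificate has to be usable as SSL server and SSL client.

```shell
#!/bin/sh
# Added example: classify purpose extensions found in the output of
#   openssl x509 -in your.box.com.cert -text -noout
# Assumption: Bacula daemons act as TLS server and TLS client, so a cert
# limited to another purpose (e.g. Object Signing) fails verification with
# ERR=26 (X509_V_ERR_INVALID_PURPOSE, "unsupported certificate purpose").

# Usage: classify_purpose "$(openssl x509 -in cert.pem -text -noout)"
# Prints one of:
#   unrestricted - no nsCertType / extendedKeyUsage: OpenSSL allows any use
#   ok           - extensions present and permit server and client use
#   restricted   - extensions present but server or client use is missing
classify_purpose() {
  printf '%s\n' "$1" | awk '
    # the value of each extension sits on the line after its label
    /Netscape Cert Type:/        { getline; ns  = $0; has_ns  = 1 }
    /X509v3 Extended Key Usage:/ { getline; eku = $0; has_eku = 1 }
    END {
      if (!has_ns && !has_eku) { print "unrestricted"; exit }
      ns_ok  = !has_ns  || (index(ns, "SSL Server") && index(ns, "SSL Client"))
      eku_ok = !has_eku || (index(eku, "TLS Web Server Authentication") &&
                            index(eku, "TLS Web Client Authentication"))
      res = (ns_ok && eku_ok) ? "ok" : "restricted"
      print res
    }'
}

# openssl.cnf section (hypothetical name) for certs valid in both TLS roles;
# select it with: openssl ca -extensions bacula_daemon ...
bacula_ext_section() {
  cat <<'EOF'
[ bacula_daemon ]
nsCertType       = server, client
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Constructed sample dumps, trimmed to the extension lines that matter
OBJSIGN_DUMP='        X509v3 extensions:
            Netscape Cert Type:
                Object Signing'
PLAIN_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'
BOTH_DUMP='        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

for d in "$OBJSIGN_DUMP" "$PLAIN_DUMP" "$BOTH_DUMP"; do classify_purpose "$d"; done
```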