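# Work from the Bacula configuration directory: CA.pl creates its demoCA/
# tree relative to the current directory (the daemon configs below expect
# /etc/bacula/demoCA/cacert.pem), and the key/cert files land here too.
# Abort if the directory is missing rather than scattering CA files elsewhere.
cd /etc/bacula || exit 1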
The first time only, generate a new CA (private key plus self-signed certificate) that will sign every daemon certificate. CA.pl -newca creates it under ./demoCA, which is why the commands are run from /etc/bacula; protect the CA's private key (kept under demoCA by CA.pl) at least as carefully as the daemon keys, since anyone holding it can mint certificates every daemon will trust.
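# Lengthen the default certificate validity in the distribution's CA.pl
# (365 -> 3650 days). This edits a package-owned file in place, so a later
# package upgrade can silently revert it, and the exact line the pattern hits
# depends on the CA.pl version shipped - the grep below warns if nothing matched.
sed -i "s/365'/3650'/" /usr/lib/ssl/misc/CA.pl || exit 1
grep -q "3650'" /usr/lib/ssl/misc/CA.pl \
  || printf 'warning: CA.pl validity was not patched; inspect the script\n' >&2
# Create the CA: writes the CA key and cacert.pem under ./demoCA. Run once;
# every daemon certificate below is signed with this CA.
/usr/lib/ssl/misc/CA.pl -newca || exit 1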
Generate a certificate signing request (CSR) for the daemon and then sign it with the CA. The challenge password can be left empty, but the Common Name must exactly match the DNS name the Director will use to reach the remote bacula-fd (the connecting side verifies the certificate against that name), and it should be unique per daemon if you later restrict peers with a TLS Allowed CN list.
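client='<client>'   # replace with the FD host's short name; a literal, unquoted
                    # <client> would be parsed as shell redirection below
umask 077           # new key files start out unreadable to others until chmod'ed
# Unencrypted (-nodes) key + CSR: the daemon must load the key at start-up with
# no passphrase, so file permissions are its only protection.
# At the Common Name prompt enter the DNS name the Director will connect to.
/usr/lib/ssl/misc/CA.pl -newreq-nodes || exit 1
# Sign with the CA. CA.pl splices $SSLEAY_CONFIG into the openssl command line,
# which is how the 10-year validity reaches the signing step here.
SSLEAY_CONFIG='-days 3650' /usr/lib/ssl/misc/CA.pl -sign || exit 1
# Depending on the CA.pl version the private key is written to newkey.pem or
# placed at the top of newreq.pem. Extract it with openssl rather than
# "head -15": a fixed line count only fits a 1024-bit key and silently
# truncates larger ones, leaving an unusable key file.
if [ -s newkey.pem ]; then
  mv -- newkey.pem "bacula-$client.key" || exit 1
else
  openssl rsa -in newreq.pem -out "bacula-$client.key" || exit 1
fi
mv -- newcert.pem "bacula-$client.crt" || exit 1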
Copy (scp) <tt>bacula-<client>.key</tt>, <tt>bacula-<client>.crt</tt> and <tt>cacert.pem</tt> to the FD client machine, into /etc/bacula where the bacula-fd.conf below expects them, and then fix ownership and permissions there as shown next. The <tt>.key</tt> file is an unencrypted private key: transfer it only over an authenticated channel such as scp, and once it is in place remove (or lock down) the copy left in /etc/bacula on the CA host.
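client='<client>'   # same short name used when the files were generated
# Restrict the private key to root and the bacula group (the daemon reads it
# via group membership). The certificate and CA certificate are public, but
# giving all three the same mode is harmless and keeps the rule simple.
# Run these on the FD host right after the scp: scp creates the files with the
# default umask, so the key may be world-readable until this runs.
chmod 640 "bacula-$client.key" "bacula-$client.crt" cacert.pem || exit 1
chgrp bacula "bacula-$client.key" "bacula-$client.crt" cacert.pem || exit 1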
/etc/bacula/bacula-dir.conf
Director {
...
# console --> director server
# The Director is the TLS server for bconsole connections. Verify Peer = yes
# forces the console to present a certificate issued by the CA below.
# NOTE(review): without a "TLS Allowed CN" list any certificate signed by this
# CA is accepted - add one if only named consoles should be able to connect.
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# NOTE(review): this resource names the per-host bacula-<client> files while the
# Client/Storage resources in this same file use bacula.key/.crt - presumably
# both refer to this host's own certificate; confirm the intended file names.
TLS Key = /etc/bacula/bacula-<client>.key
TLS Certificate = /etc/bacula/bacula-<client>.crt
# CA created by "CA.pl -newca" in /etc/bacula, i.e. the Director is the CA host.
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Client {
...
# director --> file daemon client
# The Director is the TLS client here: it checks the FD's certificate against
# the CA file, and the FD certificate's Common Name must match the name used to
# reach this client (see the CSR note above). Require = yes refuses any
# fallback to a cleartext session.
TLS Enable = yes
TLS Require = yes
# Certificate the Director presents to the FD; the FD's Director resource sets
# Verify Peer = yes, so this must be CA-signed.
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Storage {
...
# director --> storage daemon client
# The Director is the TLS client towards the SD: it verifies the SD certificate
# against the CA file, and the SD's Director resource (Verify Peer = yes)
# requires the certificate given here to be CA-signed.
TLS Enable = yes
TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
/etc/bacula/bacula-fd.conf
Director {
...
# director --> filedaemon server
# The FD is the TLS server for incoming Director connections. Verify Peer = yes
# makes the Director present a CA-signed certificate; NOTE(review): without a
# "TLS Allowed CN" list any certificate from the CA is accepted, so consider
# listing the Director's Common Name here.
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# NOTE(review): the setup steps copy bacula-<client>.key/.crt to this host, not
# bacula.key/.crt - confirm these files exist here or point the directives at
# the per-host files (as the FileDaemon resource below does).
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
# The CA certificate copied from the CA host (not the demoCA/ path).
TLS CA Certificate File = /etc/bacula/cacert.pem
}
FileDaemon {
...
# file daemon --> storage daemon client
# The FD is the TLS client when it connects to the SD for data transfer: it
# verifies the SD certificate against the CA file and presents the per-host
# certificate below (the SD's Storage resource sets Verify Peer = yes).
TLS Enable = yes
TLS Require = yes
# NOTE(review): these are the files the setup steps copy to this host; the
# Director resource above in this same file references bacula.key/.crt instead -
# presumably both should name this host's certificate; confirm.
TLS Key = /etc/bacula/bacula-<client>.key
TLS Certificate = /etc/bacula/bacula-<client>.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
/etc/bacula/bacula-sd.conf
Storage {
...
# file daemon --> storage daemon server
# The SD is the TLS server for FD data connections. Verify Peer = yes requires
# each FD to present a certificate issued by the CA below; NOTE(review): with no
# "TLS Allowed CN" list any certificate from the CA is accepted.
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# This host's private key and certificate (copied here after signing).
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
# The CA certificate copied from the CA host.
TLS CA Certificate File = /etc/bacula/cacert.pem
}
Director {
...
# director --> storage daemon server
# The SD is the TLS server for Director control connections. Verify Peer = yes
# requires the Director to present a CA-signed certificate; NOTE(review): add a
# "TLS Allowed CN" entry for the Director's Common Name if any other CA-issued
# certificate should not be able to open this control channel.
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
# Same key/certificate as the Storage resource above - one identity per daemon.
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
/etc/bacula/bconsole.conf
Director {
...
# bconsole --> director client
# bconsole is the TLS client: it verifies the Director's certificate against the
# CA file and, because the Director resource has Verify Peer = yes, must present
# the CA-signed certificate below. Require = yes prevents a cleartext fallback.
TLS Enable = yes
TLS Require = yes
# The key must be readable by whoever runs bconsole; keep its permissions as
# tight as the daemon keys.
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
# demoCA/ path: this assumes bconsole runs on the Director (CA) host.
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}