Solving the SSL problem in CVS head

Peter Nixon listuser at peternixon.net
Tue May 8 16:40:25 CEST 2007


On Wed 25 Apr 2007, Alan DeKok wrote:
>   I had an idea on the way home last night.  It's now implemented, and
> it's pretty cool.
>
>   In eap.conf, the tls, ttls, and peap sections are now enabled in the
> default install.
>
>   The EAP module ignores them if OpenSSL wasn't found during the build.
>
>   The tls module now has a configuration entry "make_cert_command".
>
>   raddb/certs/bootstrap is a shell script that runs "make".
>
>   On initial boot in debugging mode after "make install", the server
> loads the tls module (if OpenSSL was found).  The TLS module sees that
> there's a "make_cert_command", and it's in debugging mode, and no server
> certificate exists.
>
>   It then runs the "make_cert_command" to create the certificates, and
> continues with its normal startup.
>
>   This means that all of the annoying fighting with stupid certificates
> to get EAP-TLS to work is *gone*.  Just install OpenSSL, install the
> server, and start the server.  EAP-TLS, TTLS, and PEAP will Just Work.
>
>   This makes me happy.  It should make the server MUCH easier to deploy.

This is all cool, except my rpms no longer work by default :-D

A new install on a clean server of last night's snapshot rpm gives the 
following on first start:

Tue May  8 14:31:08 2007 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on May  8 2007 at 11:17:58
Tue May  8 14:31:08 2007 : Info: Starting - reading configuration files ...
Tue May  8 14:31:08 2007 : Info: rlm_exec: wait=yes but no output defined. Did you mean output=none?
Tue May  8 14:31:08 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Tue May  8 14:31:08 2007 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
Tue May  8 14:31:08 2007 : Error: rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
Tue May  8 14:31:08 2007 : Error: rlm_eap: Failed to initialize type tls
Tue May  8 14:31:08 2007 : Error: radiusd.conf[10]: eap: Module instantiation failed.
Tue May  8 14:31:08 2007 : Error: radiusd.conf[2129] Failed to find module "eap".
Tue May  8 14:31:08 2007 : Error: radiusd.conf[2076] Failed to parse authenticate section.
Tue May  8 14:31:08 2007 : Error: Errors setting up modules

Note that radiusd does not have permission to write to /etc/raddb with the 
default install of my rpms, and in my opinion should not need to have 
permission:

# ls -la /etc/raddb/certs
total 33
drw-r----- 2 root radiusd  248 2007-05-08 14:28 .
drwxr-xr-x 4 root root     816 2007-05-08 14:28 ..
-rw-r----- 1 root radiusd  297 2007-05-08 11:18 bootstrap
-rw-r----- 1 root radiusd 1155 2007-05-08 11:18 ca.cnf
-rw-r----- 1 root radiusd 1109 2007-05-08 11:18 client.cnf
-rw-r----- 1 root radiusd 4181 2007-05-08 11:18 Makefile
-rw-r----- 1 root radiusd 4063 2007-05-08 11:18 README
-rw-r----- 1 root radiusd 1123 2007-05-08 11:18 server.cnf
-rw-r----- 1 root radiusd  514 2007-05-08 11:18 xpextensions

Should I run "raddb/certs/bootstrap" during rpm build? On initial install?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
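An added example, not FreeRADIUS code and not from Peter Nixon's rpm spec: one way to answer the closing question is to run the certificate bootstrap at package install time, as root, and then leave /etc/raddb/certs readable but not writable by the radiusd group, so the server never needs write access there. The directory, the bootstrap command and the group are parameters of the functions below (assumed names; in a real %post the command would be `sh bootstrap` from the listing above and the group `radiusd`), and `perms_ok` checks the resulting layout. Note that the directory in the listing above is `drw-r-----`, with no execute (search) bit; without it a member of group radiusd gets "Permission denied" from fopen() even for a path that does not exist, which is one plausible reading of the log, so the check below insists on that bit.

```shell
#!/bin/sh
# Added example (not part of FreeRADIUS): pre-generate EAP-TLS certificates
# as the installing user, then lock the directory down for the runtime group.
# DIR, BOOTSTRAP_CMD and GROUP are assumed parameters, not project settings.

# cert_state DIR -> prints "present" if DIR/server.pem exists, else "missing"
cert_state() {
    if [ -f "$1/server.pem" ]; then echo present; else echo missing; fi
}

# install_certs DIR BOOTSTRAP_CMD GROUP
#   Runs BOOTSTRAP_CMD inside DIR only when server.pem is missing, then sets
#   owner rwx / group r-x on the directory and owner rw / group r on files,
#   nothing for others.  Returns 1 if no server.pem exists afterwards.
install_certs() {
    dir=$1; cmd=$2; grp=$3
    [ -d "$dir" ] || return 1
    if [ "$(cert_state "$dir")" = missing ]; then
        ( cd "$dir" && sh -c "$cmd" ) || return 1
    fi
    [ -f "$dir/server.pem" ] || return 1
    chgrp -R "$grp" "$dir" || return 1
    chmod 0750 "$dir" || return 1
    find "$dir" -type f -exec chmod 0640 {} + || return 1
    return 0
}

# perms_ok DIR -> 0 if the runtime group can read but not modify the certs
perms_ok() {
    dir=$1
    # directory: group search bit set, no group/other write bit
    [ -n "$(find "$dir" -prune -type d -perm -010 ! -perm -020 ! -perm -002 -print)" ] || return 1
    # files: group-readable, not group/other-writable, not world-readable
    bad=$(find "$dir" -type f \( ! -perm -040 -o -perm -020 -o -perm -002 -o -perm -004 \) -print | head -n 1)
    [ -z "$bad" ]
}
```

Because the bootstrap runs once at install time, a second `install_certs` call is a no-op apart from re-applying the permissions, so the same function can be used from both %post and a manual re-install without regenerating the CA. If the rpm ships the certs directory itself, give it mode 0750 rather than the 0640 seen in the listing, otherwise the group can neither list nor open anything inside it.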