On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
Hi,
Hello Alan, thanks for the response.
I have a question regarding bootstrapping default certificates using bootstrap script in raddb/certs directory.
Ideally once you've used the bootstrap you would remove the script that makes them from the eap.conf and then thats done.
even better, you dont use the boostrap script at all and instead install a proper CA, server.crt file etc
the boostrap is really only there to get a test server up and running quickly - you wouldnt want a snakeoil and very low timescale certificate to be used in production :-)
I completely agree with you. However, there is still an issue that bootstrap script does IMHO something different than what is described in the README. To be more specific: I work on packaging freeradius server RPM. The README explictly states that "This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS." I understand that it should be ran automatically in the %post section, like in the suse spec file included in the tarball. This leads to two problems: - if the user runs bootstrap script manually after installation, the certificates get corrupted - if the user performs upgrade of the package, the certificates get corrupted - this is worse than the first problem, since the user might already have his 'production' certificates installed. So I suggest either to 1) do not recommend running the bootstrap script automatically and force the user to run it manually or 2) fix the bootstrap script and/or Makefile to do nothing if the required files already exist. -- Best regards / s pozdravem Petr Uzel, openSUSE Boosters Team ----------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: puzel@suse.cz Lihovarská 1060/12 http://www.suse.cz 190 00 Prague 9, CR