On Dec 20, 2019, at 4:00 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 20, 2019, at 3:56 PM, Coy Hile <coy.hile@coyhile.com> wrote:
I’ve seen a strange one… I’ve created the test certs, etc, that enable the EAP configuration to work. Running radiusd -X, one sees (in relevant part): ... However, if I try to start radiusd as normal (not via -X), I end up with this behavior in the logs:
Fri Dec 20 20:46:38 2019 : Error: tls: Failed reading certificate file "/opt/local/etc/raddb/certs/server.pem": error:0906D06C:PEM routines:PEM_read_bio:no start line
That's probably file permissions. OpenSSL is notorious for terrible error messages,
Clearly, I can disable EAP (as I don’t use it at the moment) and get things working; however, I’m trying to disable as little of the default configs as possible. Is there something different in the code path when debugging is enabled vs not that is making OpenSSL libraries do something weird?
If you're running "radiusd -X" as root, and daemon mode as user radiusd, then the issue is likely file permissions.
My initial thought as well; however, even running as user radiusd, I see the same behavior; starts fine in debug mode, and bails with the cited error. Interestingly, if I run radiusd -f as root, I see the same behavior in the logs and a failure to start. Permissions _should_ be fine: [root@b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb]# ls -ld . certs drwxr-xr-x 9 root root 21 Dec 20 20:07 . drwxr-x--- 2 radiusd radiusd 35 Dec 20 20:45 certs [root@b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb]# root@b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb/certs]# ls -l server.pem -rw-r----- 1 radiusd radiusd 3659 Dec 20 19:59 server.pem [root@b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb/certs]# The file is readable by user ‘radiusd’ Hence my confusion. Clearly the passphrase in the EAP config (‘whatever’) works, else it would fail in debug mode -- Coy Hile coy.hile@coyhile.com