Problems with bootstrapping certificates
Hi list, I have a question regarding bootstrapping default certificates using bootstrap script in raddb/certs directory. From the README: ------ $ radiusd -X That will cause the EAP-TLS module to run the "bootstrap" script in this directory. The script will be executed only once, the first time the server has been installed on a particular machine. This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS. In any case, the script will ensure that it is not run twice, and that it does not over-write any existing certificates. ------ If I understand that right, it means that when I run the script twice, then generated certificates should not be changed (provided the *.cnf files did not change. But I observe something different: =======> cd raddb/certs/ =======> ./bootstrap openssl dhparam -out dh 1024 Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time <SNIP> MAC verified OK openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der Everything OK so far =======> touch *.cnf =======> ./bootstrap openssl req -new -out server.csr -keyout server.key -config ./server.cnf Generating a 2048 bit RSA private key <SNIP> writing new private key to 'server.key' ----- openssl req -new -x509 -keyout ca.key -out ca.pem \ -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf Generating a 2048 bit RSA private key <SNIP> writing new private key to 'ca.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf Using configuration from ./server.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Oct 14 15:10:57 2009 GMT Not After : Oct 14 15:10:57 2010 GMT Subject: countryName = FR stateOrProvinceName = Radius organizationName = Example Inc. commonName = Example Server Certificate emailAddress = admin@example.com X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Oct 14 15:10:57 2010 GMT (365 days) failed to update database TXT_DB error number 2 make: *** [server.crt] Error 1 Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time <SNIP> Generating a 2048 bit RSA private key ................................................+++ .....+++ writing new private key to 'server.key' ----- Generating a 2048 bit RSA private key .............................................................+++ .........................+++ writing new private key to 'ca.key' ----- Generating a 2048 bit RSA private key ........................+++ ...............+++ writing new private key to 'ca.key' ----- Using configuration from ./server.cnf Check that the request matches the signature Signature ok ERROR:Serial number 01 has already been issued, check the database/serial_file for corruption The matching entry has the following details Type :Valid Expires on :101014151025Z Serial Number :01 File name :unknown Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com Please notice that generating server.crt failed with "TXT_DB error number 2". Thus after issuing the ./bootstrap command for the second time, the server.crt file is empty. If I change unique_subject=yes to unique_subject=no in index.txt.attr before issuing second ./bootstrap, then the script finishes without errors, but I'm not sure the resulting files are correct. I have to admit that my knowledge of openssl is very limited, but as far as I understand that, this behavior is a bug, or at least it does not conform to the documentation. I would expect that the bootstrap/Makefile would simply do nothing if the required certificates are already present, no matter what are the timestamps of *.cnf files. The testing was done with current git master branch. -- Best regards / s pozdravem Petr Uzel, openSUSE Boosters Team ----------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: puzel@suse.cz Lihovarská 1060/12 http://www.suse.cz 190 00 Prague 9, CR
Hi,
I have a question regarding bootstrapping default certificates using bootstrap script in raddb/certs directory.
Ideally once you've used the bootstrap you would remove the script that makes them from the eap.conf and then thats done. even better, you dont use the boostrap script at all and instead install a proper CA, server.crt file etc the boostrap is really only there to get a test server up and running quickly - you wouldnt want a snakeoil and very low timescale certificate to be used in production :-) alan
On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
Hi,
Hello Alan, thanks for the response.
I have a question regarding bootstrapping default certificates using bootstrap script in raddb/certs directory.
Ideally once you've used the bootstrap you would remove the script that makes them from the eap.conf and then thats done.
even better, you dont use the boostrap script at all and instead install a proper CA, server.crt file etc
the boostrap is really only there to get a test server up and running quickly - you wouldnt want a snakeoil and very low timescale certificate to be used in production :-)
I completely agree with you. However, there is still an issue that bootstrap script does IMHO something different than what is described in the README. To be more specific: I work on packaging freeradius server RPM. The README explictly states that "This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS." I understand that it should be ran automatically in the %post section, like in the suse spec file included in the tarball. This leads to two problems: - if the user runs bootstrap script manually after installation, the certificates get corrupted - if the user performs upgrade of the package, the certificates get corrupted - this is worse than the first problem, since the user might already have his 'production' certificates installed. So I suggest either to 1) do not recommend running the bootstrap script automatically and force the user to run it manually or 2) fix the bootstrap script and/or Makefile to do nothing if the required files already exist. -- Best regards / s pozdravem Petr Uzel, openSUSE Boosters Team ----------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: puzel@suse.cz Lihovarská 1060/12 http://www.suse.cz 190 00 Prague 9, CR
Petr Uzel wrote:
To be more specific: I work on packaging freeradius server RPM. The README explictly states that "This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS." I understand that it should be ran automatically in the %post section, like in the suse spec file included in the tarball. This leads to two problems: - if the user runs bootstrap script manually after installation, the certificates get corrupted
Yes. Re-generating the certs causes them to be regenerated.
- if the user performs upgrade of the package, the certificates get corrupted - this is worse than the first problem, since the user might already have his 'production' certificates installed.
So don't regenerate them...
So I suggest either to 1) do not recommend running the bootstrap script automatically and force the user to run it manually or 2) fix the bootstrap script and/or Makefile to do nothing if the required files already exist.
That's already in the "makefile". I suggest a patch to the bootstrap script. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Petr Uzel