Re: FreeRadius Ceritificate Migration
Thank you for including the full debug. Here is the section from the rlm_eap_tls initialization.
Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs/roots" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/servercert.pem" certificate_file = "/usr/local/etc/raddb/certs/servercert.pem" private_key_password = "********" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } }
A couple of things immediately jump out at me. This is not the default configuration. First of all there is no CA_file configured (only CA_path). You must have commented that out or deleted it. That means you can't use a bundled CA file. Secondly the CA_path is not the default either, you've got /usr/local/etc/raddb/certs/roots. Does that directory exist? But more importantly can radiusd execute the directory and read it's contents? These are file/directory permission issues. In radiusd.conf are user and group variables, these are the user and group respectively that radiusd runs as *after* it initializes. I'm not sure if OpenSSL reads the CA files before or after radiusd drops privileges from root to the user/group specified in radiusd.conf. But at the time OpenSSL reads the files it has to have permission to traverse into the directory (execute permission) and have read permission on the files to read their contents. If you're not sure if radiusd is reading the CA files or not it's easy to verify by running radiusd under strace (hint: use -o to direct the output to a file and then search for your CA_path) you should see the directory being opened and files being read. If there are permission problems you'll see error information in the strace output. HTH, John -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (2)
-
John Dennis -
Mitch Yackobeck