SSL certificate problems

Walter Gould gouldwp at auburn.edu
Fri Oct 26 22:23:43 CEST 2007 

Alan DeKok wrote:
> Walter Gould wrote:
>   
>> I am following the document "FreeRADIUS Active Directory Integration
>> HOWTO" from the freeradius Wiki.  I am having problems with  creating
>> SSL certificates.  When I follow the instructions at the bottom of this
>> doc and run the CA.all script, I see the following errors:
>>     
>
>   Ugh.
>
>   Download CVS head (see the web page for CVS instructions).
>
> $ cd raddb/certs
> $ vi *.cnf		ca.cnf, server.cnf to set your local parameters
> $ ./bootstrap
>
>   And you will have certificates than can be used in 1.1.x.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
Alan,

Thanks for your help.  I did what you suggested and then copied the 
certs that were created to my /etc/raddb/certs directory.  Also, I 
edited eap.conf to match the new private key password and the newly 
created certificate names.  I now try to run radiusd in debug mode and 
it dies.  I have checked file/directory permissions on the certs 
directory and they look ok to me - of course I know that doesn't mean 
much...

Below is the debug.  Please let me know if you need anything else...

Thanks again,
Walter

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/server.pem"
 tls: certificate_file = "/etc/raddb/certs/server.pem"
 tls: CA_file = "/etc/raddb/certs/ca.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "DEFAULT"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1947] Unknown module "eap".
radiusd.conf[1894] Failed to parse authenticate section.

More information about the Freeradius-Users mailing list