SSL certificate problems
Walter Gould
gouldwp at auburn.edu
Sat Oct 27 00:12:11 CEST 2007
Walter Gould wrote:
> Alan DeKok wrote:
>> Walter Gould wrote:
>>
>>> I am following the document "FreeRADIUS Active Directory Integration
>>> HOWTO" from the freeradius Wiki. I am having problems with creating
>>> SSL certificates. When I follow the instructions at the bottom of this
>>> doc and run the CA.all script, I see the following errors:
>>>
>>
>> Ugh.
>>
>> Download CVS head (see the web page for CVS instructions).
>>
>> $ cd raddb/certs
>> $ vi *.cnf ca.cnf, server.cnf to set your local parameters
>> $ ./bootstrap
>>
>> And you will have certificates that can be used in 1.1.x.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
> Alan,
>
> Thanks for your help. I did what you suggested and then copied the
> certs that were created to my /etc/raddb/certs directory. Also, I
> edited eap.conf to match the new private key password and the newly
> created certificate names. I now try to run radiusd in debug mode and
> it dies. I have checked file/directory permissions on the certs
> directory and they look ok to me - of course I know that doesn't mean
> much...
>
> Below is the debug. Please let me know if you need anything else...
>
> Thanks again,
> Walter
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "radiusd"
> main: group = "radiusd"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded eap
> eap: default_eap_type = "peap"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/raddb/certs/server.pem"
> tls: certificate_file = "/etc/raddb/certs/server.pem"
> tls: CA_file = "/etc/raddb/certs/ca.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/etc/raddb/certs/dh"
> tls: random_file = "/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "DEFAULT"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
> rlm_eap_tls: Error reading certificate file
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1947] Unknown module "eap".
> radiusd.conf[1894] Failed to parse authenticate section.
>
Alan & list,
Ignore my previous e-mail. It was indeed a permissions problem.
Thanks again,
Walter
--
Walter P. Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL
gouldwp at auburn.edu
www.auburn.edu/~gouldwp
334-844-9327
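The failure in the quoted debug output is OpenSSL's fopen() being refused on /etc/raddb/certs/server.pem while radiusd runs as the radiusd user. The following script is an added example, not code from the thread or from FreeRADIUS: it evaluates the plain owner/group/other mode bits of each certificate file and of every parent directory for a named user and group, so a "Permission denied" can be found before starting the daemon. It assumes GNU or busybox coreutils (stat -c), ignores ACLs, and takes the user, group and file names straight from the debug output above.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): can USER open the files
# rlm_eap_tls loads at startup? Mirrors the "fopen: Permission denied" failure.
# Assumes GNU/busybox stat -c; classic mode bits only, ACLs are not considered.

# can_access USER GROUP PATH BIT -> 0 if USER (primary group GROUP) has BIT
# (4 = read, 1 = execute/traverse) on PATH; 2 if PATH cannot be stat'ed.
can_access() {
    user=$1 group=$2 path=$3 bit=$4
    info=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 2
    set -- $info
    owner=$1 fgroup=$2
    mode=$(printf '%03d' "$3" | tail -c 3)   # keep only the rwx triplets
    if [ "$owner" = "$user" ]; then
        digit=${mode%??}                      # owner triplet
    elif [ "$fgroup" = "$group" ]; then
        digit=${mode#?}; digit=${digit%?}     # group triplet
    else
        digit=${mode#??}                      # other triplet
    fi
    [ $((digit & bit)) -ne 0 ]
}

# check_certs_readable USER GROUP FILE... -> 0 if USER can read every FILE
# and traverse every parent directory; prints one FAIL line per problem.
check_certs_readable() {
    user=$1 group=$2; shift 2
    status=0
    for f in "$@"; do
        dir=$(dirname "$f")
        while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
            if ! can_access "$user" "$group" "$dir" 1; then
                echo "FAIL: $user cannot traverse $dir (needed for $f)"
                status=1; break
            fi
            dir=$(dirname "$dir")
        done
        if ! can_access "$user" "$group" "$f" 4; then
            echo "FAIL: $user cannot read $f (missing, or mode/owner wrong)"
            status=1
        fi
    done
    return $status
}

# On the box from the thread (user, group and paths as in the debug output):
# check_certs_readable radiusd radiusd /etc/raddb/certs/server.pem \
#     /etc/raddb/certs/ca.pem /etc/raddb/certs/dh /etc/raddb/certs/random
```

Run it as root so stat can see every file; a 0600 server.pem owned by root is the classic cause, and the usual fix is chown or a group-readable mode, not making the private key world-readable.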