Problems with bootstrapping certificates
Petr Uzel
petr.uzel at suse.cz
Wed Oct 14 17:46:38 CEST 2009
Hi list,
I have a question regarding bootstrapping default certificates using
bootstrap script in raddb/certs directory.
From the README:
------
$ radiusd -X
That will cause the EAP-TLS module to run the "bootstrap" script in
this directory. The script will be executed only once, the first time
the server has been installed on a particular machine. This bootstrap
script SHOULD be run on installation of any pre-built binary package
for your OS. In any case, the script will ensure that it is not run
twice, and that it does not over-write any existing certificates.
------
If I understand that right, it means that when I run the script twice,
the generated certificates should not be changed (provided the *.cnf files
did not change).
But I observe something different:
=======> cd raddb/certs/
=======> ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
<SNIP>
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
Everything OK so far
=======> touch *.cnf
=======> ./bootstrap
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
<SNIP>
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
<SNIP>
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 14 15:10:57 2009 GMT
Not After : Oct 14 15:10:57 2010 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin at example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Oct 14 15:10:57 2010 GMT (365 days)
failed to update database
TXT_DB error number 2
make: *** [server.crt] Error 1
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
<SNIP>
Generating a 2048 bit RSA private key
................................................+++
.....+++
writing new private key to 'server.key'
-----
Generating a 2048 bit RSA private key
.............................................................+++
.........................+++
writing new private key to 'ca.key'
-----
Generating a 2048 bit RSA private key
........................+++
...............+++
writing new private key to 'ca.key'
-----
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
ERROR:Serial number 01 has already been issued,
check the database/serial_file for corruption
The matching entry has the following details
Type :Valid
Expires on :101014151025Z
Serial Number :01
File name :unknown
Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin at example.com
Please notice that generating server.crt failed with "TXT_DB error number 2".
Thus after issuing the ./bootstrap command for the second time, the server.crt
file is empty.
If I change unique_subject=yes to unique_subject=no in index.txt.attr before
issuing the second ./bootstrap, then the script finishes without errors, but I'm
not sure the resulting files are correct.
I have to admit that my knowledge of openssl is very limited,
but as far as I understand that, this behavior is a bug,
or at least it does not conform to the documentation.
I would expect that the bootstrap/Makefile would simply do nothing if
the required certificates are already present, no matter what the
timestamps of the *.cnf files are.
The testing was done with current git master branch.
--
Best regards / s pozdravem
Petr Uzel, openSUSE Boosters Team
-----------------------------------------------------------------
SUSE LINUX, s.r.o. e-mail: puzel at suse.cz
Lihovarská 1060/12 http://www.suse.cz
190 00 Prague 9, CR
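A preflight check of the kind the poster expects the bootstrap to perform, as an added example that is not part of the original post or of FreeRADIUS: it parses the openssl "ca" index.txt format that the error output above prints field by field, reports whether issuing a second certificate for the same subject would be refused under unique_subject=yes, and lists which output files are absent or empty. The sample index line and the `exists`/`size` helper parameters are constructed for this example.

```python
# index.txt, the openssl "ca" text database, has one tab-separated line per
# issued certificate: status expiry revocation_date serial filename subject.
# status is V (valid), R (revoked) or E (expired).  With unique_subject=yes,
# "openssl ca" refuses to issue another certificate for a subject that still
# has a V line and reports "TXT_DB error number 2", as in the post.
import os
from datetime import datetime

# Constructed sample mirroring the entry quoted in the post (not a real file).
SERVER_SUBJECT = ("/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate"
                  "/emailAddress=admin@example.com")
SAMPLE_INDEX = "V\t101014151025Z\t\t01\tunknown\t" + SERVER_SUBJECT + "\n"


def parse_index(text):
    """Parse index.txt content into a list of dicts (expiry as datetime)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, fname, subject = fields
        entries.append({"status": status,
                        # UTCTime YYMMDDHHMMSSZ: 101014151025Z = 2010-10-14 15:10:25
                        "expiry": datetime.strptime(expiry, "%y%m%d%H%M%SZ"),
                        "revoked": revoked or None, "serial": serial,
                        "filename": fname, "subject": subject})
    return entries


def would_collide(index_text, subject, unique_subject=True):
    """True if "openssl ca" would refuse to issue `subject` again.

    Only V lines count; an expired certificate keeps status V (and keeps
    blocking re-issue) until "openssl ca -updatedb" is run.
    """
    if not unique_subject:
        return False
    return any(e["status"] == "V" and e["subject"] == subject
               for e in parse_index(index_text))


def missing_or_empty(paths, exists=os.path.exists, size=os.path.getsize):
    """Files a bootstrap should (re)generate: absent or zero-length, like the
    empty server.crt left behind by the post's failed second run."""
    return [p for p in paths if not exists(p) or size(p) == 0]
```

A bootstrap that runs `would_collide` on the real index.txt and `missing_or_empty` on ca.pem, server.key and server.crt can skip signing when nothing needs regenerating instead of failing half-way and leaving an empty server.crt.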