Problems with bootstrapping certificates

Petr Uzel petr.uzel at suse.cz
Thu Oct 15 10:16:48 CEST 2009


On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
> Hi,

Hello Alan,
thanks for the response.

> 
> > I have a question regarding bootstrapping default certificates using
> > bootstrap script in raddb/certs directory.
> 
> Ideally once you've used the bootstrap you would remove the script that
> makes them from the eap.conf and then that's done.
> 
> even better, you don't use the bootstrap script at all and instead install
> a proper CA, server.crt file etc.
> 
> the bootstrap is really only there to get a test server up and running
> quickly - you wouldn't want a snakeoil and very low timescale certificate
> to be used in production :-)

I completely agree with you. However, there is still an issue: the
bootstrap script IMHO does something different from what is described
in the README.


To be more specific: I work on packaging the freeradius server RPM. The
README explicitly states that "This bootstrap script SHOULD be run on
installation of any pre-built binary package for your OS." I
understand that it should be run automatically in the %post section,
like in the suse spec file included in the tarball. This leads to two
problems:
- if the user runs bootstrap script manually after installation, the
  certificates get corrupted
- if the user performs upgrade of the package, the certificates get
  corrupted - this is worse than the first problem, since the user
  might already have his 'production' certificates installed.

So I suggest either to
1) not recommend running the bootstrap script automatically and
force the user to run it manually,
or
2) fix the bootstrap script and/or Makefile to do nothing if
the required files already exist.



-- 
Best regards / s pozdravem

Petr Uzel, openSUSE Boosters Team
-----------------------------------------------------------------
SUSE LINUX, s.r.o.                          e-mail: puzel at suse.cz
Lihovarská 1060/12                          http://www.suse.cz
190 00 Prague 9, CR                             
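As an added illustration of option 2) above (this is example code written for this page, not the FreeRADIUS bootstrap script or Makefile), the following POSIX sh guard makes certificate bootstrapping idempotent: it runs a generator command only when the target directory holds none of the certificate files, so a %post scriptlet or a second manual run cannot clobber certificates that are already installed. The file names checked and the `make -C raddb/certs` generator are assumptions for the example, not a complete description of what the real bootstrap produces.

```shell
#!/bin/sh
# Example idempotency guard for certificate bootstrapping (added example,
# not part of FreeRADIUS). The list of files is an assumption: extend it
# to match whatever the package's bootstrap actually writes.
REQUIRED_CERT_FILES="ca.pem server.pem server.crt dh"

# certs_present DIR
# Returns 0 if ANY of the listed files exists in DIR, 1 if none do.
# Checking for "any" rather than "all" is deliberate: a partially
# populated directory most likely holds an admin's own certificates,
# and overwriting even one of them would corrupt the installation.
certs_present() {
    dir=$1
    for f in $REQUIRED_CERT_FILES; do
        if [ -e "$dir/$f" ]; then
            return 0
        fi
    done
    return 1
}

# bootstrap_certs DIR GENERATOR [ARGS...]
# Runs GENERATOR (for example: make -C raddb/certs) only when DIR holds
# none of the certificate files. Otherwise it leaves DIR untouched and
# returns 2, so a packaging scriptlet can distinguish "skipped because
# certificates exist" from a failed generation (non-zero from GENERATOR).
bootstrap_certs() {
    dir=$1
    shift
    if certs_present "$dir"; then
        echo "bootstrap_certs: $dir already contains certificates; not overwriting" >&2
        return 2
    fi
    mkdir -p "$dir" || return 1
    "$@"
}

# Typical use from an RPM %post scriptlet (paths are assumptions):
#   bootstrap_certs /etc/raddb/certs make -C /etc/raddb/certs || [ $? -eq 2 ]
```

The trailing `|| [ $? -eq 2 ]` in the usage comment keeps a package install from failing when the guard skips generation on upgrade, while a genuine generator error (exit status other than 0 or 2) still surfaces.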