Problems with bootstrapping certificates
Petr Uzel
petr.uzel at suse.cz
Thu Oct 15 10:16:48 CEST 2009
On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
> Hi,
Hello Alan,
thanks for the response.
>
> > I have a question regarding bootstrapping default certificates using
> > bootstrap script in raddb/certs directory.
>
> Ideally once you've used the bootstrap you would remove the script that
> makes them from the eap.conf and then that's done.
>
> even better, you don't use the bootstrap script at all and instead install
> a proper CA, server.crt file etc
>
> the bootstrap is really only there to get a test server up and running
> quickly - you wouldn't want a snakeoil and very low timescale certificate
> to be used in production :-)
I completely agree with you. However, there is still an issue that
bootstrap script does IMHO something different than what is described
in the README.
To be more specific: I work on packaging the freeradius server RPM. The
README explicitly states that "This bootstrap script SHOULD be run on
installation of any pre-built binary package for your OS." I
understand that it should be run automatically in the %post section,
like in the suse spec file included in the tarball. This leads to two
problems:
- if the user runs the bootstrap script manually after installation, the
certificates get corrupted
- if the user performs an upgrade of the package, the certificates get
corrupted - this is worse than the first problem, since the user
might already have his 'production' certificates installed.
So I suggest either to
1) do not recommend running the bootstrap script automatically and
force the user to run it manually
or
2) fix the bootstrap script and/or Makefile to do nothing if
the required files already exist.
--
Best regards / s pozdravem
Petr Uzel, openSUSE Boosters Team
-----------------------------------------------------------------
SUSE LINUX, s.r.o. e-mail: puzel at suse.cz
Lihovarská 1060/12 http://www.suse.cz
190 00 Prague 9, CR
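The second suggestion above (make the bootstrap step a no-op when the certificate files already exist) is easy to demonstrate. The following is an added example written for this page; it is not the FreeRADIUS bootstrap script or Makefile, and it does not use the project's file layout. It assumes a certs directory containing ca.pem, ca.key, server.key and server.pem (names chosen for the example), assumes the openssl command-line tool is installed (falling back to labelled placeholder files when it is not), and shows the guard a packager could call from %post so that neither a manual re-run nor a package upgrade overwrites material that is already in place.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code. Idempotent test-certificate bootstrap:
# if the files a server needs are already present and non-empty, do nothing,
# so a second run (manual or from an RPM %post on upgrade) cannot clobber
# production certificates that were installed in the meantime.
# Assumed file names: ca.key ca.pem server.key server.pem

# Return 0 when every required file exists and is non-empty.
# -s (not -e) so a zero-byte leftover from a failed run does not count.
certs_present() {
    dir="$1"
    for f in ca.key ca.pem server.key server.pem; do
        [ -s "$dir/$f" ] || return 1
    done
    return 0
}

# Generate throw-away test material in "$1". Only called by bootstrap_certs
# when certs_present fails. Uses openssl where available; otherwise writes
# clearly labelled placeholder files so the guard logic can still be shown.
generate_certs() {
    dir="$1"
    mkdir -p "$dir"
    if command -v openssl >/dev/null 2>&1; then
        # self-signed test CA
        openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
            -keyout "$dir/ca.key" -out "$dir/ca.pem" \
            -subj "/CN=Example Test CA" >/dev/null 2>&1
        # server key + CSR, then sign it with the test CA
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/CN=Example Test Server" >/dev/null 2>&1
        openssl x509 -req -days 60 -in "$dir/server.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/server.pem" >/dev/null 2>&1
        rm -f "$dir/server.csr"
    else
        # placeholder content, labelled as such (no openssl on this host)
        for f in ca.key ca.pem server.key server.pem; do
            printf 'PLACEHOLDER %s generated %s\n' "$f" "$(date)" > "$dir/$f"
        done
    fi
}

# The guard a package's %post (or the bootstrap script itself) would call.
bootstrap_certs() {
    dir="$1"
    if certs_present "$dir"; then
        echo "bootstrap_certs: certificates already present in $dir, leaving them untouched"
        return 0
    fi
    echo "bootstrap_certs: no certificates in $dir, generating test material"
    generate_certs "$dir"
}

# Run the bootstrap twice against the same directory and return 0 only if
# the second run left server.pem and ca.pem byte-for-byte unchanged.
demo_idempotent() {
    dir="$1"
    bootstrap_certs "$dir"
    before=$(cat "$dir/ca.pem" "$dir/server.pem" | cksum)
    bootstrap_certs "$dir"
    after=$(cat "$dir/ca.pem" "$dir/server.pem" | cksum)
    [ "$before" = "$after" ]
}

# Stand-alone run: work in a scratch directory, never in a real raddb/certs.
tmp=$(mktemp -d)
if demo_idempotent "$tmp"; then
    echo "second run changed nothing: guard works"
else
    echo "second run rewrote the files: guard broken"
fi
rm -rf "$tmp"
```

Wiring this into a spec file then means calling the guarded function from %post (and not running the generation unconditionally), so a fresh install still gets test certificates while upgrades and repeated manual runs leave existing files alone. The check is deliberately on the files, not on a package-manager flag, so it behaves the same whether the user or the package scriptlet triggers it.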