FreeRadius Certificate Migration
John Dennis
jdennis at redhat.com
Tue May 14 23:53:55 CEST 2013
Thank you for including the full debug. Here is the section from the
rlm_eap_tls initialization.
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> CA_path = "/usr/local/etc/raddb/certs/roots"
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/servercert.pem"
> certificate_file = "/usr/local/etc/raddb/certs/servercert.pem"
> private_key_password = "********"
> dh_file = "/usr/local/etc/raddb/certs/dh"
> random_file = "/usr/local/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
> ecdh_curve = "prime256v1"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
A couple of things immediately jump out at me. This is not the default
configuration. First of all, there is no CA_file configured (only
CA_path). You must have commented that out or deleted it. That means you
can't use a bundled CA file. Secondly, the CA_path is not the default
either; you've got /usr/local/etc/raddb/certs/roots. Does that directory
exist? But more importantly, can radiusd execute the directory and read
its contents? These are file/directory permission issues. In
radiusd.conf there are user and group variables; these are the user and group,
respectively, that radiusd runs as *after* it initializes. I'm not sure
if OpenSSL reads the CA files before or after radiusd drops privileges
from root to the user/group specified in radiusd.conf. But at the time
OpenSSL reads the files it has to have permission to traverse into the
directory (execute permission) and have read permission on the files to
read their contents.
If you're not sure whether radiusd is reading the CA files or not, it's easy
to verify by running radiusd under strace (hint: use -o to direct the
output to a file and then search for your CA_path); you should see the
directory being opened and files being read. If there are permission
problems you'll see error information in the strace output.
HTH,
John
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
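As an added example (not part of John's reply or of FreeRADIUS itself), the script below performs the permission check he describes without running radiusd at all: it takes the `user` and `group` values from radiusd.conf, works out the uid and group set that radiusd will have after it drops privileges, and then walks from `/` down to `CA_path`, reporting any directory that user could not traverse (missing execute/search bit) and any file inside it that user could not read. It emulates the kernel's owner/group/other mode-bit check from `stat()` output rather than calling `os.access()`, so it can be run as root or as any other user and still answer the question for the radiusd account. The function names, the default user and group `radiusd`, and the CA_path argument are all assumptions for the example.

```python
"""Check whether the account radiusd runs as can traverse CA_path and read
the certificates in it (hypothetical helper, not part of FreeRADIUS)."""
import grp
import os
import pwd
import stat
import sys


def uid_and_gids(user, group):
    """Resolve the radiusd.conf user/group into a uid and the full set of
    gids (primary group plus supplementary groups) that radiusd will have
    after it drops privileges."""
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    return uid, set(os.getgrouplist(user, gid))


def _has_bit(st, uid, gids, owner_bit, group_bit, other_bit):
    """Emulate the DAC check the kernel makes for read/search permission:
    root bypasses it; otherwise owner bits, then group bits, then other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_traverse(path, uid, gids):
    """True if the account can search (execute) the directory at path."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and _has_bit(
        st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_read(path, uid, gids):
    """True if the account can read the contents of the file at path."""
    st = os.stat(path)
    return _has_bit(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_ca_path(ca_path, uid, gids):
    """Return a list of problems OpenSSL would hit when it opens CA_path on
    behalf of a process running with this uid/gids. Empty list means OK.
    Checking stops at the first untraversable ancestor, since nothing below
    it is reachable anyway."""
    problems = []
    ca_path = os.path.abspath(ca_path)
    ancestors = []
    p = ca_path
    while True:
        ancestors.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    for d in reversed(ancestors):  # from "/" down to CA_path itself
        if not os.path.isdir(d):
            problems.append(f"{d}: missing or not a directory")
            return problems
        if not can_traverse(d, uid, gids):
            problems.append(f"{d}: no execute (search) permission")
            return problems
    # Every cert (or hash symlink target) in CA_path must be readable.
    for name in sorted(os.listdir(ca_path)):
        full = os.path.join(ca_path, name)
        if os.path.isfile(full) and not can_read(full, uid, gids):
            problems.append(f"{full}: no read permission")
    return problems


if __name__ == "__main__":
    # Usage: check_ca_path.py <CA_path> [user] [group]
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/raddb/certs/roots"
    user = sys.argv[2] if len(sys.argv) > 2 else "radiusd"   # assumed defaults
    group = sys.argv[3] if len(sys.argv) > 3 else "radiusd"
    found = check_ca_path(path, *uid_and_gids(user, group))
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

If the script reports no problems but EAP-TLS still fails to load the CA, the strace approach in the reply is the next step: `strace -f -o /tmp/radiusd.trace radiusd -X` records every `open`/`openat` of the CA_path directory and the errno it returned, so a `grep raddb/certs /tmp/radiusd.trace` shows whether the files were read before or after the privilege drop and whether any open failed with EACCES.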