Issue with 3.0.13 upgrade on Debian

Martin Pauly pauly at hrz.uni-marburg.de
Fri Mar 10 13:43:35 CET 2017


On 08.03.2017 12:08, Antoine JOUBERT wrote:
> I've encountered an issue while trying to upgrade one of my freeradius servers from 3.0.12 to 3.0.13.
>
> I've done the following to reproduce the issue. I've installed freeradius 3.0.12 on a new server from compiled Debian packages:

We encountered the same issue and tried around a bit.
The problem seems to be with the postinst script of freeradius-config, or rather /etc/freeradius/certs/Makefile.
If there is already some config (as naturally is the case with an upgrade), the postinst fails right in the middle (see below).
Since it is bound to exit on any error, the part creating the symlinks in sites-enabled and mods-enabled is never called.

A bit surprising to me, I had similar effects on a machine where I had purged all freeradius packages, but created
/etc/freeradius/certs manually with some files the FR install should never touch (my secrets, actually, for later $INCLUDE).

So here is where I suspect things to fail:

------------------ snippets of postinst of freeradius-config -------------------
set -e
[...]

           # Create snakoil certificates on initial install
           make -C /etc/freeradius/certs/

[symlinks to enable sites and mods are supposed to be created here]

----------------------------------------------------------------------------------



Here's a snippet from yesterday's /var/log/apt/term.log:
------------------------------------------- BEGIN --------------------------------------------
Setting up freeradius-config (3.0.13+git) ...
make: Entering directory '/etc/freeradius/certs'
openssl dhparam -out dh -2 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....+.....................+..................................................................................................................................
...............................+...............................................................+........+.....................................................
..............................................................................................................................................................
...........+...........................................+.............+........................................................................................
...................+..........................................................................................................................................
...........................................................+.................................................................................................+
..............................................+.......++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
.+++
..........................................................+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
         -days '60' -config ./ca.cnf
Generating a 2048 bit RSA private key
..........................................+++
.....+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
         Serial Number: 3 (0x3)
         Validity
             Not Before: Mar  9 16:24:07 2017 GMT
             Not After : May  8 16:24:07 2017 GMT
         Subject:
             countryName               = FR
             stateOrProvinceName       = Radius
             organizationName          = Example Inc.
             commonName                = Example Server Certificate
             emailAddress              = admin at example.org
         X509v3 extensions:
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             X509v3 CRL Distribution Points:

                 Full Name:
                   URI:http://www.example.com/example_ca.crl

Certificate is to be certified until May  8 16:24:07 2017 GMT (60 days)
failed to update database
TXT_DB error number 2
Makefile:78: recipe for target 'server.crt' failed
make: *** [server.crt] Error 1
make: Leaving directory '/etc/freeradius/certs'
dpkg: error processing package freeradius-config (--configure):
  subprocess installed post-installation script returned error exit status 2
------------------------------------------- END  --------------------------------------------

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
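
The failure mode described in this message, reproduced in a temporary directory as an added example (not part of the original post and not the freeradius-config postinst). `gen_certs` is a hypothetical stand-in for `make -C /etc/freeradius/certs/` that fails when a certificate database already exists, and the guarded variant is one possible ordering assumed here, not the packaging fix.

```shell
#!/bin/sh
# Added illustration; not the freeradius-config postinst. Everything runs in a
# temp directory, and gen_certs is a hypothetical stand-in for
# `make -C /etc/freeradius/certs/`.

# Each variant is written to its own file so it runs as a separate script,
# the way dpkg runs a postinst.
write_scripts() {
    cat > "$1/lib.sh" <<'EOF'
gen_certs() {      # fails when a cert database already exists (assumed model)
    [ ! -s "$1/certs/index.txt" ] || { echo "failed to update database" >&2; return 1; }
    echo "V constructed-entry" > "$1/certs/index.txt"
}
enable_defaults() {
    ln -sf ../sites-available/default "$1/sites-enabled/default"
}
EOF
    cat > "$1/as_described.sh" <<'EOF'
set -e
. "$1/lib.sh"
gen_certs "$1"          # an error here ends the script ...
enable_defaults "$1"    # ... so this is never reached
EOF
    cat > "$1/guarded.sh" <<'EOF'
set -e
. "$1/lib.sh"
enable_defaults "$1"
[ -e "$1/certs/index.txt" ] || gen_certs "$1"   # only on a fresh tree
EOF
}

# run_case <as_described|guarded> <fresh|upgrade>: build a constructed tree,
# run the script, print its exit status and whether the site got linked.
run_case() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/sites-available" "$root/sites-enabled"
    : > "$root/sites-available/default"
    [ "$2" = fresh ] || echo "V constructed-old-entry" > "$root/certs/index.txt"
    write_scripts "$root"
    rc=0
    sh "$root/$1.sh" "$root" 2>/dev/null || rc=$?
    linked=no
    [ ! -L "$root/sites-enabled/default" ] || linked=yes
    rm -rf "$root"
    echo "rc=$rc linked=$linked"
}

run_case as_described fresh     # rc=0 linked=yes
run_case as_described upgrade   # rc=1 linked=no
run_case guarded upgrade        # rc=0 linked=yes
```
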
