strange behavior when EAP is enabled?
Coy Hile
coy.hile at coyhile.com
Fri Dec 20 22:22:31 CET 2019
> On Dec 20, 2019, at 4:00 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Dec 20, 2019, at 3:56 PM, Coy Hile <coy.hile at coyhile.com> wrote:
>>
>> I’ve seen a strange one… I’ve created the test certs, etc, that enable the EAP configuration to work. Running radiusd -X, one sees (in relevant part):
>> ...
>> However, if I try to start radiusd as normal (not via -X), I end up with this behavior in the logs:
>>
>> Fri Dec 20 20:46:38 2019 : Error: tls: Failed reading certificate file "/opt/local/etc/raddb/certs/server.pem": error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> That's probably file permissions. OpenSSL is notorious for terrible error messages,
>
>> Clearly, I can disable EAP (as I don’t use it at the moment) and get things working; however, I’m trying to disable as little of the default configs as possible. Is there something different in the code path when debugging is enabled vs not that is making OpenSSL libraries do something weird?
>
> If you're running "radiusd -X" as root, and daemon mode as user radiusd, then the issue is likely file permissions.
>
My initial thought as well; however, even running as user radiusd, I see the same behavior; starts fine in debug mode, and bails with the cited error. Interestingly, if I run radiusd -f as root, I see the same behavior in the logs and a failure to start.
Permissions _should_ be fine:
[root at b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb]# ls -ld . certs
drwxr-xr-x 9 root root 21 Dec 20 20:07 .
drwxr-x--- 2 radiusd radiusd 35 Dec 20 20:45 certs
[root at b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb]#
root at b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb/certs]# ls -l server.pem
-rw-r----- 1 radiusd radiusd 3659 Dec 20 19:59 server.pem
[root at b4eaa42c-a960-e926-9f73-dd4aa748f865 /opt/local/etc/raddb/certs]#
The file is readable by user ‘radiusd’
Hence my confusion.
Clearly the passphrase in the EAP config (‘whatever’) works, else it would fail in debug mode
--
Coy Hile
coy.hile at coyhile.com
More information about the Freeradius-Users
mailing list