Bug 1954521

Summary: Freeradius should not generate default certificates and run boostrap script during every start
Product: Red Hat Enterprise Linux 8
Reporter: Filip Dvorak <fdvorak>
Component: freeradius
Assignee: Antonio Torres <antorres>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: medium
Docs Contact: lmcgarry
Priority: unspecified
Version: 8.5
CC: antorres, fdvorak, h.b.furuseth, nikolai.kondrashov
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
Doc Type: Bug Fix
Doc Text:
FreeRADIUS no longer incorrectly generating default certificates when the bootstrap script is run

A bootstrap script runs each time FreeRADIUS is started. Previously, this script generated new testing certificates in the `/etc/raddb/certs` directory and, as a result, the FreeRADIUS server sometimes failed to start because these testing certificates were invalid. For example, the certificates might have expired. With this update, the bootstrap script checks the `/etc/raddb/certs` directory and, if it contains any testing or customer certificates, the script is not run and the FreeRADIUS server should start correctly. Note that the testing certificates are only for testing purposes during the configuration of FreeRADIUS and should not be used in a real environment. The bootstrap script should be deleted once the users' certificates are in use.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-09 18:51:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Filip Dvorak 2021-04-28 10:28:01 UTC
Description of problem:
We changed the generation of the default certificate for FR because of this bug [1]. Now the default certificates are generated during the systemd start of radiusd. The problem is that the bootstrap script is run during every start and it verifies these default certificates. When these certificates expire after 60 days (for example, a user uses their own certificates but did not delete the default certificates in /etc/raddb/certs), FR fails to start. This issue has affected the upgrade of FR as well - https://access.redhat.com/solutions/5767041

The possible solution:
- run the bootstrap script only once and not during every systemd start (it could be a little bit tricky because the bootstrap script is mentioned in the unit file)
- modify the bootstrap script
      - the bootstrap script should stay in the unit file and run during the start of FR
      - if there are one or more default certificates (valid, invalid, expired) in /etc/raddb/certs, bootstrap should not generate/replace/remove/verify any of them
      - the bootstrap script should generate all default certificates and dh if there are no existing default certificates in /etc/raddb/certs
      - the bootstrap script should verify default certificates ONLY when generating these certs
 
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1672285

Version-Release number of selected component (if applicable):
freeradius-3.0.20-3
RHEL8.4


Steps to Reproduce:
1. systemctl start radiusd
2. wait for 60 days or change date on the system
cd /etc/raddb/certs
openssl x509 -in server.pem -noout -text | grep -e{Before,After}
date -s 'Jun 28 10:12:09 2021 GMT'

3. systemctl start radiusd

Actual results:
...
- Unit radiusd.service has begun starting up.
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin, CN = Example Certificate Authority
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error 10 at 1 depth lookup: certificate has expired
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error 10 at 0 depth lookup: certificate has expired
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error server.pem: verification failed
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: make: *** [Makefile:107: server.vrfy] Error 2
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com systemd[1]: radiusd.service: Control process exited, code=exited status=2
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com systemd[1]: radiusd.service: Failed with result 'exit-code'.
...

Expected results:
I am inclined to the first solution but the second is fine as well. In either case, radiusd should run smoothly.

Additional info:

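The second proposed solution, written out as an added example (not the RHEL bootstrap script, unit file, or the shipped fix): a guard that runs the bootstrap only when /etc/raddb/certs holds no default certificates, never verifies or replaces existing ones, and only reports expiry instead of failing the service. The file names ca.pem, client.pem and the `run` argument are assumptions; server.pem, dh and the bootstrap path come from the report.

```shell
#!/bin/sh
# Added example, not part of the freeradius package: decide whether the
# certificate bootstrap may run, per the "leave existing default certs alone"
# rule in the description. CERTS_DIR and the ca.pem/client.pem names are assumed.

CERTS_DIR="${CERTS_DIR:-/etc/raddb/certs}"

# Return 0 if any default-certificate artifact is already present in $1,
# whether valid, expired, or a customer cert stored under the same name.
certs_present() {
    dir="$1"
    for f in ca.pem server.pem client.pem dh; do
        [ -e "$dir/$f" ] && return 0
    done
    return 1
}

# Action for the unit's pre-start step:
#   skip      -> certificates exist; do not generate/verify/remove anything
#   bootstrap -> nothing there yet; run the bootstrap once to create them
bootstrap_action() {
    if certs_present "$1"; then echo skip; else echo bootstrap; fi
}

# Report whether $1/server.pem expires within $2 seconds (default 0).
# Returns 0 if still valid, 1 if expired/expiring, 2 if the file is absent.
# Needs openssl; an expired default cert is exactly what broke startup here.
warn_if_expiring() {
    pem="$1/server.pem"; secs="${2:-0}"
    [ -r "$pem" ] || return 2
    openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null
}

main() {
    case "$(bootstrap_action "$CERTS_DIR")" in
        skip)
            # Never fail the service on an old default cert; only warn.
            warn_if_expiring "$CERTS_DIR" 0 ||
                echo "warning: $CERTS_DIR/server.pem expired or unreadable" >&2 ;;
        bootstrap)
            (cd "$CERTS_DIR" && sh ./bootstrap) ;;
    esac
}

# Only act when explicitly asked (e.g. ExecStartPre=/path/to/guard.sh run),
# so sourcing the file for inspection has no side effects.
if [ "${1:-}" = run ]; then main; fi
```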
Comment 3 Hallvard B Furuseth 2021-07-02 05:27:18 UTC
The /etc/raddb/certs/bootstrap script itself recommends solution#1:

# (...) Once the certificates have been created, this file should be deleted.
# Ideally, this program should be run as part of the installation of any
# binary package. (...)

Comment 22 errata-xmlrpc 2021-11-09 18:51:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4317