Bug 2069224

Summary: FreeRADIUS does not create certificates in FIPS mode (bootstrap script)
Product: Red Hat Enterprise Linux 9
Reporter: Filip Dvorak <fdvorak>
Component: freeradius
Assignee: Antonio Torres <antorres>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: low
Priority: unspecified
Version: 9.0
CC: fdvorak, nikolai.kondrashov
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeradius-3.0.21-29.el9
Doc Type: No Doc Update
Last Closed: 2022-11-15 10:19:20 UTC
Type: Bug

Description Filip Dvorak 2022-03-28 13:46:16 UTC
Description of problem:
After the installation of FreeRADIUS it is necessary to create certificates to run the radiusd service. It is possible to use the bootstrap script (/etc/raddb/certs/bootstrap) or to use your own certificates. In RHEL9 (FIPS) it is not possible to use this script because the rules for creating certificates are stricter. For example, we could add the option "-nodes" to the openssl commands.

Version-Release number of selected component (if applicable):
freeradius-3.0.21-26.el9.x86_64

How reproducible:


Steps to Reproduce:
1. Install FreeRADIUS
2. Run the bootstrap script

Actual results:

# ./bootstrap 
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
.....+...+...+.+...+........+.........+.............+..+.+...+...........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+...+...+......+......+...+.......+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+......+...+.+...+...+..............+..........+...+......+.........+......+..+...+................+...........+...+....+..+...+.............+...+..+..........+..+.+......+.....+...+.......+........................+......+......+..+...+..........+.........+.........+..+...+....+..+....+......+...........+.............+.....+......+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

003C2FEA187F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties (<null>)
003C2FEA187F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties (<null>)
003C2FEA187F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties (<null>)
003C2FEA187F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties (<null>)
)
make: *** [Makefile:91: server.csr] Error 1


Expected results:
The script should create the certificates that are needed to run FreeRADIUS.

Additional info:
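
Added example, not part of the original report or of FreeRADIUS: a small shell helper that pulls the rejected algorithm name out of OpenSSL error lines like those under "Actual results" and checks the kernel FIPS flag in /proc/sys/crypto/fips_enabled. The function names and the optional flag-path argument are assumptions made for illustration, and the sample log is constructed from one error line of the report.

```shell
#!/bin/sh
# Added example (not from the report): triage an OpenSSL 3 failure like the
# one above by naming the rejected algorithm and checking kernel FIPS mode.

# Constructed sample: one error line from the report plus the make failure.
SAMPLE_LOG='003C2FEA187F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (DES-EDE3-CBC : 27), Properties (<null>)
make: *** [Makefile:91: server.csr] Error 1'

# Print each algorithm the provider fetch refused, once, from stdin.
rejected_algorithms() {
    sed -n 's/.*inner_evp_generic_fetch:unsupported:.*Algorithm (\([^ :)]*\).*/\1/p' |
        sort -u
}

# Succeed when the kernel FIPS flag is 1. $1 overrides the flag path so the
# check can be exercised on a non-FIPS machine (hypothetical test hook).
fips_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Summarise a captured log on stdin; $1 is passed through to fips_enabled.
diagnose() {
    algs=$(rejected_algorithms | tr '\n' ' ')
    algs=${algs% }
    if [ -z "$algs" ]; then
        echo "no unsupported-algorithm errors in log"
    elif fips_enabled "$1"; then
        echo "FIPS mode on, rejected: $algs"
    else
        echo "FIPS mode off, rejected: $algs"
    fi
}

# Demo on the constructed sample, using the real kernel flag.
printf '%s\n' "$SAMPLE_LOG" | diagnose
```

To use it on a real run, capture the script's output with `./bootstrap 2>&1 | tee bootstrap.log` and feed the file to `diagnose`.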

Comment 13 errata-xmlrpc 2022-11-15 10:19:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8089