Bug 1672284 - FreeRADIUS should not generate certificates at package installation
Summary: FreeRADIUS should not generate certificates at package installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeradius
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Alex Scheel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1574783
Blocks: 1672285
TreeView+ depends on / blocked
 
Reported: 2019-02-04 13:11 UTC by Stephen Gallagher
Modified: 2019-08-13 01:58 UTC (History)
3 users (show)

Fixed In Version: freeradius-3.0.19-3.fc30 freeradius-3.0.19-3.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1672285 (view as bug list)
Environment:
Last Closed: 2019-06-19 22:44:48 UTC


Attachments (Terms of Use)

Description Stephen Gallagher 2019-02-04 13:11:39 UTC
Description of problem:
FreeRADIUS currently generates a self-signed CA certificate as well as subordinate certificates and some passwords while installing the freeradius package. This is against the Fedora Packaging Guidelines[1] for several good reasons:

1) If freeradius is installed via kickstart, the certificates may be generated at a time when entropy on the system is insufficient, resulting in either a failed installation (scriptlet returns non-zero) or a less-secure certificate.

2) The package cannot easily be built as part of an image (such as a container or ostree image) because the package installation occurs on the builder machine, not the target machine and thus all instances of it that are spawned from the image will have the same certificate information.

3) It makes it difficult for an end-user to generate a common VM in their environment. They can remove the certificates manually, but there's no simple way to regenerate them on the cloned children. The user must know how to do this themselves, manually.

Fedora packaging guidelines[1] now mandate that the behavior here should be that this certificate generation does not occur in an RPM scriptlet, but that it instead takes place as part of a systemd unit that is launched prior to (and blocks the start of) the main service unit for the package. Specific details on how to accomplish this are provided on the guidelines page. I am also available to help with the implementation if needed.

Moving the auto-generation from the scriptlet to the systemd unit addresses all three of the issues mentioned above.



Version-Release number of selected component (if applicable):

freeradius-3.0.17-4.fc30


How reproducible:
Every time

Steps to Reproduce:
1. Install the `freeradius` package in Fedora
2. Check the contents of /etc/raddb/certs


Actual results:
ca.pem, server.crt and many other certificates are present.

Expected results:
The certificates should not be present until the first time the service is launched.


Additional info:

[1] Fedora Packaging Guidelines:
https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup

Comment 1 Alex Scheel 2019-02-04 15:58:57 UTC
A work around for anyone stumbling into this issue:


- Remove any generated certificates in /etc/raddb/certs
- Run /etc/raddb/certs/bootstrap


/etc/raddb/certs/README contains further instructions.

Comment 2 Fedora Update System 2019-05-09 19:40:42 UTC
freeradius-3.0.19-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e

Comment 3 Fedora Update System 2019-05-09 19:40:51 UTC
freeradius-3.0.19-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2

Comment 4 Fedora Update System 2019-05-09 19:40:58 UTC
freeradius-3.0.19-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c

Comment 5 Fedora Update System 2019-05-10 02:06:20 UTC
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e

Comment 6 Fedora Update System 2019-05-10 02:46:33 UTC
freeradius-3.0.19-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c

Comment 7 Fedora Update System 2019-05-10 03:45:42 UTC
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2

Comment 8 Fedora Update System 2019-06-19 22:44:48 UTC
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-08-13 01:58:53 UTC
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.