+++ This bug was initially created as a clone of Bug #1672284 +++
Description of problem:
FreeRADIUS currently generates a self-signed CA certificate as well as subordinate certificates and some passwords while installing the freeradius package. This is against the Fedora Packaging Guidelines for several good reasons:
1) If freeradius is installed via kickstart, the certificates may be generated at a time when entropy on the system is insufficient, resulting in either a failed installation (scriptlet returns non-zero) or a less-secure certificate.
2) The package cannot easily be built as part of an image (such as a container or ostree image) because the package installation occurs on the builder machine, not the target machine and thus all instances of it that are spawned from the image will have the same certificate information.
3) It makes it difficult for an end-user to generate a common VM in their environment. They can remove the certificates manually, but there's no simple way to regenerate them on the cloned children. The user must know how to do this themselves, manually.
Fedora packaging guidelines now mandate that the behavior here should be that this certificate generation does not occur in an RPM scriptlet, but that it instead takes place as part of a systemd unit that is launched prior to (and blocks the start of) the main service unit for the package. Specific details on how to accomplish this are provided on the guidelines page. I am also available to help with the implementation if needed.
Moving the auto-generation from the scriptlet to the systemd unit addresses all three of the issues mentioned above.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install the `freeradius` package in Fedora/RHEL 8
2. Check the contents of /etc/raddb/certs
ca.pem, server.crt and many other certificates are present.
The certificates should not be present until the first time the service is launched.
Fedora Packaging Guidelines:
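The first-start generation the guidelines describe, as an added example that is not FreeRADIUS's own bootstrap script or unit: a shell script meant to run from a hypothetical radiusd-certs.service ordered Before=radiusd.service, which generates into /etc/raddb/certs only when the files are absent. The unit name, the script path and the presence of openssl are assumptions; the certificate subjects are constructed placeholders.

```bash
#!/bin/bash
# Added example, not the FreeRADIUS package's own bootstrap. Intended to be
# run by a hypothetical unit ordered before the service instead of an RPM
# %post scriptlet, e.g.:
#   [Unit]    Before=radiusd.service
#             ConditionPathExists=!/etc/raddb/certs/server.crt
#   [Service] Type=oneshot
#             ExecStart=/usr/libexec/radiusd-bootstrap-certs /etc/raddb/certs
set -eu

# True (exit 0) when any required file is missing or empty, so generation
# runs once on the target machine rather than on the image builder.
needs_bootstrap() {
    local dir=$1 f
    for f in ca.pem server.crt; do
        [ -s "$dir/$f" ] || return 0
    done
    return 1
}

# Generate a self-signed CA and a server certificate signed by it. Because
# this runs at service start on the running machine, every VM or container
# cloned from a common image gets its own key material. Assumes openssl.
generate_certs() {
    local dir=$1
    umask 077                     # private keys must not be world-readable
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example FreeRADIUS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example FreeRADIUS server" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 730 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt"
}

# Entry point: acts only when a directory is given, so the functions can
# also be sourced on their own. Usage: radiusd-bootstrap-certs /etc/raddb/certs
if [ "$#" -ge 1 ]; then
    if needs_bootstrap "$1"; then
        generate_certs "$1"
    else
        echo "certificates already present in $1, nothing to do"
    fi
fi
```

Because the unit's ConditionPathExists and the script's own check both test for the files, deleting /etc/raddb/certs on a cloned child and restarting the service is enough to regenerate them.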
*** Bug 1857230 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
It came to my attention recently that some customers don't like this behavior.
To avoid this, use a systemd override file (execute `sudo systemctl edit radiusd.service` to create one) with the contents:
to disable certificate generation at service startup.
This can be tested with `sudo systemctl restart radiusd.service`.
Please refer to the systemd docs for more information about unit file overrides.
I do not recommend editing the original systemd unit file we ship with FreeRADIUS RPM in RHEL as it is package configuration and subject to change in a future release.