Bug 1705165 - Freeradius bootstrap script overwrites certs
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeradius
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Alex Scheel
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-05-01 16:52 UTC by Rafael Leiva-Ochoa
Modified: 2019-08-13 01:58 UTC

Fixed In Version: freeradius-3.0.19-3.fc30 freeradius-3.0.19-3.fc29
Last Closed: 2019-06-19 22:44:55 UTC
Type: Bug

Description Rafael Leiva-Ochoa 2019-05-01 16:52:58 UTC
Description of problem: "Bootstrap" script overwriting current certs in the /etc/raddb/certs/ directory


Version-Release number of selected component (if applicable): freeradius-3.0.19-1.fc28.armv7hl


How reproducible: Restart freeradius using systemctl restart radiusd


Steps to Reproduce:
1. Upgrade to the current version of freeradius
2. systemctl restart radiusd

Actual results: The current server.crt gets overwritten, and the freeradius daemon outputs the following errors:

Apr 29 22:01:29 freeradius systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Apr 29 22:01:30 freeradius sh[1970]: make: *** No rule to make target 'server.cnf', needed by 'passwords.mk'. Stop.
Apr 29 22:01:30 freeradius systemd[1]: radiusd.service: Control process exited, code=exited status=2
Apr 29 22:01:30 freeradius systemd[1]: radiusd.service: Failed with result 'exit-code'.
Apr 29 22:01:30 freeradius systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
Apr 29 22:01:30 freeradius audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'



Expected results: For the service to restart normally without it creating a new cert.


Additional info:

Here is what I have on my /usr/lib/systemd/system/radiusd.service script for systemd

[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service

[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
#ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

I was about to fix the problem by commenting out the "ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap"

Comment 1 Alex Scheel 2019-05-01 17:00:50 UTC
Yuck, but good to hear. This was an initial attempt at solving this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1672284 

It looks like the upstream scripts are not sufficient. One of the issues we have is that the upstream scripts do rotation as well (what you're seeing); we merely want to create new scripts if not otherwise present.

Comment 2 Rafael Leiva-Ochoa 2019-05-01 17:19:27 UTC
I was hoping that there would be more error correction in the scripts to catch this problem. I would recommend creating new scripts and removing the script call from the radiusd.service. I think this should be optional for the user to do on his own.

Comment 3 Alex Scheel 2019-05-01 17:33:26 UTC
Yeah, looking at the upstream scripts, they weren't really made for this and they don't have to adhere to Fedora packaging guidelines. 

I'll create a separate wrapper and push that out in a day or so. But yes, please edit the unit file for now. I'll update this with Bodhi updates when that is done. 



Thanks!
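
The behaviour discussed in comments 1 to 3 (create certificates only when none are present, never rotate on restart), as an added example; it is not the wrapper shipped in the Fedora update and not upstream FreeRADIUS code. The function name ensure_certs and the default file list are assumptions; only server.crt and /etc/raddb/certs are named in the report.

```shell
#!/bin/sh
# Added example: guard for a certificate bootstrap run from ExecStartPre.
# ensure_certs DIR GENERATOR [FILE...]
#   DIR        certificate directory (the report uses /etc/raddb/certs)
#   GENERATOR  script that creates the certificates, run with sh from DIR
#   FILE...    files that make up a complete set; the default list is an
#              assumption, only server.crt is named in the report
# Returns 0 if a complete set already existed or was just generated,
#         1 if the generator failed,
#         2 if only part of the set exists (nothing is written).
ensure_certs() {
    dir=$1
    gen=$2
    shift 2
    [ "$#" -gt 0 ] || set -- server.crt server.key ca.pem

    present=0
    missing=0
    for f in "$@"; do
        if [ -s "$dir/$f" ]; then
            present=$((present + 1))
        else
            missing=$((missing + 1))
        fi
    done

    # Complete set on disk: a restart must not regenerate or rotate anything.
    if [ "$missing" -eq 0 ]; then
        return 0
    fi

    # Some files exist and some do not: refuse instead of overwriting
    # certificates the administrator installed.
    if [ "$present" -gt 0 ]; then
        echo "ensure_certs: $dir is partially populated, not generating" >&2
        return 2
    fi

    # Fresh install: generate once, keeping new private keys away from "other".
    ( cd "$dir" && umask 027 && sh "$gen" ) || return 1
}
```

A return of 2 makes the pre-start step fail visibly, so a half-installed certificate set is reported to the administrator instead of being replaced.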

Comment 4 Ben Cotton 2019-05-02 19:23:06 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Alex Scheel 2019-05-03 14:30:27 UTC
Bumping version...

Comment 6 Fedora Update System 2019-05-09 19:40:47 UTC
freeradius-3.0.19-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e

Comment 7 Fedora Update System 2019-05-09 19:40:54 UTC
freeradius-3.0.19-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2

Comment 8 Fedora Update System 2019-05-09 19:41:02 UTC
freeradius-3.0.19-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c

Comment 9 Alex Scheel 2019-05-09 19:42:26 UTC
This bug has been affected by recent package builds:

freeradius-3.0.19-3 -- rawhide
https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e -- f30
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2 -- f29
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c -- f28

Please try it out and give Karma as appropriate. Thanks!

Comment 10 Fedora Update System 2019-05-10 02:06:23 UTC
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e

Comment 11 Fedora Update System 2019-05-10 02:46:37 UTC
freeradius-3.0.19-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c

Comment 12 Fedora Update System 2019-05-10 03:45:45 UTC
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2

Comment 13 Fedora Update System 2019-06-19 22:44:55 UTC
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-08-13 01:58:58 UTC
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

