Description of problem: Bootstrap" script overwriting current certs in the /etc/raddb/certs/ directory Version-Release number of selected component (if applicable): freeradius-3.0.19-1.fc28.armv7hl How reproducible: Restart freeradius using systemctl restart radiusd Steps to Reproduce: 1. Upgrade to the current version of freeradius 2. systemctl restart radiusd Actual results: The current server.crt gets overwriten, and the freeradius daemon outputs the following errors: Apr 29 22:01:29 freeradius systemd[1]: Starting FreeRADIUS high performance RADIUS server.... Apr 29 22:01:30 freeradius sh[1970]: make: *** No rule to make target 'server.cnf', needed by 'passwords.mk'. Stop. Apr 29 22:01:30 freeradius systemd[1]: radiusd.service: Control process exited, code=exited status=2 Apr 29 22:01:30 freeradius systemd[1]: radiusd.service: Failed with result 'exit-code'. Apr 29 22:01:30 freeradius systemd[1]: Failed to start FreeRADIUS high performance RADIUS server.. Apr 29 22:01:30 freeradius audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm="systemd " exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Expected results: For the service to restart normally without it creating a new cert. Additional info: Here is what I have on my /usr/lib/systemd/system/radiusd.service script for systemd [Unit] Description=FreeRADIUS high performance RADIUS server. After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service [Service] Type=forking PIDFile=/var/run/radiusd/radiusd.pid ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd #ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/ ExecStartPre=/usr/sbin/radiusd -C ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecReload=/usr/sbin/radiusd -C ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target I was about to fix the problem by commenting out the "ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap"
Yuck, but good to hear. This was an initial attempt at solving this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1672284 It looks like the upstream scripts are not sufficient. One of the issues we have is that the upstream scripts do rotation as well (what you're seeing); we merely want to create new scripts if not otherwise present.
I was hoping that there would be more error correction in the scripts to catch this problem. I would recommend creating new scripts and remove the script call from the radiusd.service. I think this should be optional for the user to do on his own.
Yeah, looking at the upstream scripts, they weren't really made for this and they don't have to adhere to Fedora packaging guidelines. I'll create a separate wrapper and push that out in a day or so. But yes, please edit the unit file for now. I'll update this with Bodhi updates when that is done. Thanks!
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Bumping version...
freeradius-3.0.19-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e
freeradius-3.0.19-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2
freeradius-3.0.19-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c
This bug has been affected by recent package builds: freeradius-3.0.19-3 -- rawhide https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e -- f30 https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2 -- f29 https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c -- f28 Please try it out and give Karma as appropriate. Thanks!
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4a8eeaf80e
freeradius-3.0.19-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9b58ccab2c
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9454ce61b2
freeradius-3.0.19-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
freeradius-3.0.19-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.