Description of problem:
In its post-install scriptlet, freeradius generates keys in /etc/raddb/certs:
# rpm -q freeradius --scripts
if [ $1 -eq 1 ]; then # install
# Initial installation
if [ ! -e /etc/raddb/certs/server.pem ]; then
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
However, in FIPS mode this generation fails and no keys are created. This is caused by not being able to generate DH params:
# cat /etc/raddb/certs/bootstrap
if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
ln -sf /dev/urandom random
In RHEL-8.3 openssl doesn't allow dhparam generation in FIPS mode (see BZ#1810911 and BZ#1855822) because of new requirements of the standard. The openssl command fails and the bootstrap script exits. No keys are created, and radiusd won't start without them:
# ls /etc/raddb/certs/
bootstrap ca.cnf client.cnf dh inner-server.cnf Makefile passwords.mk README server.cnf xpextensions
# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
# cat /var/log/radius/radius.log
Wed Jul 22 06:33:26 2020 : Info: Debugger not attached
Wed Jul 22 06:33:26 2020 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap: Failed parsing configuration item "private_key_file"
Wed Jul 22 06:33:26 2020 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Jul 22 06:33:26 2020 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap: Instantiation failed for module "eap"
Version-Release number of selected component (if applicable):

How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Make sure freeradius is not installed and /etc/raddb does not exist.
2. Enable FIPS mode.
3. Install freeradius.
4. Inspect /etc/raddb/certs and start radiusd.
Actual results:
No keys are created and the service fails to start.

Expected results:
Keys for CA, server and client are created and the service starts.

Additional info:
1. The dhparams file (dh) is never used by the bootstrap script; can its generation be removed? Keys are generated successfully without it.
2. In RHEL-8.2 the dhparam file can be generated even in FIPS mode, hence this issue is new in 8.3.
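The failure comes down to the `openssl dhparam -out dh 2048 || exit 1` line aborting the whole bootstrap. As an added example (not the freeradius package's own bootstrap script), here is a FIPS-aware variant of that step together with a pre-start check for the file radiusd complained about in the log. It follows the reporter's point that the bootstrap itself never uses the dh file, so skipping it must not prevent key creation; FIPS_FLAG_FILE, CERT_DIR and the `run` argument are assumptions of this example, introduced so the functions can be exercised outside /etc.

```shell
#!/bin/sh
# Added example, not the freeradius project's script. Assumes (per the bug report) that
# the bootstrap script itself never consumes the dh file, so skipping its generation
# must not abort key creation. FIPS_FLAG_FILE and CERT_DIR are hypothetical overrides
# so the functions can be tested against a scratch directory.

FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"
CERT_DIR="${CERT_DIR:-/etc/raddb/certs}"

# Exit 0 when the kernel reports FIPS mode; a missing or unreadable flag file counts as
# "not FIPS".
fips_enabled() {
    [ -r "$FIPS_FLAG_FILE" ] && [ "$(cat "$FIPS_FLAG_FILE")" = "1" ]
}

# Replacement for:   if [ ! -e dh ]; then openssl dhparam -out dh 2048 || exit 1
# In FIPS mode the dhparam step is skipped instead of failing the whole bootstrap; a
# dhparam failure outside FIPS mode is logged rather than fatal. Always returns 0.
generate_dh() {
    dir="$1"
    if [ -e "$dir/dh" ]; then
        return 0
    fi
    if fips_enabled; then
        echo "FIPS mode enabled: skipping DH parameter generation" >&2
        return 0
    fi
    if ! openssl dhparam -out "$dir/dh" 2048 >/dev/null 2>&1; then
        echo "warning: openssl dhparam failed; continuing without $dir/dh" >&2
    fi
    return 0
}

# Print the names of required files missing from directory $1 (one per line) and return
# 1 if any is missing. Extra arguments override the file list; the default is the file
# radiusd reported as missing in the log above.
missing_certs() {
    dir="$1"; shift
    [ $# -eq 0 ] && set -- server.pem
    rc=0
    for f in "$@"; do
        if [ ! -e "$dir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Only act when invoked as "sh fips_bootstrap.sh run", so that sourcing the file for its
# functions has no side effects on a real /etc/raddb/certs.
if [ "${1:-}" = "run" ]; then
    generate_dh "$CERT_DIR"
    if missing="$(missing_certs "$CERT_DIR")"; then
        echo "required certificate files present in $CERT_DIR"
    else
        echo "radiusd will not start; missing in $CERT_DIR:" >&2
        echo "$missing" >&2
        exit 1
    fi
fi
```

The check before starting the service turns the opaque "control process exited with error code" into a direct list of missing files. Whether radiusd's own eap configuration still expects a dh file at runtime is not established by this report, so this only lets key creation survive FIPS mode; it does not claim the dh file is unnecessary for the server.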
*** This bug has been marked as a duplicate of bug 1857230 ***
Per discussion with Ondrej on IRC, this isn't a duplicate. Clarifying subject.
Still looking for qa_ack+ so we can attach it to the errata.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.