Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1905888

Summary: After updated freeradius, Can't (re)start
Product: Red Hat Enterprise Linux 8 Reporter: AIKAWA Shigechika <shige>
Component: freeradiusAssignee: Robbie Harwood <rharwood>
Status: CLOSED NEXTRELEASE QA Contact: Filip Dvorak <fdvorak>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: bstinson, carl, fdvorak, jwboyer, nikolai.kondrashov, orion, rharwood
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-10 22:51:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description AIKAWA Shigechika 2020-12-09 09:21:46 UTC 
Description of problem:

When updated freeradius, freeradius could not start.
Because certs creation always fail.

Version-Release number of selected component (if applicable):

freeradius-3.0.17-7.module_el8.2.0+321+f9fd5d26.x86_64.rpm
freeradius-3.0.20-3.module_el8.3.0+476+0982bc20.x86_64

How reproducible:


Steps to Reproduce:

0. dnf install make

1. dnf install https://rpmfind.net/linux/centos/8.2.2004/AppStream/x86_64/os/Packages/freeradius-3.0.17-7.module_el8.2.0+321+f9fd5d26.x86_64.rpm

2. systemctl start radiusd

3. cd /etc/raddb/certs ; find  . -newer bootstrap -type f -exec touch -r bootstrap {} \;
  Prepare for "ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap"
  Certs files timestamp set between 3.0.17 and 3.0.20 rpms. 

4. sudo dnf update freeradius # freeradius-3.0.20-3.module_el8.3.0+476+0982bc20.x86_64

5 systemctl restart radiusd # always fail

Actual results:

[root@localhost ~]# systemctl restart radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status -l radiusd
* radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-12-09 18:08:34 JST; 1s ago
  Process: 72024 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=2)
  Process: 72022 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 71762 (code=exited, status=0/SUCCESS)

Dec 09 18:08:34 localhost.localdomain sh[72024]: The matching entry has the following details
Dec 09 18:08:34 localhost.localdomain sh[72024]: Type          :Valid
Dec 09 18:08:34 localhost.localdomain sh[72024]: Expires on    :210207085204Z
Dec 09 18:08:34 localhost.localdomain sh[72024]: Serial Number :01
Dec 09 18:08:34 localhost.localdomain sh[72024]: File name     :unknown
Dec 09 18:08:34 localhost.localdomain sh[72024]: Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 09 18:08:34 localhost.localdomain sh[72024]: make: *** [Makefile:95: server.crt] <E3><82><A8><E3><83><A9><E3><83><BC> 1
Dec 09 18:08:34 localhost.localdomain systemd[1]: radiusd.service: Control process exited, code=exited status=2
Dec 09 18:08:34 localhost.localdomain systemd[1]: radiusd.service: Failed with result 'exit-code'.
Dec 09 18:08:34 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..

Expected results:

Update smoothly.

Additional info:

I guessed %config(noreplace) does not work in freeradius.spec.

 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 and so on

%config(noreplace) will make .rpmnew if same file existed.
but there are not find *rpmnew files in /etc/raddb/certs directory.
Could you give up to write %attr and %config(noreplace) in one line?
Comment 1 Alex Scheel 2020-12-09 19:35:27 UTC 
Can you provide the full journalctl log from FreeRADIUS from the failed start? Thanks!
Comment 2 AIKAWA Shigechika 2020-12-10 02:05:51 UTC 
Thank you for your response.
The following is journalctl.

* dnf update -y freeradius # update from freeradius-3.0.17.. to freeradius-3.0.20...

# systemctl restart radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
# journalctl -xe
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has successfully entered the 'dead' state.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has finished shutting down.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
-- Subject: Unit radiusd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has begun starting up.
Dec 10 10:30:41 localhost.localdomain sh[2212]: openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Dec 10 10:30:41 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: .................................................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...............+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'server.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r server.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl req -new -x509 -keyout ca.key -out ca.pem \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -days '60' -config ./ca.cnf \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -passin pass:'whatever' -passout pass:'whatever'
Dec 10 10:30:42 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...........................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ..........................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'ca.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r ca.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Using configuration from ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Check that the request matches the signature
Dec 10 10:30:42 localhost.localdomain sh[2212]: Signature ok
Dec 10 10:30:42 localhost.localdomain sh[2212]: ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: The matching entry has the following details
Dec 10 10:30:42 localhost.localdomain sh[2212]: Type          :Valid
Dec 10 10:30:42 localhost.localdomain sh[2212]: Expires on    :210208012936Z
Dec 10 10:30:42 localhost.localdomain sh[2212]: Serial Number :01
Dec 10 10:30:42 localhost.localdomain sh[2212]: File name     :unknown
Dec 10 10:30:42 localhost.localdomain sh[2212]: Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: make: *** [Makefile:95: server.crt] Error 1
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Control process exited, code=exited status=2
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has entered the 'failed' state with result 'exit-code'.
Dec 10 10:30:42 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has failed.
--
-- The result is failed.
...skipping...
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has successfully entered the 'dead' state.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has finished shutting down.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
-- Subject: Unit radiusd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has begun starting up.
Dec 10 10:30:41 localhost.localdomain sh[2212]: openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Dec 10 10:30:41 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: .................................................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...............+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'server.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r server.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl req -new -x509 -keyout ca.key -out ca.pem \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -days '60' -config ./ca.cnf \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -passin pass:'whatever' -passout pass:'whatever'
Dec 10 10:30:42 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...........................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ..........................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'ca.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r ca.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Using configuration from ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Check that the request matches the signature
Dec 10 10:30:42 localhost.localdomain sh[2212]: Signature ok
Dec 10 10:30:42 localhost.localdomain sh[2212]: ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: The matching entry has the following details
Dec 10 10:30:42 localhost.localdomain sh[2212]: Type          :Valid
Dec 10 10:30:42 localhost.localdomain sh[2212]: Expires on    :210208012936Z
Dec 10 10:30:42 localhost.localdomain sh[2212]: Serial Number :01
Dec 10 10:30:42 localhost.localdomain sh[2212]: File name     :unknown
Dec 10 10:30:42 localhost.localdomain sh[2212]: Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: make: *** [Makefile:95: server.crt] Error 1
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Control process exited, code=exited status=2
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has entered the 'failed' state with result 'exit-code'.
Dec 10 10:30:42 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has failed.
--
-- The result is failed.

Thank you.

PS

There are not *.rpmnew files in /etc/raddb/certs/ after updated.
It seems %attr works fine, but %config(noreplace) does not work in freeradius.spec of src.rpm.
I guessed you should fix %config(noreplace) in freeradius.spec.

[root@localhost ~]# ls -l /etc/raddb/certs/
total 160
-rw-r-----. 1 root radiusd 4431 May  7  2020 01.pem
-rw-r-----. 1 root radiusd 4408 May  7  2020 02.pem
-rw-r-----. 1 root radiusd 6424 Sep  1 05:46 Makefile
-rw-r-----. 1 root radiusd 8876 Sep  1 05:46 README
-rwxr-x---. 1 root radiusd 2941 Sep  1 05:46 bootstrap
-rw-r-----. 1 root radiusd 1432 Sep  1 05:46 ca.cnf
-rw-r-----. 1 root radiusd 1278 May  7  2020 ca.der
-rw-r-----. 1 root radiusd 1854 Dec 10 10:30 ca.key
-rw-r-----. 1 root radiusd 1785 Dec 10 10:30 ca.pem
-rw-r-----. 1 root radiusd 1103 Sep  1 05:46 client.cnf
-rw-r-----. 1 root radiusd 4408 May  7  2020 client.crt
-rw-r-----. 1 root radiusd 1045 May  7  2020 client.csr
-rw-r-----. 1 root radiusd 1854 May  7  2020 client.key
-rw-r-----. 1 root radiusd 2581 May  7  2020 client.p12
-rw-r-----. 1 root radiusd 3687 May  7  2020 client.pem
-rw-r-----. 1 root radiusd  424 May  7  2020 dh
-rw-r-----. 1 root radiusd  229 May  7  2020 index.txt
-rw-r-----. 1 root radiusd   21 May  7  2020 index.txt.attr
-rw-r-----. 1 root radiusd   21 May  7  2020 index.txt.attr.old
-rw-r-----. 1 root radiusd  120 May  7  2020 index.txt.old
-rw-r-----. 1 root radiusd 1131 Sep  1 05:46 inner-server.cnf
-rw-r--r--. 1 root radiusd  166 Sep  1 05:46 passwords.mk
lrwxrwxrwx. 1 root root      12 Dec 10 10:30 random -> /dev/urandom
-rw-r-----. 1 root radiusd 1464 Sep  1 05:46 rfc3526-group-18-8192.dhparam
-rw-r-----. 1 root radiusd    3 May  7  2020 serial
-rw-r-----. 1 root radiusd    3 May  7  2020 serial.old
-rw-r-----. 1 root radiusd 1627 Sep  1 05:46 server.cnf
-rw-r-----. 1 root radiusd 4431 May  7  2020 server.crt
-rw-r-----. 1 root radiusd 1196 Dec 10 10:30 server.csr
-rw-r-----. 1 root radiusd 1854 Dec 10 10:30 server.key
-rw-r-----. 1 root radiusd 2589 May  7  2020 server.p12
-rw-r-----. 1 root radiusd 3710 May  7  2020 server.pem
-rw-r-----. 1 root radiusd 3687 May  7  2020 user.pem
-rw-r-----. 1 root radiusd  764 Sep  1 05:46 xpextensions
Comment 3 Alex Scheel 2020-12-17 16:10:52 UTC 
By the way, do you need a workaround for this or have you figured that out?
Comment 4 AIKAWA Shigechika 2020-12-23 02:23:19 UTC 
Currently, %config(noreplace) does not work.
You should resolve %config(noreplace) behaving in freeradius.spec.
Comment 5 Alex Scheel 2021-01-06 16:00:33 UTC 
Revisiting this, my understanding is that %config(noreplace) only works if you have modified the files locally. If you haven't, then there is no option that I know of that will preserve the version from first package install, and not overwrite them. I believe this ultimately comes down to the MD5 sum in the RPM database, not the file mtime. 

Did you modify the contents of these files, prior to upgrading freeradius-server?
Comment 6 Orion Poplawski 2021-01-11 18:10:22 UTC 
I'm seeing the same issue.  I don't think %config(noreplace) really applies here.  I think the issue is due to the make rules:

ca.key ca.pem: ca.cnf
server.csr server.key: server.cnf
client.csr client.key: client.cnf
inner-server.csr inner-server.key: inner-server.cnf

This says that if the .cnf files are updated, the related keys and certs need to be regenerated - but I don't think this is true.  Or if it is, you need a make rule that actually succeeds to regenerate the server certificate rather than generating an error.
Comment 7 AIKAWA Shigechika 2021-02-13 03:58:07 UTC 
This bug does not fix yet.
BTW, I found a work-around for this trouble.

 cd /etc/raddb/certs
 make destroycerts

Please try :-)
Comment 8 Orion Poplawski 2021-02-25 15:54:55 UTC 
Another failure mode for bootstrap:

Feb 24 12:34:33 systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Feb 24 12:34:33 sh[1466308]: C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin, CN = Example Certificate Authority
Feb 24 12:34:33 sh[1466308]: error 10 at 1 depth lookup: certificate has expired
Feb 24 12:34:33 sh[1466308]: error server.pem: verification failed
Feb 24 12:34:33 sh[1466308]: make: *** [Makefile:107: server.vrfy] Error 2
Feb 24 12:34:33 systemd[1]: radiusd.service: Control process exited, code=exited status=2
Feb 24 12:34:33 systemd[1]: radiusd.service: Failed with result 'exit-code'.
Feb 24 12:34:33 systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..

I think bootstrap just needs to be removed from the service unit file.
Comment 10 Robbie Harwood 2021-03-10 22:51:33 UTC 
(In reply to Orion Poplawski from comment #8)
> I think bootstrap just needs to be removed from the service unit file.

I agree.  This will be how the package behaves in future RHEL releases.  FreeRADIUS shouldn't be involved in certificate generation and management - especially since it's just making self-signed certificates anyhow.

The solution we're going with for RHEL <= 8 is that, since updating the package requires doing this anyway, edit the unit file to remove the bootstrap line: https://access.redhat.com/solutions/5767041

Please let me know if this presents a problem and we can discuss further.