Bug 1905888 - After updated freeradius, Can't (re)start
Summary: After updated freeradius, Can't (re)start
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: freeradius
Version: CentOS Stream
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Robbie Harwood
QA Contact: Filip Dvorak
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-12-09 09:21 UTC by AIKAWA Shigechika
Modified: 2021-03-10 22:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-10 22:51:33 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links:
Red Hat Knowledge Base (Solution) 5767041 (last updated 2021-03-10 22:51:31 UTC)

Description AIKAWA Shigechika 2020-12-09 09:21:46 UTC
Description of problem:

When freeradius was updated, freeradius could not start,
because certs creation always fails.

Version-Release number of selected component (if applicable):

freeradius-3.0.17-7.module_el8.2.0+321+f9fd5d26.x86_64.rpm
freeradius-3.0.20-3.module_el8.3.0+476+0982bc20.x86_64

How reproducible:


Steps to Reproduce:

0. dnf install make

1. dnf install https://rpmfind.net/linux/centos/8.2.2004/AppStream/x86_64/os/Packages/freeradius-3.0.17-7.module_el8.2.0+321+f9fd5d26.x86_64.rpm

2. systemctl start radiusd

3. cd /etc/raddb/certs ; find  . -newer bootstrap -type f -exec touch -r bootstrap {} \;
  Prepare for "ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap"
  Certs files' timestamps are set between the 3.0.17 and 3.0.20 rpms.

4. sudo dnf update freeradius # freeradius-3.0.20-3.module_el8.3.0+476+0982bc20.x86_64

5. systemctl restart radiusd # always fail

Actual results:

[root@localhost ~]# systemctl restart radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status -l radiusd
* radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-12-09 18:08:34 JST; 1s ago
  Process: 72024 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=2)
  Process: 72022 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 71762 (code=exited, status=0/SUCCESS)

Dec 09 18:08:34 localhost.localdomain sh[72024]: The matching entry has the following details
Dec 09 18:08:34 localhost.localdomain sh[72024]: Type          :Valid
Dec 09 18:08:34 localhost.localdomain sh[72024]: Expires on    :210207085204Z
Dec 09 18:08:34 localhost.localdomain sh[72024]: Serial Number :01
Dec 09 18:08:34 localhost.localdomain sh[72024]: File name     :unknown
Dec 09 18:08:34 localhost.localdomain sh[72024]: Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 09 18:08:34 localhost.localdomain sh[72024]: make: *** [Makefile:95: server.crt] エラー 1
Dec 09 18:08:34 localhost.localdomain systemd[1]: radiusd.service: Control process exited, code=exited status=2
Dec 09 18:08:34 localhost.localdomain systemd[1]: radiusd.service: Failed with result 'exit-code'.
Dec 09 18:08:34 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..

Expected results:

Update smoothly.

Additional info:

I guess %config(noreplace) does not work in freeradius.spec.

 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 and so on

%config(noreplace) will create a .rpmnew file if the same file already existed,
but no *.rpmnew files are found in the /etc/raddb/certs directory.
Could you give up writing %attr and %config(noreplace) on one line?

Comment 1 Alex Scheel 2020-12-09 19:35:27 UTC
Can you provide the full journalctl log from FreeRADIUS from the failed start? Thanks!

Comment 2 AIKAWA Shigechika 2020-12-10 02:05:51 UTC
Thank you for your response.
The following is the journalctl output.

* dnf update -y freeradius # update from freeradius-3.0.17.. to freeradius-3.0.20...

# systemctl restart radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
# journalctl -xe
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has successfully entered the 'dead' state.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has finished shutting down.
Dec 10 10:30:41 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
-- Subject: Unit radiusd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has begun starting up.
Dec 10 10:30:41 localhost.localdomain sh[2212]: openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Dec 10 10:30:41 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: .................................................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...............+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'server.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r server.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl req -new -x509 -keyout ca.key -out ca.pem \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -days '60' -config ./ca.cnf \
Dec 10 10:30:42 localhost.localdomain sh[2212]:         -passin pass:'whatever' -passout pass:'whatever'
Dec 10 10:30:42 localhost.localdomain sh[2212]: Generating a RSA private key
Dec 10 10:30:42 localhost.localdomain sh[2212]: ...........................................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: ..........................................+++++
Dec 10 10:30:42 localhost.localdomain sh[2212]: writing new private key to 'ca.key'
Dec 10 10:30:42 localhost.localdomain sh[2212]: -----
Dec 10 10:30:42 localhost.localdomain sh[2212]: chmod g+r ca.key
Dec 10 10:30:42 localhost.localdomain sh[2212]: openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Using configuration from ./server.cnf
Dec 10 10:30:42 localhost.localdomain sh[2212]: Check that the request matches the signature
Dec 10 10:30:42 localhost.localdomain sh[2212]: Signature ok
Dec 10 10:30:42 localhost.localdomain sh[2212]: ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: The matching entry has the following details
Dec 10 10:30:42 localhost.localdomain sh[2212]: Type          :Valid
Dec 10 10:30:42 localhost.localdomain sh[2212]: Expires on    :210208012936Z
Dec 10 10:30:42 localhost.localdomain sh[2212]: Serial Number :01
Dec 10 10:30:42 localhost.localdomain sh[2212]: File name     :unknown
Dec 10 10:30:42 localhost.localdomain sh[2212]: Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin
Dec 10 10:30:42 localhost.localdomain sh[2212]: make: *** [Makefile:95: server.crt] Error 1
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Control process exited, code=exited status=2
Dec 10 10:30:42 localhost.localdomain systemd[1]: radiusd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit radiusd.service has entered the 'failed' state with result 'exit-code'.
Dec 10 10:30:42 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
-- Subject: Unit radiusd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit radiusd.service has failed.
--
-- The result is failed.

Thank you.

PS

There are no *.rpmnew files in /etc/raddb/certs/ after updating.
It seems %attr works fine, but %config(noreplace) does not work in the freeradius.spec of the src.rpm.
I guess you should fix %config(noreplace) in freeradius.spec.

[root@localhost ~]# ls -l /etc/raddb/certs/
total 160
-rw-r-----. 1 root radiusd 4431 May  7  2020 01.pem
-rw-r-----. 1 root radiusd 4408 May  7  2020 02.pem
-rw-r-----. 1 root radiusd 6424 Sep  1 05:46 Makefile
-rw-r-----. 1 root radiusd 8876 Sep  1 05:46 README
-rwxr-x---. 1 root radiusd 2941 Sep  1 05:46 bootstrap
-rw-r-----. 1 root radiusd 1432 Sep  1 05:46 ca.cnf
-rw-r-----. 1 root radiusd 1278 May  7  2020 ca.der
-rw-r-----. 1 root radiusd 1854 Dec 10 10:30 ca.key
-rw-r-----. 1 root radiusd 1785 Dec 10 10:30 ca.pem
-rw-r-----. 1 root radiusd 1103 Sep  1 05:46 client.cnf
-rw-r-----. 1 root radiusd 4408 May  7  2020 client.crt
-rw-r-----. 1 root radiusd 1045 May  7  2020 client.csr
-rw-r-----. 1 root radiusd 1854 May  7  2020 client.key
-rw-r-----. 1 root radiusd 2581 May  7  2020 client.p12
-rw-r-----. 1 root radiusd 3687 May  7  2020 client.pem
-rw-r-----. 1 root radiusd  424 May  7  2020 dh
-rw-r-----. 1 root radiusd  229 May  7  2020 index.txt
-rw-r-----. 1 root radiusd   21 May  7  2020 index.txt.attr
-rw-r-----. 1 root radiusd   21 May  7  2020 index.txt.attr.old
-rw-r-----. 1 root radiusd  120 May  7  2020 index.txt.old
-rw-r-----. 1 root radiusd 1131 Sep  1 05:46 inner-server.cnf
-rw-r--r--. 1 root radiusd  166 Sep  1 05:46 passwords.mk
lrwxrwxrwx. 1 root root      12 Dec 10 10:30 random -> /dev/urandom
-rw-r-----. 1 root radiusd 1464 Sep  1 05:46 rfc3526-group-18-8192.dhparam
-rw-r-----. 1 root radiusd    3 May  7  2020 serial
-rw-r-----. 1 root radiusd    3 May  7  2020 serial.old
-rw-r-----. 1 root radiusd 1627 Sep  1 05:46 server.cnf
-rw-r-----. 1 root radiusd 4431 May  7  2020 server.crt
-rw-r-----. 1 root radiusd 1196 Dec 10 10:30 server.csr
-rw-r-----. 1 root radiusd 1854 Dec 10 10:30 server.key
-rw-r-----. 1 root radiusd 2589 May  7  2020 server.p12
-rw-r-----. 1 root radiusd 3710 May  7  2020 server.pem
-rw-r-----. 1 root radiusd 3687 May  7  2020 user.pem
-rw-r-----. 1 root radiusd  764 Sep  1 05:46 xpextensions

Comment 3 Alex Scheel 2020-12-17 16:10:52 UTC
By the way, do you need a workaround for this or have you figured that out?

Comment 4 AIKAWA Shigechika 2020-12-23 02:23:19 UTC
Currently, %config(noreplace) does not work.
You should resolve the %config(noreplace) behaviour in freeradius.spec.

Comment 5 Alex Scheel 2021-01-06 16:00:33 UTC
Revisiting this, my understanding is that %config(noreplace) only works if you have modified the files locally. If you haven't, then there is no option that I know of that will preserve the version from first package install, and not overwrite them. I believe this ultimately comes down to the MD5 sum in the RPM database, not the file mtime. 

Did you modify the contents of these files, prior to upgrading freeradius-server?

Comment 6 Orion Poplawski 2021-01-11 18:10:22 UTC
I'm seeing the same issue.  I don't think %config(noreplace) really applies here.  I think the issue is due to the make rules:

ca.key ca.pem: ca.cnf
server.csr server.key: server.cnf
client.csr client.key: client.cnf
inner-server.csr inner-server.key: inner-server.cnf

This says that if the .cnf files are updated, the related keys and certs need to be regenerated - but I don't think this is true.  Or if it is, you need a make rule that actually succeeds to regenerate the server certificate rather than generating an error.

Comment 7 AIKAWA Shigechika 2021-02-13 03:58:07 UTC
This bug is not fixed yet.
BTW, I found a work-around for this trouble.

 cd /etc/raddb/certs
 make destroycerts

Please try :-)

Comment 8 Orion Poplawski 2021-02-25 15:54:55 UTC
Another failure mode for bootstrap:

Feb 24 12:34:33 systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Feb 24 12:34:33 sh[1466308]: C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin, CN = Example Certificate Authority
Feb 24 12:34:33 sh[1466308]: error 10 at 1 depth lookup: certificate has expired
Feb 24 12:34:33 sh[1466308]: error server.pem: verification failed
Feb 24 12:34:33 sh[1466308]: make: *** [Makefile:107: server.vrfy] Error 2
Feb 24 12:34:33 systemd[1]: radiusd.service: Control process exited, code=exited status=2
Feb 24 12:34:33 systemd[1]: radiusd.service: Failed with result 'exit-code'.
Feb 24 12:34:33 systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..

I think bootstrap just needs to be removed from the service unit file.

Comment 10 Robbie Harwood 2021-03-10 22:51:33 UTC
(In reply to Orion Poplawski from comment #8)
> I think bootstrap just needs to be removed from the service unit file.

I agree.  This will be how the package behaves in future RHEL releases.  FreeRADIUS shouldn't be involved in certificate generation and management - especially since it's just making self-signed certificates anyhow.

The solution we're going with for RHEL <= 8 is that, since updating the package requires doing this anyway, edit the unit file to remove the bootstrap line: https://access.redhat.com/solutions/5767041

Please let me know if this presents a problem and we can discuss further.
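Added example (not code from the bug report, the freeradius package or the KB article): a pre-upgrade check that mirrors the Makefile dependency lines quoted in comment 6 and reports which generated keys/CSRs `make` would try to rebuild because their .cnf carries a newer mtime, plus a helper that writes the systemd drop-in described in comment 10 (clear ExecStartPre=, keep only the chown step shown in the status output). The drop-in directory, the scratch certs directory and its timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; the dependency map is copied from the make rules in comment 6,
# the chown line from the systemctl status output in the description.
set -u

# Print "output <- config" for every generated file whose .cnf is newer (or which
# is missing). Returns 0 if nothing is stale, 1 if bootstrap would regenerate.
stale_certs() {
  dir=$1; stale=0
  for rule in "ca.key ca.pem:ca.cnf" "server.csr server.key:server.cnf" \
              "client.csr client.key:client.cnf" \
              "inner-server.csr inner-server.key:inner-server.cnf"; do
    outputs=${rule%%:*}; cnf=${rule##*:}
    [ -f "$dir/$cnf" ] || continue          # rule cannot fire without its config
    for out in $outputs; do
      # make treats a missing target, or a prerequisite newer than it, as out of date
      if [ ! -f "$dir/$out" ] || [ "$dir/$cnf" -nt "$dir/$out" ]; then
        echo "$out <- $cnf"; stale=1
      fi
    done
  done
  return $stale
}

# Write a drop-in that resets the ExecStartPre= list and re-adds only the chown
# step, so radiusd no longer runs /etc/raddb/certs/bootstrap on every start.
# Real path (assumption): /etc/systemd/system/radiusd.service.d/, then daemon-reload.
write_bootstrap_override() {
  dropin_dir=$1
  mkdir -p "$dropin_dir"
  printf '%s\n' '[Service]' 'ExecStartPre=' \
    'ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd' \
    > "$dropin_dir/override.conf"
}

# Constructed scratch directory standing in for /etc/raddb/certs (no real keys):
# generated files keep the old install timestamp, .cnf files the newer package one.
make_sample_certs_dir() {
  d=$(mktemp -d)
  for f in ca.cnf server.cnf ca.key ca.pem server.csr server.key; do : > "$d/$f"; done
  touch -t 202005070000 "$d/ca.key" "$d/ca.pem" "$d/server.csr" "$d/server.key"
  touch -t 202009010546 "$d/ca.cnf" "$d/server.cnf"
  echo "$d"
}

sample=$(make_sample_certs_dir)
stale_certs "$sample" || echo "bootstrap would regenerate the files above; see comment 7 or the drop-in"
```

Run `stale_certs /etc/raddb/certs` before `dnf update freeradius` to know whether the restart will hit the make error; a clean result means the update can proceed without touching the certs directory.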

