Bug 1954521 - Freeradius should not generate default certificates and run bootstrap script during every start
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: freeradius
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Antonio Torres
QA Contact: Filip Dvorak
Docs Contact: lmcgarry
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-28 10:28 UTC by Filip Dvorak
Modified: 2021-11-10 01:43 UTC (History)

Fixed In Version: freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
Doc Type: Bug Fix
Doc Text:
.FreeRADIUS no longer incorrectly generating default certificates when the bootstrap script is run

A bootstrap script runs each time FreeRADIUS is started. Previously, this script generated new testing certificates in the `/etc/raddb/certs` directory and, as a result, the FreeRADIUS server sometimes failed to start because these testing certificates were invalid. For example, the certificates might have expired. With this update, the bootstrap script checks the `/etc/raddb/certs` directory and, if it contains any testing or customer certificates, the script is not run and the FreeRADIUS server should start correctly. Note that the testing certificates are only for testing purposes during the configuration of FreeRADIUS and should not be used in a real environment. The bootstrap script should be deleted once the users' certificates are used.
Clone Of:
Environment:
Last Closed: 2021-11-09 18:51:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7299 0 None None None 2021-11-09 18:57:47 UTC
Red Hat Product Errata RHBA-2021:4317 0 None None None 2021-11-09 18:51:12 UTC

Description Filip Dvorak 2021-04-28 10:28:01 UTC
Description of problem:
We changed the generation of the default certificate for FR because of this bug [1]. Now the default certificates are generated during the systemd start of radiusd. The problem is that the bootstrap script is run during every start and it verifies these default certificates. When these certificates expire after 60 days (for example, the user uses their own certificates but did not delete the def. certificates in /etc/raddb/certs), FR fails to start. This issue has affected the upgrade of FR as well - https://access.redhat.com/solutions/5767041

The possible solution:
- run the bootstrap script only once and not during every systemd start (it could be a little bit tricky because the bootstrap script is mentioned in the unit file)
- modify the bootstrap script
      - the bootstrap script should stay in the unit file and run during the start of FR
      - if there are one or more def. certificates (valid, invalid, expired) in /etc/raddb/certs, bootstrap should not generate/replace/remove/verify any of them
      - the bootstrap script should generate all default certificates and dh if there are not any existing def. certificates in /etc/raddb/certs
      - the bootstrap script should verify def. certificates ONLY during generation of these certs
 
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1672285

Version-Release number of selected component (if applicable):
freeradius-3.0.20-3
RHEL8.4


Steps to Reproduce:
1. systemctl start radiusd
2. wait for 60 days or change date on the system
cd /etc/raddb/certs
openssl x509 -in server.pem -noout -text | grep -e{Before,After}
date -s 'Jun 28 10:12:09 2021 GMT'

3. systemctl start radiusd

Actual results:
...
- Unit radiusd.service has begun starting up.
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin, CN = Example Certificate Authority
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error 10 at 1 depth lookup: certificate has expired
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error 10 at 0 depth lookup: certificate has expired
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: error server.pem: verification failed
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com sh[5481]: make: *** [Makefile:107: server.vrfy] Error 2
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com systemd[1]: radiusd.service: Control process exited, code=exited status=2
Jun 28 06:12:20 ci-vm-10-0-136-152.hosted.upshift.rdu2.redhat.com systemd[1]: radiusd.service: Failed with result 'exit-code'.
...

Expected results:
I am inclined toward the first solution, but the second is fine as well. In either case, radiusd should start smoothly.

Additional info:
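
The guard described in the second proposed solution, as an added example that is not the reporter's code nor the FreeRADIUS bootstrap script: it decides whether certificate generation should run at all by checking only for the existence of default artefacts in the certs directory, never their validity, so an expired test certificate left behind cannot block startup. Verification is confined to the generation step, exactly as the proposal asks. The file names in DEFAULT_CERT_FILES and the use of `make` as the generation command are assumptions (the example only echoes the command); the expiry report is an added defender-side check that warns but never fails.

```shell
#!/bin/sh
# Added example, not the FreeRADIUS bootstrap script: decide whether bootstrap
# should run, based solely on whether any default artefact already exists.
# Assumption: the default artefacts are the files listed below.
DEFAULT_CERT_FILES="ca.pem server.pem client.pem dh"

# Print "skip" if any default artefact exists in $1 (valid, invalid or
# expired, it does not matter), "generate" otherwise. No validity check here:
# verification belongs only to the generation step.
decide_bootstrap() {
    certdir=$1
    for f in $DEFAULT_CERT_FILES; do
        if [ -e "$certdir/$f" ]; then
            echo skip
            return 0
        fi
    done
    echo generate
}

# Warn about default certificates that are already expired (or unreadable),
# so an administrator knows to delete leftover test certificates. Never
# fails the start; silently skipped when openssl is not installed.
report_expired() {
    certdir=$1
    command -v openssl >/dev/null 2>&1 || return 0
    for f in ca.pem server.pem client.pem; do
        [ -f "$certdir/$f" ] || continue
        # -checkend 0 exits non-zero if the certificate has already expired
        if ! openssl x509 -in "$certdir/$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "warning: $certdir/$f is expired or not a certificate; remove it if it is a leftover test cert"
        fi
    done
}

# Wrapper suitable for an ExecStartPre= line (hypothetical usage). Generation
# is only echoed here so the example runs anywhere.
run_bootstrap_once() {
    certdir=$1
    case $(decide_bootstrap "$certdir") in
        skip)
            echo "certs present in $certdir, bootstrap not run"
            report_expired "$certdir"
            ;;
        generate)
            echo "no certs in $certdir, would run: make -C $certdir"
            ;;
    esac
}

# Constructed demo: one empty certs directory, one holding a stale server.pem.
demo=$(mktemp -d)
mkdir "$demo/empty" "$demo/existing"
touch "$demo/existing/server.pem"   # any default cert, even an expired one, counts
run_bootstrap_once "$demo/empty"
run_bootstrap_once "$demo/existing"
rm -rf "$demo"
```

Dropping this in place of the unconditional bootstrap call keeps the unit file unchanged (the reporter's concern about solution #1) while making the expired-certificate failure shown in the log above impossible; the warning from report_expired is what tells the administrator to clean up the test certificates once real ones are in use.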

Comment 3 Hallvard B Furuseth 2021-07-02 05:27:18 UTC
The /etc/raddb/certs/bootstrap script itself recommends solution #1:

# (...) Once the certificates have been created, this file should be deleted.
# Ideally, this program should be run as part of the installation of any
# binary package. (...)

Comment 22 errata-xmlrpc 2021-11-09 18:51:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4317

