Bug 1835249 - systemctl start radius because radiusd generates certificates with a wrong group
Summary: systemctl start radius because radiusd generates certificates with a wrong group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeradius
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Alex Scheel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-13 13:46 UTC by Filip Dvorak
Modified: 2020-08-13 01:38 UTC (History)

Fixed In Version: freeradius-3.0.21-2.fc31 freeradius-3.0.21-2.fc30 freeradius-3.0.21-2.fc32 freeradius-3.0.21-7.fc31 freeradius-3.0.21-7.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-13 01:31:16 UTC
Type: Bug
Embargoed:



Description Filip Dvorak 2020-05-13 13:46:36 UTC
Description of problem:
It is not possible to run radiusd (systemctl start radiusd) because it generates certificates with a wrong group (root instead of radiusd).

Version-Release number of selected component (if applicable):
freeradius-3.0.21-1.fc31.x86_64
Fedora 31

How reproducible:
always

Steps to Reproduce:
1. install freeradius server
2. systemctl start radiusd

Actual results:
# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.

cat /var/log/radius/radius.log
tls: Failed reading certificate file "/etc/raddb/certs/server.pem"
tls: error:0200100D:system library:fopen:Permission denied
tls: error:20074002:BIO routines:file_ctrl:system lib
tls: error:140DC002:SSL routines:use_certificate_chain_file:system lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"


Expected results:
The command systemctl radiusd should finish successfully and create correct certificates.

Additional info:
# ll /etc/raddb/certs/server.*
-rw-r-----. 1 root radiusd 1627 Apr  7 10:18 /etc/raddb/certs/server.cnf
-rw-r-----. 1 root root    4559 May 13 09:36 /etc/raddb/certs/server.crt
-rw-r-----. 1 root root    1196 May 13 09:36 /etc/raddb/certs/server.csr
-rw-r-----. 1 root root    1854 May 13 09:36 /etc/raddb/certs/server.key
-rw-r-----. 1 root root    2621 May 13 09:36 /etc/raddb/certs/server.p12
-rw-r-----. 1 root root    3747 May 13 09:36 /etc/raddb/certs/server.pem

Comment 1 Fedora Update System 2020-05-13 16:26:55 UTC
FEDORA-2020-b3d89903b3 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b3d89903b3

Comment 2 Fedora Update System 2020-05-13 16:40:55 UTC
FEDORA-2020-b1f620db55 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b1f620db55

Comment 3 Fedora Update System 2020-05-13 16:51:19 UTC
FEDORA-2020-ab387da9de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ab387da9de

Comment 4 Fedora Update System 2020-05-14 04:31:42 UTC
FEDORA-2020-ab387da9de has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ab387da9de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ab387da9de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-05-14 06:07:14 UTC
FEDORA-2020-b3d89903b3 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b3d89903b3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b3d89903b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-05-14 07:25:25 UTC
FEDORA-2020-b1f620db55 has been pushed to the Fedora 30 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b1f620db55`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b1f620db55

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-05-22 03:19:12 UTC
FEDORA-2020-b3d89903b3 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 8 Fedora Update System 2020-05-22 04:21:43 UTC
FEDORA-2020-b1f620db55 has been pushed to the Fedora 30 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 9 Fedora Update System 2020-05-22 05:30:38 UTC
FEDORA-2020-ab387da9de has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 10 Filip Dvorak 2020-07-28 10:35:11 UTC
Hello,
the fix should be in this version of FR freeradius-3.0.21-2.fc31 but the issue with certificates is still there.

Used version:
Fedora 31, freeradius-3.0.21-2.fc31.x86_64

Steps to Reproduce:
1. install freeradius server
2. systemctl start radiusd

Actual result:
[root ~]# rpm -qa | grep freeradius
freeradius-3.0.21-2.fc31.x86_64

[root ~]# radiusd -X
---snipped---
   	timeout = 0
    	softfail = no
    }
   }
tls: Failed reading certificate file "/etc/raddb/certs/server.pem"
tls: error:0200100D:system library:fopen:Permission denied
tls: error:20074002:BIO routines:file_ctrl:system lib
tls: error:140DC002:SSL routines:use_certificate_chain_file:system lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"


[root ~]# ll /etc/raddb/certs/
total 160
-rw-r-----. 1 root root    4559 Jul 28 06:26 01.pem
-rw-r-----. 1 root root    4408 Jul 28 06:26 02.pem
-rwxr-x---. 1 root radiusd 2823 May 13 12:20 bootstrap
-rw-r-----. 1 root radiusd 1432 May 13 12:20 ca.cnf
-rw-r-----. 1 root root     478 Jul 28 06:26 ca.crl
-rw-r-----. 1 root root    1278 Jul 28 06:26 ca.der
-rw-r-----. 1 root root    1854 Jul 28 06:26 ca.key
-rw-r-----. 1 root root    1785 Jul 28 06:26 ca.pem
-rw-r-----. 1 root radiusd 1103 May 13 12:20 client.cnf
-rw-r-----. 1 root root    4408 Jul 28 06:26 client.crt
-rw-r-----. 1 root root    1045 Jul 28 06:26 client.csr
-rw-r-----. 1 root root    1854 Jul 28 06:26 client.key
-rw-r-----. 1 root root    2581 Jul 28 06:26 client.p12
-rw-r-----. 1 root root    3687 Jul 28 06:26 client.pem
-rw-r-----. 1 root root     424 Jul 28 06:26 dh
-rw-r-----. 1 root root     229 Jul 28 06:26 index.txt
-rw-r-----. 1 root root      21 Jul 28 06:26 index.txt.attr
-rw-r-----. 1 root root      21 Jul 28 06:26 index.txt.attr.old
-rw-r-----. 1 root root     120 Jul 28 06:26 index.txt.old
-rw-r-----. 1 root radiusd 1131 May 13 12:20 inner-server.cnf
-rw-r-----. 1 root radiusd 6433 May 13 12:20 Makefile
-rw-r--r--. 1 root radiusd  166 May 13 12:20 passwords.mk
-rw-r-----. 1 root radiusd 8876 May 13 12:20 README
-rw-r-----. 1 root root       3 Jul 28 06:26 serial
-rw-r-----. 1 root root       3 Jul 28 06:26 serial.old
-rw-r-----. 1 root radiusd 1627 May 13 12:20 server.cnf
-rw-r-----. 1 root root    4559 Jul 28 06:26 server.crt
-rw-r-----. 1 root root    1196 Jul 28 06:26 server.csr
-rw-r-----. 1 root root    1854 Jul 28 06:26 server.key
-rw-r-----. 1 root root    2621 Jul 28 06:26 server.p12
-rw-r-----. 1 root root    3747 Jul 28 06:26 server.pem
-rw-r-----. 1 root root    3687 Jul 28 06:26 user.pem
-rw-r-----. 1 root radiusd 3046 May 13 12:20 xpextensions
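
Added example (not part of the bug report or of the freeradius package): a check that reads `ls -l` output and lists the regular files a service account cannot open for reading, which is the condition behind the `fopen:Permission denied` error above. It assumes the daemon runs as user `radiusd` whose only group is `radiusd`; the function names are hypothetical, and ACLs and SELinux context are not evaluated.

```sh
#!/bin/sh
# Added example: flag files in an `ls -l` listing that a service account
# cannot read. Assumption: the account belongs to exactly one group.
# Only the classic owner/group/other mode bits are evaluated.

# unreadable_for USER GROUP
#   Reads `ls -l` lines on stdin and prints the names of regular files
#   that USER (member of GROUP only) would be denied read access to.
unreadable_for() {
    awk -v u="$1" -v g="$2" '
        /^-/ {                      # regular files only; skips "total N"
            mode = $1; owner = $3; group = $4; name = $NF
            # The kernel picks exactly one permission class:
            # owner first, then group, then other.
            if (owner == u)      bit = substr(mode, 2, 1)   # owner read bit
            else if (group == g) bit = substr(mode, 5, 1)   # group read bit
            else                 bit = substr(mode, 8, 1)   # other read bit
            if (bit != "r") print name
        }'
}

# Sample input: four lines taken from the listing in the comment above.
LISTING='-rw-r-----. 1 root radiusd 1627 May 13 12:20 server.cnf
-rw-r-----. 1 root root    1854 Jul 28 06:26 server.key
-rw-r-----. 1 root root    3747 Jul 28 06:26 server.pem
-rw-r--r--. 1 root radiusd  166 May 13 12:20 passwords.mk'

# Runs the check on the sample listing for radiusd:radiusd.
check_listing() {
    printf '%s\n' "$LISTING" | unreadable_for radiusd radiusd
}

check_listing
```

On a live system the same function can be fed directly, for example `ls -l /etc/raddb/certs/ | unreadable_for radiusd radiusd`.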

Comment 11 Alex Scheel 2020-08-04 14:59:47 UTC
Rebuilds in progress, should be done today.

Comment 12 Fedora Update System 2020-08-04 16:19:54 UTC
FEDORA-2020-70b376ec83 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-70b376ec83

Comment 13 Fedora Update System 2020-08-04 16:19:56 UTC
FEDORA-2020-99d2f4b558 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-99d2f4b558

Comment 14 Fedora Update System 2020-08-05 01:05:48 UTC
FEDORA-2020-70b376ec83 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-70b376ec83`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-70b376ec83

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2020-08-05 01:21:40 UTC
FEDORA-2020-99d2f4b558 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-99d2f4b558`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-99d2f4b558

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2020-08-13 01:31:16 UTC
FEDORA-2020-70b376ec83 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 17 Fedora Update System 2020-08-13 01:38:26 UTC
FEDORA-2020-99d2f4b558 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make a note of it in this bug report.

