Bug 38786 - freeradius does not start after installation: Unable to open DH file - /etc/freeradius/ssl/dh
freeradius does not start after installation: Unable to open DH file - /etc/f...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-3-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-29 13:53 CEST by Janis Meybohm
Modified: 2015-10-14 14:58 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2015-06-29 13:53:21 CEST
Installed univention-radius on 4.0-2 DC-Slave (UCS@school) via App Center.
Startup of the service fails because of wrong permissions/ownership for /etc/freeradius/ssl/dh

-- /var/log/freeradius/radius.log
Wed May  6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default[273]: Failed to load module "mschap".
Wed May  6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default[273]: Failed to parse "mschap" entry.
Wed May  6 09:38:16 2015 : Error: Failed to load virtual server <default>
Wed May  6 09:38:26 2015 : Error: rlm_eap_tls: Unable to open DH file - /etc/freeradius/ssl/dh
Wed May  6 09:38:26 2015 : Error: rlm_eap: Failed to initialize type tls
...
--

Workaround:
chown freerad /etc/freeradius/ssl/dh
invoke-rc.d freeradius start
Comment 1 Daniel Tröder univentionstaff 2015-09-07 14:26:59 CEST
SSL key generation was moved from joinscript to postinst.

Commits: 63483, 63484
YAML (r63486): 2015-09-03-univention-radius.yaml
Merge to 4.1: 63485
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-09-28 13:20:40 CEST
I think adding a "chmod 444 /etc/freeradius/ssl/dh" to the join script would have been sufficient to fix the issue. At least in my test, it was sufficient.

Are there any reasons to move the key handling to the postinst script?
With the postinst variant I see some drawbacks:
- the private.key/cert.pem is only copied once; so no chance to update the key 
  e.g. by reexcuting the join script via UMC module; this also applies during 
  rejoin → the SSL certificate may be revoked
- univention-radius cannot be installed prior to joining the system. The SSL 
  certficate is only available after the system has been join. So copying 
  private.key and cert.pem in postinst will fail, if the system is not joined yet.
  (→ before Univention App Center in some customer environments univention-radius 
     has been installed before joining the system)

→ REOPEN
Comment 3 Daniel Tröder univentionstaff 2015-10-01 11:02:58 CEST
Commits 64126 + 64127 move the DH file generation back into the join script.
Merge to 4.1 is included in commits.
YAML: 64128
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-10-14 09:34:02 CEST
OK: code change
OK: functional test 
OK: YAML
OK: changes merged to 4.1-0

→ freeradius has been started automatically, if join script has been run
Comment 5 Janek Walkenhorst univentionstaff 2015-10-14 14:58:03 CEST
<http://errata.software-univention.de/ucs/4.0/337.html>