Univention Bugzilla – Bug 38786
freeradius does not start after installation: Unable to open DH file - /etc/freeradius/ssl/dh
Last modified: 2015-10-14 14:58:03 CEST
Installed univention-radius on 4.0-2 DC-Slave (UCS@school) via App Center.
Startup of the service fails because of wrong permissions/ownership for /etc/freeradius/ssl/dh
Wed May 6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default: Failed to load module "mschap".
Wed May 6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default: Failed to parse "mschap" entry.
Wed May 6 09:38:16 2015 : Error: Failed to load virtual server <default>
Wed May 6 09:38:26 2015 : Error: rlm_eap_tls: Unable to open DH file - /etc/freeradius/ssl/dh
Wed May 6 09:38:26 2015 : Error: rlm_eap: Failed to initialize type tls
chown freerad /etc/freeradius/ssl/dh
invoke-rc.d freeradius start
SSL key generation was moved from joinscript to postinst.
Commits: 63483, 63484
YAML (r63486): 2015-09-03-univention-radius.yaml
Merge to 4.1: 63485
I think adding a "chmod 444 /etc/freeradius/ssl/dh" to the join script would have been sufficient to fix the issue. At least in my test, it was sufficient.
Are there any reasons to move the key handling to the postinst script?
With the postinst variant I see some drawbacks:
- the private.key/cert.pem is only copied once; so no chance to update the key
e.g. by reexecuting the join script via UMC module; this also applies during
rejoin → the SSL certificate may be revoked
- univention-radius cannot be installed prior to joining the system. The SSL
certificate is only available after the system has been joined. So copying
private.key and cert.pem in postinst will fail, if the system is not joined yet.
(→ before Univention App Center in some customer environments univention-radius
has been installed before joining the system)
Commits 64126 + 64127 move the DH file generation back into the join script.
Merge to 4.1 is included in commits.
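The join-script step discussed in the comments above (create the DH file once, then give it the ownership and mode the freerad user needs, so that a rejoin can safely re-run it), written as an added example that is not Univention's join script; the function names, the ownership/mode check based on ls -ld, and the use of openssl dhparam for generation are assumptions:

```shell
#!/bin/sh
# Added example (not Univention's code). Ensures the FreeRADIUS DH file exists,
# is owned by the RADIUS user and is readable but not writable, so the server
# can open it at startup and re-running the join script stays harmless.

# dh_file_ok FILE OWNER: returns 0 when FILE is non-empty, owned by OWNER,
# readable by that owner and not writable by group or others.
dh_file_ok() {
    f="$1"; want="$2"
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    # portable parse of 'ls -ld': field 3 is the owner, chars 2-10 the mode bits
    line=$(ls -ld "$f")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    mode=$(printf '%s\n' "$line" | cut -c2-10)
    [ "$owner" = "$want" ] || { echo "owner is $owner, expected $want"; return 1; }
    case "$mode" in
        r*) ;;                                  # owner read bit set
        *) echo "owner cannot read $f (mode $mode)"; return 1 ;;
    esac
    case "$mode" in                             # 6th char: group w, 9th: other w
        ?????w???|????????w) echo "group/other writable: $mode"; return 1 ;;
    esac
    return 0
}

# ensure_dh_file FILE OWNER [BITS]: generate the parameters only once (they are
# not secret, just slow to create), then fix ownership and mode. Idempotent.
ensure_dh_file() {
    f="$1"; owner="$2"; bits="${3:-2048}"
    mkdir -p "$(dirname "$f")" || return 1
    if [ ! -s "$f" ]; then
        command -v openssl >/dev/null || { echo "openssl not found"; return 1; }
        openssl dhparam -out "$f" "$bits" >/dev/null 2>&1 || return 1
    fi
    chown "$owner" "$f" || return 1     # the fix from the report: chown freerad
    chmod 444 "$f" || return 1          # the reviewer's suggestion: chmod 444
    dh_file_ok "$f" "$owner"
}
```

From a join script this would be called as `ensure_dh_file /etc/freeradius/ssl/dh freerad` before the service is started.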
OK: code change
OK: functional test
OK: changes merged to 4.1-0
→ freeradius has been started automatically, if the join script has been run