Univention Bugzilla – Bug 55489
own certificates are overwritten in radius join script
Last modified: 2023-06-08 13:53:30 CEST
A customer claimed that his own certificates are overwritten during join, or the reexecution of 80univention-radius.inst. After that a radius login was no longer possible.

    mkdir -p /etc/freeradius/ssl
    chmod 2755 /etc/freeradius/ssl
    cp "/etc/univention/ssl/$(hostname)/private.key" /etc/freeradius/ssl/private.key
    cp "/etc/univention/ssl/$(hostname)/cert.pem" /etc/freeradius/ssl/cert.pem
    openssl dhparam -out /etc/freeradius/ssl/dh 1024
    chgrp freerad /etc/freeradius/ssl/private.key
    chgrp freerad /etc/freeradius/ssl/cert.pem
    chmod 440 /etc/freeradius/ssl/private.key
    chmod 444 /etc/freeradius/ssl/cert.pem /etc/freeradius/ssl/dh

We should make this either configurable via ucr or check the existing certificates.
Which certificates in which file should be made configurable? There is already the possibility to modify /etc/freeradius/3.0/mods-available/eap with UCR:

    freeradius/conf/private/key/secret/file
    freeradius/conf/private/key/file
    freeradius/conf/certificate/file
    freeradius/conf/ca/file
(In reply to Mirac Erdemiroglu from comment #3)
> to make our RADIUS run correctly, we bought a certificate and configured it
> in the file /etc/freeradius/3.0/mods-enabled/eap.
>
>
> After automatic updates of the system the file seems to be overwritten, is
> there a way to persistently store the settings?

Let's not debug this at this bug. To me it sounds like the customer changed something in the mentioned file, and a ucr commit put the file back to its 'normal' template state. Above, I already mentioned UCR variables to configure a certificate for freeradius.
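
The "check the existing certificates" option from the original report can be implemented with a checksum stamp, as in the following added example (not code from the Univention join script or from any commenter). The function name `deploy_managed` and the `.deployed.sha256` stamp file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: not the code of 80univention-radius.inst.
#
# deploy_managed SRC DST
#   Copies SRC to DST only while DST is still the file this function deployed.
#   A checksum stamp (DST.deployed.sha256, a name assumed for this example)
#   records what was last written, so a renewed host certificate still
#   replaces the old copy, while a file installed by the admin is left alone.
#   Returns 0 = deployed, 1 = local file kept, 2 = copy failed.
deploy_managed() {
    src=$1
    dst=$2
    stamp="$dst.deployed.sha256"
    if [ -e "$dst" ]; then
        current=$(sha256sum < "$dst" | cut -d' ' -f1)
        if [ -f "$stamp" ]; then
            recorded=$(cat "$stamp")
        elif cmp -s "$src" "$dst"; then
            # Installed before stamps existed but still equal to SRC: adopt it.
            recorded=$current
        else
            recorded=
        fi
        if [ "$current" != "$recorded" ]; then
            echo "keeping locally modified $dst" >&2
            return 1
        fi
    fi
    cp "$src" "$dst" || return 2
    sha256sum < "$dst" | cut -d' ' -f1 > "$stamp"
}

# Usage with the paths quoted in the report; the chgrp/chmod steps follow as before:
#   deploy_managed "/etc/univention/ssl/$(hostname)/cert.pem" /etc/freeradius/ssl/cert.pem
#   deploy_managed "/etc/univention/ssl/$(hostname)/private.key" /etc/freeradius/ssl/private.key
```

A return code of 1 is the case described in the report: the join script can log it and continue instead of replacing the purchased certificate.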