Bug 38786 - freeradius does not start after installation: Unable to open DH file - /etc/freeradius/ssl/dh
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on:
Blocks:
Reported: 2015-06-29 13:53 CEST by Janis Meybohm
Modified: 2015-10-14 14:58 CEST (History)

Description Janis Meybohm univentionstaff 2015-06-29 13:53:21 CEST
Installed univention-radius on 4.0-2 DC-Slave (UCS@school) via App Center.
Startup of the service fails because of wrong permissions/ownership for /etc/freeradius/ssl/dh

-- /var/log/freeradius/radius.log
Wed May  6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default[273]: Failed to load module "mschap".
Wed May  6 09:38:16 2015 : Error: /etc/freeradius/sites-enabled/default[273]: Failed to parse "mschap" entry.
Wed May  6 09:38:16 2015 : Error: Failed to load virtual server <default>
Wed May  6 09:38:26 2015 : Error: rlm_eap_tls: Unable to open DH file - /etc/freeradius/ssl/dh
Wed May  6 09:38:26 2015 : Error: rlm_eap: Failed to initialize type tls
...
--

Workaround:
chown freerad /etc/freeradius/ssl/dh
invoke-rc.d freeradius start
Comment 1 Daniel Tröder univentionstaff 2015-09-07 14:26:59 CEST
SSL key generation was moved from joinscript to postinst.

Commits: 63483, 63484
YAML (r63486): 2015-09-03-univention-radius.yaml
Merge to 4.1: 63485
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-09-28 13:20:40 CEST
I think adding a "chmod 444 /etc/freeradius/ssl/dh" to the join script would have been sufficient to fix the issue. At least in my test, it was sufficient.

Are there any reasons to move the key handling to the postinst script?
With the postinst variant I see some drawbacks:
- the private.key/cert.pem is only copied once; so no chance to update the key
  e.g. by re-executing the join script via UMC module; this also applies during
  rejoin → the SSL certificate may be revoked
- univention-radius cannot be installed prior to joining the system. The SSL
  certificate is only available after the system has been joined. So copying
  private.key and cert.pem in postinst will fail if the system is not joined yet.
  (→ before Univention App Center in some customer environments univention-radius
     has been installed before joining the system)

→ REOPEN
Comment 3 Daniel Tröder univentionstaff 2015-10-01 11:02:58 CEST
Commits 64126 + 64127 move the DH file generation back into the join script.
Merge to 4.1 is included in commits.
YAML: 64128
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-10-14 09:34:02 CEST
OK: code change
OK: functional test 
OK: YAML
OK: changes merged to 4.1-0

→ freeradius has been started automatically if the join script has been run
Comment 5 Janek Walkenhorst univentionstaff 2015-10-14 14:58:03 CEST
<http://errata.software-univention.de/ucs/4.0/337.html>