Hi list, I have a question regarding bootstrapping default certificates using bootstrap script in raddb/certs directory.
From the README:

------
$ radiusd -X

That will cause the EAP-TLS module to run the "bootstrap" script in this directory. The script will be executed only once, the first time the server has been installed on a particular machine. This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS. In any case, the script will ensure that it is not run twice, and that it does not over-write any existing certificates.
------

If I understand that right, it means that when I run the script twice, the generated certificates should not be changed (provided the *.cnf files did not change). But I observe something different:

=======> cd raddb/certs/
=======> ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
<SNIP>
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

Everything OK so far.

=======> touch *.cnf
=======> ./bootstrap
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
<SNIP>
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
    -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
<SNIP>
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 14 15:10:57 2009 GMT
            Not After : Oct 14 15:10:57 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = ad...@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Oct 14 15:10:57 2010 GMT (365 days)
failed to update database
TXT_DB error number 2
make: *** [server.crt] Error 1
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
<SNIP>
Generating a 2048 bit RSA private key
................................................+++
.....+++
writing new private key to 'server.key'
-----
Generating a 2048 bit RSA private key
.............................................................+++
.........................+++
writing new private key to 'ca.key'
-----
Generating a 2048 bit RSA private key
........................+++
...............+++
writing new private key to 'ca.key'
-----
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
ERROR:Serial number 01 has already been issued,
      check the database/serial_file for corruption
The matching entry has the following details
Type          :Valid
Expires on    :101014151025Z
Serial Number :01
File name     :unknown
Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailaddress=ad...@example.com

Please note that generating server.crt failed with "TXT_DB error number 2". Thus, after issuing the ./bootstrap command for the second time, the server.crt file is empty.

If I change unique_subject=yes to unique_subject=no in index.txt.attr before issuing the second ./bootstrap, then the script finishes without errors, but I'm not sure the resulting files are correct.

I have to admit that my knowledge of openssl is very limited, but as far as I understand it, this behavior is a bug, or at least it does not conform to the documentation. I would expect that the bootstrap/Makefile would simply do nothing if the required certificates are already present, no matter what the timestamps of the *.cnf files are.

The testing was done with the current git master branch.

--
Best regards / s pozdravem

Petr Uzel, openSUSE Boosters Team
-----------------------------------------------------------------
SUSE LINUX, s.r.o.                          e-mail: pu...@suse.cz
Lihovarská 1060/12                          http://www.suse.cz
190 00 Prague 9, CR
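As an added example that is not part of the original post, the FreeRADIUS bootstrap script or its Makefile: a POSIX shell sketch of the behaviour the post expects, i.e. a bootstrap that is a no-op when the certificates already exist regardless of *.cnf timestamps, together with a check of the OpenSSL CA database that explains the "TXT_DB error number 2" failure (two valid entries with the same subject while unique_subject is yes). All function names (certs_present, bootstrap_once, fake_generator, unique_subject_enforced, duplicate_subjects) are hypothetical; the file names mirror raddb/certs, the index.txt lines are constructed from the values shown above, and the generator is a stand-in for the openssl commands so the script runs offline.

```sh
#!/bin/sh
# Added example, not the FreeRADIUS bootstrap script. Function names are hypothetical.

# certs_present DIR
# True when every artifact the bootstrap produces exists and is non-empty.
# The empty server.crt left behind by a failed second run counts as missing.
certs_present() {
    _dir=$1
    for _f in ca.pem ca.key server.crt server.key dh; do
        [ -s "$_dir/$_f" ] || return 1
    done
    return 0
}

# bootstrap_once DIR GENERATOR
# Runs GENERATOR (a command that writes the files into DIR) only when the
# certificates are missing. Unlike a make rule keyed on *.cnf mtimes, touching
# the config files does not trigger regeneration. Prints "skip" or "generated".
bootstrap_once() {
    _dir=$1; _gen=$2
    if certs_present "$_dir"; then
        echo "skip"
        return 0
    fi
    "$_gen" "$_dir" || return 1
    echo "generated"
}

# fake_generator DIR
# Stand-in for the openssl commands: writes constructed, non-empty placeholder files.
fake_generator() {
    for _f in ca.pem ca.key server.crt server.key dh; do
        printf 'placeholder %s\n' "$_f" > "$1/$_f"
    done
}

# unique_subject_enforced DIR
# True when index.txt.attr says unique_subject = yes, which is also what
# openssl ca assumes when the attr file is absent; in that mode a second
# valid certificate for an already-used subject is refused (TXT_DB error 2).
unique_subject_enforced() {
    _attr=$1/index.txt.attr
    [ -f "$_attr" ] || return 0
    grep -Eq '^[[:space:]]*unique_subject[[:space:]]*=[[:space:]]*yes' "$_attr"
}

# duplicate_subjects INDEX
# Prints each subject that has more than one valid (V) entry in an OpenSSL CA
# index.txt (tab-separated: status, expiry, revocation, serial, file, subject).
# Empty output means a unique_subject=yes CA would accept the database as-is.
duplicate_subjects() {
    awk -F'\t' '$1 == "V" { n[$NF]++ } END { for (s in n) if (n[s] > 1) print s }' "$1"
}

# demo: bootstrap twice with a touched config in between, then inspect a
# constructed index.txt that mirrors the collision reported above.
demo() {
    _d=$(mktemp -d)
    : > "$_d/server.cnf"
    bootstrap_once "$_d" fake_generator
    touch "$_d/server.cnf"
    bootstrap_once "$_d" fake_generator
    printf 'V\t101014151025Z\t\t01\tunknown\t/CN=Example Server Certificate\n' > "$_d/index.txt"
    printf 'V\t101014151057Z\t\t02\tunknown\t/CN=Example Server Certificate\n' >> "$_d/index.txt"
    echo "duplicate subjects in constructed index.txt:"
    duplicate_subjects "$_d/index.txt"
    rm -rf "$_d"
}
```

The second bootstrap_once call prints "skip" even though server.cnf is newer than every generated file, which is the idempotence the README promises. duplicate_subjects is the pre-check a packager could run before invoking openssl ca: with unique_subject = yes, any subject it prints is one the CA will refuse to sign again while the earlier entry is still valid, so the right fix is to stop regenerating, not to flip unique_subject to no.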