|
 |
acdfd7 |
Author: Antonio Torres <antorres@redhat.com>
|
|
|
acdfd7 |
Date: Wed Jul 20 2021
|
|
|
acdfd7 |
Subject: [PATCH] ensure bootstrap script is run only once
|
|
|
acdfd7 |
|
|
|
acdfd7 |
The bootstrap script should only run once. By checking if there are
|
|
|
acdfd7 |
certificates in the directory, we can exit early if certificates were
|
|
|
acdfd7 |
already generated.
|
|
|
acdfd7 |
|
|
|
acdfd7 |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
|
|
|
acdfd7 |
Signed-off-by: Antonio Torres antorres@redhat.com
|
|
|
acdfd7 |
---
|
|
|
acdfd7 |
raddb/certs/README | 16 ++++++----------
|
|
|
acdfd7 |
raddb/certs/bootstrap | 18 ++++++++++++------
|
|
|
acdfd7 |
2 files changed, 18 insertions(+), 16 deletions(-)
|
|
|
acdfd7 |
|
|
|
acdfd7 |
diff --git a/raddb/certs/README b/raddb/certs/README
|
|
|
acdfd7 |
index 6288921da1..32413964dd 100644
|
|
|
acdfd7 |
--- a/raddb/certs/README
|
|
|
acdfd7 |
+++ b/raddb/certs/README
|
|
|
acdfd7 |
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
|
|
|
acdfd7 |
your users, and to issue client certificates for EAP-TLS.
|
|
|
acdfd7 |
|
|
|
acdfd7 |
If FreeRADIUS was configured to use OpenSSL, then simply starting
|
|
|
acdfd7 |
-the server in root in debugging mode should also create test
|
|
|
acdfd7 |
-certificates, i.e.:
|
|
|
acdfd7 |
+the server in root mode should also create test certificates.
|
|
|
acdfd7 |
|
|
|
acdfd7 |
-$ radiusd -X
|
|
|
acdfd7 |
-
|
|
|
acdfd7 |
- That will cause the EAP-TLS module to run the "bootstrap" script in
|
|
|
acdfd7 |
-this directory. The script will be executed only once, the first time
|
|
|
acdfd7 |
-the server has been installed on a particular machine. This bootstrap
|
|
|
acdfd7 |
-script SHOULD be run on installation of any pre-built binary package
|
|
|
acdfd7 |
-for your OS. In any case, the script will ensure that it is not run
|
|
|
acdfd7 |
-twice, and that it does not over-write any existing certificates.
|
|
|
acdfd7 |
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
|
|
|
acdfd7 |
+The script will be executed during every start of FreeRADIUS via systemd but
|
|
|
acdfd7 |
+the script will ensure that it does not overwrite any existing certificates.
|
|
|
acdfd7 |
+Ideally, the bootstrap script file should be deleted after new testing certificates
|
|
|
acdfd7 |
+have been generated.
|
|
|
acdfd7 |
|
|
|
acdfd7 |
If you already have CA and server certificates, rename (or delete)
|
|
|
acdfd7 |
this directory, and create a new "certs" directory containing your
|
|
|
acdfd7 |
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
|
|
acdfd7 |
index 0f719aafd4..92254dc936 100755
|
|
|
acdfd7 |
--- a/raddb/certs/bootstrap
|
|
|
acdfd7 |
+++ b/raddb/certs/bootstrap
|
|
|
acdfd7 |
@@ -1,12 +1,18 @@
|
|
|
acdfd7 |
#!/bin/sh
|
|
|
acdfd7 |
#
|
|
|
acdfd7 |
-# This is a wrapper script to create default certificates when the
|
|
|
acdfd7 |
-# server first starts in debugging mode. Once the certificates have been
|
|
|
acdfd7 |
-# created, this file should be deleted.
|
|
|
acdfd7 |
+# Bootstrap script should be run only once. If there are already certificates
|
|
|
acdfd7 |
+# generated, skip the execution.
|
|
|
acdfd7 |
+#
|
|
|
acdfd7 |
+cd `dirname $0`
|
|
|
acdfd7 |
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
|
|
|
acdfd7 |
+ exit 0
|
|
|
acdfd7 |
+fi
|
|
|
acdfd7 |
+
|
|
|
acdfd7 |
#
|
|
|
acdfd7 |
-# Ideally, this program should be run as part of the installation of any
|
|
|
acdfd7 |
-# binary package. The installation should also ensure that the permissions
|
|
|
acdfd7 |
-# and owners are correct for the files generated by this script.
|
|
|
acdfd7 |
+# This is a wrapper script to create default certificates when the
|
|
|
acdfd7 |
+# server starts via systemd. It should also ensure that the
|
|
|
acdfd7 |
+# permissions and owners are correct for the generated files. Once
|
|
|
acdfd7 |
+# the certificates have been created, this file should be deleted.
|
|
|
acdfd7 |
#
|
|
|
acdfd7 |
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
|
|
|
acdfd7 |
#
|