73 lines
3.0 KiB
Diff
Author: Antonio Torres <antorres@redhat.com>
Date: Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
The bootstrap script should only run once. By checking if there are
certificates in the directory, we can exit early if certificates were
already generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
raddb/certs/README | 16 ++++++----------
raddb/certs/bootstrap | 18 ++++++++++++------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
-$ radiusd -X
-
- That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine. This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS. In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
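Review bot: the rewritten paragraph starting at "+ The start of FreeRADIUS will cause to run the "bootstrap" script." states that the script now runs on every start "via systemd", but nothing in this patch shows the unit or start hook that invokes it, and this README ships to installs that do not use systemd at all; either name the unit that calls the script or phrase the sentence conditionally. The same paragraph then advises deleting the bootstrap file once test certificates exist, which works against the every-start model: whatever runs the script at start must tolerate its absence, or the deletion advice should go now that the script exits early on its own. Two smaller points: "will cause to run the "bootstrap" script" should read "will run the "bootstrap" script", and the removed `$ radiusd -X` line was the only concrete instruction for triggering generation by hand, so a one-line mention is worth keeping for people who start the server outside systemd.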
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
#!/bin/sh
#
-# This is a wrapper script to create default certificates when the
-# server first starts in debugging mode. Once the certificates have been
-# created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+ exit 0
+fi
+
#
-# Ideally, this program should be run as part of the installation of any
-# binary package. The installation should also ensure that the permissions
-# and owners are correct for the files generated by this script.
+# This is a wrapper script to create default certificates when the
+# server starts via systemd. It should also ensure that the
+# permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
#
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#
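Review bot: the guard `if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]` depends on brace expansion, which the `#!/bin/sh` shebang on line 1 does not guarantee; under a POSIX sh without it (dash, for example) the pattern reaches ls literally, the error is swallowed by `2>/dev/null`, wc prints 0, and the early exit never fires, so the rest of the script runs on every start, which is the behaviour this patch is meant to stop. Spelling the globs out avoids that and is also cheaper than the ls pipeline: `for f in *.pem *.crt *.key; do [ -e "$f" ] && exit 0; done`. Two further points on the same block: a previous run that was interrupted after writing its first key or certificate also trips the guard, so every later start exits 0 with an incomplete set; checking for the final file the script writes (not visible in this hunk), or for the full expected set, is safer than "any matching file". And the `cd` line should quote its argument and fail closed, `cd "$(dirname "$0")" || exit 1`, otherwise a failed cd leaves both the check and the generation that follows running in whatever directory the caller started in. Finally, the retained comment "Once the certificates have been created, this file should be deleted" contradicts the new early-exit design and the "starts via systemd" wording added just above it; one of the two should go.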