bootstrap: pass -noenc to certificate generation

Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.

Related: rhbz#2069224
Signed-off-by: Antonio Torres <antorres@redhat.com>

freeradius-bootstrap-pass-noenc-to-certificate-generation.patch

@@ -0,0 +1,57 @@
+From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 22 Apr 2022 12:27:43 +0200
+Subject: [PATCH] bootstrap: pass -noenc to certificate generation
+
+Bootstrap script would fail to generate certificates if run on systems
+with FIPS enabled. By passing the -noenc option, we can skip the usage
+of unsupported algorithms on these systems.
+
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ raddb/certs/Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd467ce..df45884a55 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf
+ 	@[ -f serial ] || $(MAKE) serial
+ 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+ 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
+-		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
++		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
+ 	chmod g+r ca.key
+ 
+ ca.der: ca.pem
+@@ -88,7 +88,7 @@ ca.crl: ca.pem
+ #
+ ######################################################################
+ server.csr server.key: server.cnf
+-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
++	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc
+ 	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+@@ -113,7 +113,7 @@ server.vrfy: ca.pem
+ #
+ ######################################################################
+ client.csr client.key: client.cnf
+-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
++	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
+ 	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem
+ #
+ ######################################################################
+ inner-server.csr inner-server.key: inner-server.cnf
+-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
++	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
+ 	chmod g+r inner-server.key
+ 
+ inner-server.crt: inner-server.csr ca.key ca.pem
+-- 
+2.35.1
+

freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
 
@@ -28,6 +28,7 @@ Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
 Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
 Patch8: freeradius-Backport-OpenSSL3-fixes.patch
+Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -213,6 +214,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -855,6 +857,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
+- bootstrap: pass -noenc to certificate generation
+  Related: rhbz#2069224
+
 * Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
 - Move remaining files from /var/run to /run
   Related: rhbz#2047972