Author: Antonio Torres Date: Wed Jul 20 2021 Subject: [PATCH] ensure bootstrap script is run only once The bootstrap script should only run once. By checking if there are certificates in the directory, we can exit early if certificates were already generated. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521 Signed-off-by: Antonio Torres antorres@redhat.com --- raddb/certs/README | 16 ++++++---------- raddb/certs/bootstrap | 18 ++++++++++++------ 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/raddb/certs/README b/raddb/certs/README index 6288921da1..32413964dd 100644 --- a/raddb/certs/README +++ b/raddb/certs/README @@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS. If FreeRADIUS was configured to use OpenSSL, then simply starting -the server in root in debugging mode should also create test -certificates, i.e.: +the server in root mode should also create test certificates. -$ radiusd -X - - That will cause the EAP-TLS module to run the "bootstrap" script in -this directory. The script will be executed only once, the first time -the server has been installed on a particular machine. This bootstrap -script SHOULD be run on installation of any pre-built binary package -for your OS. In any case, the script will ensure that it is not run -twice, and that it does not over-write any existing certificates. + The start of FreeRADIUS will cause to run the "bootstrap" script. +The script will be executed during every start of FreeRADIUS via systemd but +the script will ensure that it does not overwrite any existing certificates. +Ideally, the bootstrap script file should be deleted after new testing certificates +have been generated. If you already have CA and server certificates, rename (or delete) this directory, and create a new "certs" directory containing your diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap index 0f719aafd4..92254dc936 100755 --- a/raddb/certs/bootstrap +++ b/raddb/certs/bootstrap @@ -1,12 +1,18 @@ #!/bin/sh # -# This is a wrapper script to create default certificates when the -# server first starts in debugging mode. Once the certificates have been -# created, this file should be deleted. +# Bootstrap script should be run only once. If there are already certificates +# generated, skip the execution. +# +cd `dirname $0` +if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then + exit 0 +fi + # -# Ideally, this program should be run as part of the installation of any -# binary package. The installation should also ensure that the permissions -# and owners are correct for the files generated by this script. +# This is a wrapper script to create default certificates when the +# server starts via systemd. It should also ensure that the +# permissions and owners are correct for the generated files. Once +# the certificates have been created, this file should be deleted. # # $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $ #