Radius Service Certificate not updating CA Certificate

[mgarrido@…]

If you activate the RADIUS service inside the Service Certificates page of Zentyal Certificate Authority you will get a non working radius setup with plenty of lines like this in your radius.log:

Tue Dec 6 11:33:01 2011 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Tue Dec 6 11:33:01 2011 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Tue Dec 6 11:33:01 2011 : Auth: Login incorrect: [test] (from client 10.10.10.0/24 port 0 cli d85d4c99e778)

There is a simple solution, take care of the self signed certificate created by install proccess (ca.pem symlink) and create a new one pointing to Zentyal CA Certificate.

lrwxrwxrwx 1 root freerad 30 2011-12-06 12:01 ca.pem -> /var/lib/zentyal/CA/cacert.pem

lrwxrwxrwx 1 root freerad 21 2011-12-01 11:43 ca.pem.bak.pem -> /etc/ssl/certs/ca.pem

(ca.pem.bak.pem is the old symlink certificate while ca.pem is the new one)

I really think that Zentyal should create this symlink when the user activates the RADIUS service certificate.

[jsalamero@…]

According to the code this is what we do:

    if (EBox::Global->modExists('ca')) {
        my $ca = EBox::Global->modInstance('ca');
        my $model = $ca->model('Certificates');
        if ($model->isEnabledService('RADIUS')) {
            push (@params, capath => '/var/lib/zentyal/CA/cacert.pem');
        } else {
            push (@params, capath => '${cadir}/ca.pem');
        }

could you verify the value of capath eap.conf?

[mgarrido@…]

Hi again,

I'm sorry, the bug I filled was the result of a test lab I had created. once I had finished the lab and everything was working fine I destroyed it so I can't offer you any further information without recreating the lab.

Creating these certificates is the way I had solved the problem.

Sorry again and kind regards.

Miguel

[jsalamero@…]

This seem to work here, if you provide detailed steps to reproduce this we can reopen the issue.