[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/ldap-uid-gid] 2 commits: setup-freeradius-server: Set commonName and subjectAltNames on the server cert

Guido Berhörster (@gber) gitlab at salsa.debian.org
Mon Sep 25 16:56:27 BST 2023



Guido Berhörster pushed to branch personal/gber/ldap-uid-gid at Debian Edu / debian-edu-config


Commits:
8420e6d8 by Guido Berhoerster at 2023-09-25T14:07:51+02:00
setup-freeradius-server: Set commonName and subjectAltNames on the server cert

- - - - -
036bd864 by Guido Berhoerster at 2023-09-25T17:56:07+02:00
setup-freeradius-server: Improve robustness

Use update-ini-file for OpenSSL config files.
Use more precise sed substitutions which do not rely on example values.
Increase password length from 8 to 16 characters.

- - - - -


1 changed file:

- share/debian-edu-config/tools/setup-freeradius-server


Changes:

=====================================
share/debian-edu-config/tools/setup-freeradius-server
=====================================
@@ -115,31 +115,75 @@ cd -
 service freeradius stop
 
 # Generate freeRADIUS specific CA and server certificates and make them available.
-chmod +x bootstrap
-PASSWORD="$(pwgen -1)"
-
-for i in *.cnf xpextensions ; do
-	sed -i "s#whatever#$PASSWORD#g" $i
-	sed -i 's#FR#NO#g' $i
-	sed -i 's#Example Inc.#Debian Edu#g' $i
-	sed -i 's#admin at example.org#postmaster at postoffice.intern#g' $i
-	sed -i 's#user at example.org#user at postoffice.intern#g' $i
-	sed -i 's#example.org/example#intern/intern#g' $i
-	sed -i 's#example.com/example#intern/intern#g' $i
-	sed -i 's#Example S#Debian Edu freeRADIUS S#g' $i
-	sed -i 's#Example C#Debian Edu freeRADIUS C#g' $i
-	sed -i 's#*example.com#*intern#g' $i
-	sed -i 's#radius.example.com#freeradius.intern#g' $i
-	sed -i 's#= 60#= 3650#g' $i
-	sed -i 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' $i
-done
-
-sed -i "s#whatever#$PASSWORD#g" ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.key#freeradius-server.key#' ../mods-available/eap
-sed -i 's#ca-certificates.crt#freeradius-ca.crt#' ../mods-available/eap
-
-./bootstrap
+PASSWORD="$(pwgen -1 16)"
+
+update-ini-file ca.cnf           req input_password "${PASSWORD}"
+update-ini-file client.cnf       req input_password "${PASSWORD}"
+update-ini-file inner-server.cnf req input_password "${PASSWORD}"
+update-ini-file server.cnf       req input_password "${PASSWORD}"
+
+update-ini-file ca.cnf           req output_password "${PASSWORD}"
+update-ini-file client.cnf       req output_password "${PASSWORD}"
+update-ini-file inner-server.cnf req output_password "${PASSWORD}"
+update-ini-file server.cnf       req output_password "${PASSWORD}"
+
+update-ini-file ca.cnf           certificate_authority countryName NO
+update-ini-file client.cnf       client countryName NO
+update-ini-file inner-server.cnf server countryName NO
+update-ini-file server.cnf       server countryName NO
+
+update-ini-file ca.cnf           certificate_authority organizationName "Debian Edu"
+update-ini-file client.cnf       client organizationName "Debian Edu"
+update-ini-file inner-server.cnf server organizationName "Debian Edu"
+update-ini-file server.cnf       server organizationName "Debian Edu"
+
+update-ini-file xpextensions     xpclient_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file xpextensions     xpserver_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf           CA_default   crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf           v3_ca        crlDistributionPoints URI:http://www.intern/intern_ca.crl
+
+update-ini-file ca.cnf           certificate_authority emailAddress postmaster at postoffice.intern
+update-ini-file inner-server.cnf server emailAddress postmaster at postoffice.intern
+update-ini-file server.cnf       server emailAddress postmaster at postoffice.intern
+
+update-ini-file client.cnf       client commonName   user at postoffice.intern
+update-ini-file client.cnf       client emailAddress user at postoffice.intern
+
+update-ini-file ca.cnf           certificate_authority commonName '"Debian Edu freeRADIUS Certificate Authority"'
+update-ini-file server.cnf       server commonName freeradius.intern
+
+update-ini-file server.cnf       alt_names DNS.1 freeradius.intern
+
+update-ini-file ca.cnf           CA_default default_days 3650
+update-ini-file client.cnf       CA_default default_days 3650
+update-ini-file inner-server.cnf CA_default default_days 3650
+update-ini-file server.cnf       CA_default default_days 3650
+
+update-ini-file inner-server.cnf server commonName '"Debian Edu freeRADIUS Inner Server Certificate"'
+
+grep -q '^[[:blank:]]*subjectAltName[[:blank:]=]' xpextensions || cat >>xpextensions <<'EOF'
+
+subjectAltName = @alt_names
+
+#  This should be a host name of the RADIUS server.
+#  Note that the host name is exchanged in EAP *before*
+#  the user machine has network access.  So the host name
+#  here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
+EOF
+
+sed -i \
+    -e "/^[[:blank:]]*private_key_password[[:blank:]=]/s#=.*#= $PASSWORD#g" \
+    -e '/^[[:blank:]]*certificate_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-server.crt#g' \
+    -e '/^[[:blank:]]*private_key_file[[:blank:]=]/s#=.*#= /etc/ssl/private/freeradius-server.key#g' \
+    -e '/^[[:blank:]]*ca_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-ca.crt#g' \
+    ../mods-available/eap
+
+sh ./bootstrap
 
 chmod 644 dh server.crt server.pem ca.pem ca.der
 chmod 640 server.key
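Review bot: The `subjectAltName = @alt_names` line appended by the here-document lands in whichever section happens to be last in xpextensions, so it is not explicitly tied to `xpserver_ext`; if the final section turns out to be `xpclient_ext`, client certificates would carry the server SAN and the server certificate none. Setting it the same way as the other keys in this hunk, `update-ini-file xpextensions xpserver_ext subjectAltName @alt_names`, and keeping the here-document for the `[alt_names]` section only would make the placement explicit (the `grep -q` guard would then key on `^\[alt_names\]` instead). Separately, the passphrase is passed as a command-line argument nine times (the `input_password`/`output_password` calls and the `sed -e "... $PASSWORD"` expression), where it is briefly visible in the process table; since `pwgen -1 16` without `-y` yields only alphanumerics, the interpolation into the sed replacement is safe from `#`, `&` and `\` by construction, which deserves a comment such as `# PASSWORD is alphanumeric (pwgen without -y), so it is safe inside the sed replacement`. The four .cnf files and mods-available/eap now hold the passphrase and the hunk does not show their permissions, so confirm they are not world-readable.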
@@ -157,8 +201,6 @@ fi
 # Cleanup the certs dir.
 make clean
 
-chmod -x bootstrap
-
 # Start the configured freeRADIUS service and give some feedback.
 service freeradius start
 



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/a862d51219925be91ef4e9fcc6cb3db8b4b2c161...036bd8644303aad45182e56cf120f95538879174




