Freeradius not taking new ACME certificate

Gertjan

@mkcharlie said in Freeradius not taking new ACME certificate:

why: our client devices have been configured to only accept PEAP certificates of trusted providers.

I think there is a solution.

First : Check "Write Certificates" here :

so from now on, the latest, renewed certificates and other files will be available in /cf/conf/acme/
For me, this is the case : I found 5 files :

[23.01-RELEASE][root@pfSense.near.by]/usr/local/etc/raddb/certs: ls -al /cf/conf/acme/
total 68
drwxr-xr-x  2 root  wheel     7 Jan 18 18:49 .
drwxr-xr-x  5 root  wheel    35 Apr 27 14:43 ..
-rw-r--r--  1 root  wheel  7309 Feb 27 15:09 V2_near.by.all.pem
-rw-r--r--  1 root  wheel  1826 Feb 27 15:09 V2_near.by.ca
-rw-r--r--  1 root  wheel  2236 Feb 27 15:09 V2_near.by.crt
-rw-r--r--  1 root  wheel  4062 Feb 27 15:09 V2_near.by.fullchain
-rw-r--r--  1 root  wheel  3247 Feb 27 15:09 V2_near.by.key

Next thing to find out : where are the certificate files that Freeradius needs (selected in the GUI) :
They are here :

[23.01-RELEASE][root@pfSense.near.by]/usr/local/etc/raddb/certs: ls -al
total 89
drwxr-xr-x   2 root  wheel    17 Feb 17 08:38 .
drwxr-xr-x  10 root  wheel    23 Feb 17 08:38 ..
-rw-r--r--   1 root  wheel  4559 Feb 17 08:38 01.pem
-rw-r--r--   1 root  wheel  4408 Feb 17 08:38 02.pem
-rw-r-----   1 root  wheel  6465 Feb 17 08:38 Makefile
-rw-r-----   1 root  wheel  8010 Feb 17 08:38 README.md
-rwxr-x---   1 root  wheel  2798 Feb 17 08:38 bootstrap
-rw-r--r--   1 root  wheel   478 Feb 17 08:38 ca.crl
-rw-r--r--   1 root  wheel  1680 Apr 27 14:43 ca_cert.pem
-rw-r--r--   1 root  wheel  1704 Apr 27 14:43 ca_key.pem
-rw-r--r--   1 root  wheel   424 Feb 17 08:38 dh
-rw-r--r--   1 root  wheel   166 Feb 17 08:38 passwords.mk
-rw-r--r--   1 root  wheel  3503 Apr 27 14:43 server_cert.pem
-rw-r--r--   1 root  wheel  1704 Apr 27 14:43 server_key.pem
-rw-r-----   1 root  wheel  2581 Feb 17 08:38 user@example.org.p12
-rw-r-----   1 root  wheel  3687 Feb 17 08:38 user@example.org.pem
-rw-r-----   1 root  wheel  3046 Feb 17 08:38 xpextensions

Important are :
server_key.pem
server_cert.pem
ca_cert.pem

I know this because I looked here : /usr/local/etc/ raddb/mods-enabled/eap (remember : opensource : you have the manual of everything)

Now, 'all' you have to do is, write a shell script called /root/kick-radiusd.sh - and put this '/root/kick-radiusd.sh' on the list with action to execute when a certificate renewal has taken place :

Here we go :

#!/usr/local/bin/bash
cp -f /cf/conf/acme/V2_near.by.key /usr/local/etc/raddb/certs/server_key.pem
cp -f /cf/conf/acme/V2_near.by.crt /usr/local/etc/raddb/certs/server_cert.pem
cp -f /cf/conf/acme/V2_near.by.ca /usr/local/etc/raddb/certs/ca_cert.pem
service radiusd stop
service radiusd onestart

Add a

chmod +x /root/kick-radiusd.sh

for good manners.

Before you start/use this script, I advise you to compare the source and destination of the 3 files : they should be the same, right now, because you assigned them already to Freeradius.

The idea is easy to understand :
When a cert change (renewal) happens, the new crt/key/ca files are dispo.
The scripts copies them over.
Restart radius
Done ;)

Btw : please, even if you think it works : test !
I've executed the script myself, and found freeradius was running ... and authentication continued ...
But I've not the same 'eap' file settings as you (I think).

Your friends are :
/var/log/radius.log
and the command radsniff

johnpoz

@gertjan isn't this already like a documented thing to have to do when you change the certs, I have this for my haproxy for example when the certs using there get updated by acme

Gertjan

@johnpoz said in Freeradius not taking new ACME certificate:

haproxy

Can't tell, as I don't have / use haproxy.
The radius(.sh) process control file does only wha it paid to do : start stop retart the process. It presumes all config files are fine.

That why I added the 3 copy lines.

mkcharlie

@gertjan
Thanks, I was trying that and suddenly I thought about your comment of having the manual of everything.

So I looked at https://github.com/pfsense/FreeBSD-ports/blob/3c5dd718f5947beffa173aa72c3f72478af9fbea/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc and thought of simply running the freeradius_settings_resync() command. It's there, and it's probably doing what you say but potentially more future-proof and more complete.

So I now have set up the following:

Seems to work at first sight, but still, proof of the pudding will be in the eating. What do you think?

Gertjan

@mkcharlie

I was looking at that function, with the same thoughts.
I decided to 'copy' because nothing has to be changed realy, just the content of the 3 cert files had to get updated with the new content.

Your solution looks more 'clean', I agree.

mkcharlie

@Gertjan seems 23.01 changed behind the scenes. The above was crashing. I had to remove the 'exec' keyword since it threw an error

[29-May-2023 03:16:38 Europe/Brussels] PHP Fatal error:  Uncaught Error: Undefined constant "exec" in /usr/local/pkg/acme/acme_command.sh(61) : eval()'d code:1

Without the exec keyword, it seems to work fine. I have no idea what changed. Let's hope it keeps on working after upgrading to 23.05.

Gertjan

@mkcharlie said in Freeradius not taking new ACME certificate:

I had to remove the 'exec' keyword since it threw an error

Remove from where ?
Here :

?

The error says that the PHP eval function, while evaluation (== executing) discoverer a non valid PHP instruction : 'exec' : it bailed out.

mkcharlie

@Gertjan said in Freeradius not taking new ACME certificate:

@mkcharlie said in Freeradius not taking new ACME certificate:

I had to remove the 'exec' keyword since it threw an error

Remove from where ?
Here :

?

The error says that the PHP eval function, while evaluation (== executing) discoverer a non valid PHP instruction : 'exec' : it bailed out.

Correct, there.
So I suppose the execute function is now built in the acme, so you do not have to specify it.

Gertjan

@mkcharlie said in Freeradius not taking new ACME certificate:

So I suppose the execute function is now built in the acme, so you do not have to specify it.

It works like this :
Line 61 becomes :
eval ("require_once('/usr/local/pkg/freeradius.inc'); freeradius_settings_rysync();");

"exec" is not a recognized PHP command : so => error.

The issue was not acme related, but your own PHP 'mini' script

abhamit533

There’s nothing more expensive about providing a wildcard.

But, if they were the same price nobody would buy a single domain certificate, because it would be simpler and as cheap to buy the wildcard.

People who provide certificates have invested time and money to be in that club. Therefore they want to get back as much as they can from selling them. People are willing to pay more for wildcards so they are charged more. It’s just ordinary economics.