
Bug#1010159: marked as done (debian-edu-config: setup-freeradius-server create freeradius-server.crt with subjectAltNames not set)



Your message dated Wed, 27 Sep 2023 08:37:42 +0000
with message-id <E1qlQ3C-00CYbq-Bx@fasolo.debian.org>
and subject line Bug#1010159: fixed in debian-edu-config 2.12.37
has caused the Debian Bug report #1010159,
regarding debian-edu-config: setup-freeradius-server create freeradius-server.crt with subjectAltNames not set
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1010159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010159
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.20
Severity: normal

The debian-edu-config ships a script to set up a freeRadius service on TJENER. This script uses a script from bin:pkg freeradius named /usr/share/doc/freeradius/examples/certs/bootstrap

Starting with Android 11 QPR1, we must provide certificates that have a valid "domain" set. For this domain, the CN of the freeradius-server.crt file gets used (or any other value in subjectAltnames).

During the bootstrap script execution a server.csr file gets created with proper subjectAltNames extension support, but this gets lost when the CA signs this .csr file. The resulting .crt file won't have subjectAltnames support and commonName will also be set to "Debian Edu freeRADIUS Server Certificate".

I have now modified the openssl .cnf files in TJENER's /etc/freeradius/3.0/certs/ in this way:

```
diff --git a/freeradius/3.0/certs/server.cnf b/freeradius/3.0/certs/server.cnf
index 271ace9..3898944 100644
--- a/freeradius/3.0/certs/server.cnf
+++ b/freeradius/3.0/certs/server.cnf
@@ -51,7 +51,7 @@ stateOrProvinceName   = Radius
 localityName           = Somewhere
 organizationName       = Debian Edu
 emailAddress           = postmaster@postoffice.intern
-commonName             = "Debian Edu freeRADIUS Server Certificate"
+commonName             = freeradius.intern

 [ v3_req ]
 basicConstraints = CA:FALSE
```
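Review bot: the new commonName is the literal hostname freeradius.intern, and the same literal appears again as DNS.1 in the xpextensions change; the two must always agree, so consider having setup-freeradius-server derive both from one variable rather than editing two example values by hand (the changelog entry closing this bug mentions update-ini-file and more precise sed substitutions, which fit that).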

```
diff --git a/freeradius/3.0/certs/xpextensions b/freeradius/3.0/certs/xpextensions
index 70d229c..2529a45 100644
--- a/freeradius/3.0/certs/xpextensions
+++ b/freeradius/3.0/certs/xpextensions
@@ -73,3 +73,15 @@ certificatePolicies     = 1.3.6.1.4.1.40808.1.3.2
 #  to generate these certs.
 #
 # 1.3.6.1.4.1.311.17.2
+
+subjectAltName = @alt_names
+
+#  This should be a host name of the RADIUS server.
+#  Note that the host name is exchanged in EAP *before*
+#  the user machine has network access.  So the host name
+#  here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
```
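Review bot: the comment kept above [alt_names] ("the host name here doesn't really have to match anything in DNS") contradicts the reason for the change given in the report, where Android 11 QPR1 requires the certificate's domain to match what the client is configured to verify; reword it to say that DNS.1 must be the domain the supplicants check and must stay in sync with commonName in server.cnf. The hunk context does not show which section of xpextensions the subjectAltName line lands in, so confirm it is the section applied to the server certificate, and add a comment explaining why the NAIRealm otherName uses the wildcard *.intern so the value reads as deliberate rather than copied from an example.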

When now recreating the server.key, server.csr and server.crt files, they have the subjectAltNames extension support in the .crt file and the domain is set to "freeradius.intern".

I still need to get customer feedback if the new certificates work as expected on recent Android 11 devices.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



--- End Message ---
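The failure the report describes (a CSR that requests a subjectAltName which the CA signing step silently drops) and the check an admin should run on the regenerated certificate, as an added shell example that is not part of the bug report or of debian-edu-config. It assumes openssl 1.1.1 or later on PATH, uses a constructed throw-away CA, the hostname freeradius.intern from the report, and constructed file names (alt.cnf, dropped.crt, fixed.crt).

```shell
#!/bin/sh
# Added example, not from the bug report: show that extensions requested in a
# CSR are dropped unless the signing step is given them, then check the result
# the way an admin should before deploying it to FreeRADIUS.
set -eu
HOST=freeradius.intern      # hostname from the report (assumed to match client config)
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# san_ok CERT HOST: succeed only if CERT carries DNS:HOST in its subjectAltName
san_ok() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}
# cn_of CERT: print the subject commonName (empty if none)
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# constructed throw-away CA standing in for the Debian Edu CA (1-day validity)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
# extension file in the shape of the xpextensions change (DNS entry only)
cat > alt.cnf <<EOF
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
EOF
# CSR that already requests the SAN, like the server.csr in the report
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -keyout server.key -out server.csr 2>/dev/null
# 1) sign without passing extensions: openssl x509 does not copy them from the CSR
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out dropped.crt 2>/dev/null
# 2) sign with the extension file: the SAN ends up in the certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile alt.cnf -out fixed.crt 2>/dev/null

for c in dropped.crt fixed.crt; do
    if san_ok "$c" "$HOST"; then
        echo "$c: CN=$(cn_of "$c"), SAN has DNS:$HOST"
    else
        echo "$c: CN=$(cn_of "$c"), SAN missing (fails the Android 11 QPR1 domain check)"
    fi
done
```

Run san_ok against the real /etc/freeradius/3.0/certs/server.crt after regenerating it to confirm the fix took effect.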
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.37
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010159@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 27 Sep 2023 09:57:06 +0200
Source: debian-edu-config
Architecture: source
Version: 2.12.37
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1003192 1003728 1010159
Changes:
 debian-edu-config (2.12.37) unstable; urgency=medium
 .
   [ Guido Berhoerster ]
   * Discard excessive nullmailer logging.
     Filter out log messages coming from a client running nullmailer since it is
     very verbose and can easily fill up the filesystem under /var/log.
     (Closes: #1003728).
   * ldap-createuser-krb5: fix password prompt.
   * Disable cfengine3 systemd service.
     Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
     pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
     instead.
   * Rewrite testsuite/filesystems, add exception for /boot
     Rewrite for clarity and robustness. Add exception for /boot which may use
     ext2.
   * testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
     The -h command line option has been removed, ldapsearch now only accepts a
     LDAP URI via the -H option.
     Also do not use the deprecated egrep and get rid of unnecessary wc.
     Use dig and awk instead of host and interpret the SRV record properly.
   * testsuite/ldap-client: Improve error message on PAM modules.
   * Fix remaining invocations of ldapsearch.
   * Disable using the LDAP PAM module (we use pam_krb5.so instead).
   * setup-freeradius-server: Set commonName and subjectAltNames on the server
     cert.
     (Closes: #1010159).
   * setup-freeradius-server: Improve robustness
     Use update-ini-file for OpenSSL config files.
     Use more precise sed substitutions which do not rely on example values.
     Increase password length from 8 to 16 characters.
   * Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
     With this change local user accounts now use the UID/GID range 1000-1999
     instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
     1000-59999.  This is to reserve UID/GID 0-999 for system users which is the
     default in Debian and not conforming to it is increasingly problematic as
     packages are beginning to use systemd-sysusers for creating system user
     accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.
     The first user account created during installation now has UID/GID 2000 instead
     of 1000.
     Configure gosa and adjust ldap-createuser-krb5 accordingly.


--- End Message ---