diff -Nrup a/raddb/mods-available/eap b/raddb/mods-available/eap --- a/raddb/mods-available/eap 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/mods-available/eap 2019-04-10 20:51:14.681446581 +0200 @@ -181,8 +181,8 @@ eap { # authenticate via EAP-TLS! This is likely not what you want. # tls-config tls-common { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -218,7 +218,7 @@ eap { # give advice which will work everywhere. Instead, # we give general guidelines. # - certificate_file = ${certdir}/server.pem + certificate_file = ${system_ssldir}/certs/radiusd.pem # Trusted Root CA list # @@ -231,7 +231,7 @@ eap { # In that case, this CA file should contain # *one* CA certificate. # - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that @@ -281,7 +281,7 @@ eap { # # openssl dhparam -out certs/dh 2048 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # If your system doesn't have /dev/urandom, # you will need to create this file, and @@ -326,7 +326,7 @@ eap { # Check if intermediate CAs have been revoked. # check_all_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # Accept an expired Certificate Revocation List # diff -Nrup a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap --- a/raddb/mods-available/inner-eap 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/mods-available/inner-eap 2019-04-10 20:52:52.126006616 +0200 
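Review bot: The new `private_key_file = ${system_ssldir}/private/radiusd.pem` in the @@ -181 hunk points into /etc/pki/tls/private, and the key must be readable by the unprivileged account radiusd runs as, which nothing in the patch addresses; on the distributions that use this layout that directory is commonly root-only, so the packaging that carries this patch has to install the key with group access for the daemon user or the module will fail to load its key. The context lines directly below, `If Private key & Certificate are located in the same file`, no longer describe the defaults, because the key now lives under private/ while the certificate (in the @@ -218 hunk) lives under certs/; the same stale pairing is left in the home_server tls @@ -400 and @@ -413 hunks. `private_key_password =` presumably hands an empty string to the OpenSSL password callback; if the intent is an unencrypted key, commenting the setting out (`# private_key_password =`) says so more clearly than an empty value. The tls-config block continues past the hunk.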
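Review bot: `ca_file = ${system_ssldir}/certs/ca-bundle.crt` in the @@ -231 hunk makes the whole system CA bundle the EAP-TLS trust anchor, while the context lines of this very hunk say the file should contain `*one* CA certificate`; with this default, a client certificate chaining to any public CA would pass chain validation, so the client-authentication decision rests on a far larger set of issuers than a private RADIUS CA. The following context, `OpenSSL will automatically create certificate chains`, suggests the bundle also becomes the source for the chain sent to supplicants, which can make the server handshake much larger than needed. A private CA file under the local directory (`ca_file = ${local_ssldir}/ca.pem`) keeps the original semantics; the same substitution is made in the inner-eap @@ -71, abfab-tls @@ -10 and sites-available/tls @@ -130 hunks, and for the home_server tls @@ -430 hunk and the ldap and rest hunks, where the bundle verifies an outbound server certificate, it is a more defensible default but still deserves a comment noting the difference in meaning.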
@@ -58,8 +58,8 @@ eap inner-eap { # It might work, or it might not. # tls { - private_key_password = whatever - private_key_file = ${certdir}/inner-server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/inner-radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -71,11 +71,11 @@ eap inner-eap { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/inner-server.pem + certificate_file = ${system_ssldir}/private/inner-radiusd.pem # You may want different CAs for inner and outer # certificates. If so, edit this file. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt cipher_list = "DEFAULT" @@ -87,7 +87,7 @@ eap inner-eap { # fragment_size = 1024 # Other needful things - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # CRL and OCSP things go here. See the main "eap" diff -Nrup a/raddb/mods-available/ldap b/raddb/mods-available/ldap --- a/raddb/mods-available/ldap 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/mods-available/ldap 2019-04-10 20:53:59.523394198 +0200 @@ -548,11 +548,11 @@ ldap { # using ldaps (port 636) connections # start_tls = yes -# ca_file = ${certdir}/cacert.pem +# ca_file = ${system_ssldir}/certs/ca-bundle.crt -# ca_path = ${certdir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key +# ca_path = ${local_ssldir} +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.key # random_file = /dev/urandom # Certificate Verification requirements. Can be: diff -Nrup a/raddb/mods-available/rest b/raddb/mods-available/rest --- a/raddb/mods-available/rest 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/mods-available/rest 2019-04-10 20:57:56.045755453 +0200 
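Review bot: `private_key_file = ${system_ssldir}/private/radiusd.key` in the ldap @@ -548 hunk names the server key `radiusd.key`, while the eap @@ -181 and rest @@ -14 hunks point `private_key_file` at `${system_ssldir}/private/radiusd.pem`, so the same key is expected under two different filenames and an installation that ships one will leave the other module without a key. Pick one name and use it everywhere (the abfab-tls @@ -10 hunk also uses `radiusd.key`). Because these lines are commented-out examples here and in rest, the mismatch will only surface when an administrator enables them.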
@@ -14,13 +14,13 @@ rest { # certificate chain validation. # "ca_path" (libcurl option CURLOPT_CAPATH). # Directory holding CA certificates to verify the peer with. -# ca_file = ${certdir}/cacert.pem -# ca_info_file = ${certdir}/cacert_bundle.pem -# ca_path = ${certdir} +# ca_file = ${system_ssldir}/certs/ca-bundle.crt +# ca_info_file = ${system_ssldir}/certs/ca-bundle.crt +# ca_path = ${local_ssldir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key -# private_key_password = "supersecret" +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.pem +# private_key_password = # random_file = /dev/urandom # Server certificate verification requirements. Can be: diff -Nrup a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in --- a/raddb/radiusd.conf.in 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/radiusd.conf.in 2019-04-10 21:00:50.788761973 +0200 @@ -96,8 +96,8 @@ name = radiusd # Location of config and logfiles. confdir = ${raddbdir} modconfdir = ${confdir}/mods-config -certdir = ${confdir}/certs -cadir = ${confdir}/certs +system_ssldir = /etc/pki/tls +local_ssldir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} # Should likely be ${localstatedir}/lib/radiusd diff -Nrup a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls --- a/raddb/sites-available/abfab-tls 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/sites-available/abfab-tls 2019-04-10 21:02:04.022183946 +0200 
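Review bot: Removing `certdir` and `cadir` in the radiusd.conf.in @@ -96 hunk makes any `${certdir}` or `${cadir}` reference that this patch does not rewrite fail to resolve at startup, and only the seven files in this patch are rewritten; configuration carried over from an existing install, or an unchanged section of one of the edited files, would break the same way. Keeping the old names as aliases costs nothing and preserves backward compatibility: add `certdir = ${local_ssldir}` and `cadir = ${local_ssldir}` after the two new lines. `system_ssldir = /etc/pki/tls` is also a distribution-specific path hard-coded into a `.in` template; if the build already substitutes paths into this file, a configure-time value would be the better source for it.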
@@ -10,15 +10,15 @@ listen { proto = tcp tls { - private_key_password = whatever + private_key_password = # Moonshot tends to distribute certs separate from keys - private_key_file = ${certdir}/server.key - certificate_file = ${certdir}/server.pem - ca_file = ${cadir}/ca.pem - dh_file = ${certdir}/dh + private_key_file = ${system_ssldir}/private/radiusd.key + certificate_file = ${system_ssldir}/certs/radiusd.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt + dh_file = ${local_ssldir}/dh fragment_size = 8192 - ca_path = ${cadir} + ca_path = ${local_ssldir} cipher_list = "DEFAULT" cache { diff -Nrup a/raddb/sites-available/tls b/raddb/sites-available/tls --- a/raddb/sites-available/tls 2019-04-10 11:11:23.000000000 +0200 +++ b/raddb/sites-available/tls 2019-04-10 21:05:00.549201381 +0200 @@ -96,8 +96,8 @@ listen { # to refer to the "site1" sub-section of the "tls" section. # tls { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + certificate_file = ${system_ssldir}/certs/radiusd.pem # Accept an expired Certificate Revocation List # @@ -130,7 +130,7 @@ listen { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # # For DH cipher suites to work, you have to @@ -138,7 +138,7 @@ listen { # # openssl dhparam -out certs/dh 1024 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # # If your system doesn't have /dev/urandom, @@ -179,7 +179,7 @@ listen { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will 
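Review bot: The replacement line in the sites-available/tls @@ -96 hunk swaps the `private_key_file` setting for `certificate_file = ${system_ssldir}/certs/radiusd.pem`, so this listener no longer sets a private key at all; every other hunk in the patch keeps `private_key_file` and rewrites `certificate_file` as a separate line, which suggests an editing slip rather than intent. If the block defines `certificate_file` further down, as the module files on this page do, that later line still reads `${certdir}/server.pem` and will not resolve once `certdir` is removed from radiusd.conf.in. The intended line is presumably `private_key_file = ${system_ssldir}/private/radiusd.pem` (or `.key`, whichever name the rest of the patch settles on). The tls block continues outside the hunk.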
@@ -400,8 +400,8 @@ home_server tls { status_check = none tls { - private_key_password = whatever - private_key_file = ${certdir}/client.pem + private_key_password = + private_key_file = ${system_ssldir}/private/client.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -413,7 +413,7 @@ home_server tls { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/client.pem + certificate_file = ${system_ssldir}/certs/client.pem # Trusted Root CA list # @@ -430,7 +430,7 @@ home_server tls { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # # For TLS-PSK, the key should be specified @@ -452,7 +452,7 @@ home_server tls { # # openssl dhparam -out certs/dh 1024 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # @@ -480,7 +480,7 @@ home_server tls { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will