diff -Nrup a/raddb/mods-available/eap b/raddb/mods-available/eap --- a/raddb/mods-available/eap 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/mods-available/eap 2021-06-07 16:31:30.703235343 +0200 @@ -175,8 +175,8 @@ eap { # authenticate via EAP-TLS! This is likely not what you want. # tls-config tls-common { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -212,7 +212,7 @@ eap { # give advice which will work everywhere. Instead, # we give general guidelines. # - certificate_file = ${certdir}/server.pem + certificate_file = ${system_ssldir}/certs/radiusd.pem # Trusted Root CA list # @@ -225,7 +225,7 @@ eap { # In that case, this CA file should contain # *one* CA certificate. # - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that @@ -275,7 +275,7 @@ eap { # For OpenSSL >= 1.1.0, just leave this commented # out, and OpenSSL will do the right thing. # - # dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # If your system doesn't have /dev/urandom, # you will need to create this file, and @@ -320,7 +320,7 @@ eap { # Check if intermediate CAs have been revoked. # check_all_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # OpenSSL does not reload contents of ca_path dir over time. # That means that if check_crl is enabled and CRLs are loaded diff -Nrup a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap --- a/raddb/mods-available/inner-eap 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/mods-available/inner-eap 2021-06-07 16:32:54.449951369 +0200 
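Review bot: The private key path introduced here, `private_key_file = ${system_ssldir}/private/radiusd.pem`, does not match the name this same patch uses for what appears to be the same server key elsewhere: the abfab-tls listeners (@@ -11 and @@ -49) and the ldap example (@@ -569) use `${system_ssldir}/private/radiusd.key`, while the rest example (@@ -14) uses `private/radiusd.pem` again. A deployment that installs one set of files will leave some modules pointing at a key that does not exist, so one name should be chosen (`radiusd.key` seems to be the intent, given the separate `certs/radiusd.pem`) and used in every file. Since `/etc/pki/tls/private` is conventionally root-only, it is also worth confirming that the packaging makes the key readable by the account radiusd runs as; presumably that is handled outside this diff. The enclosing `tls-config tls-common` block continues past the hunk.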
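Review bot: Pointing `ca_file` at `${system_ssldir}/certs/ca-bundle.crt` makes every CA in the system bundle a trust anchor for EAP-TLS client certificates, which is what the comment quoted in the first hunk of this file warns against (`authenticate via EAP-TLS! This is likely not what you want.`): a client certificate issued by any public CA would pass chain validation unless it is further restricted with `check_cert_cn` or `check_cert_issuer`. The same substitution is made for inner-eap (@@ -71), the abfab-tls listeners (@@ -11, @@ -49) and the tls listener (@@ -171). For the server-side blocks the shipped default should stay a dedicated CA, e.g. `ca_file = ${local_ssldir}/ca.pem`, or at minimum the comment above the line should state that the system bundle must be replaced by the site CA before EAP-TLS is enabled. The `tls-config tls-common` block continues past the hunk.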
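Review bot: Uncommenting `dh_file = ${local_ssldir}/dh` contradicts the comment lines directly above it, which still tell the reader to leave the setting commented out on OpenSSL >= 1.1.0; the tls listener (@@ -179) gets the same treatment. If the packaged build targets a current OpenSSL the line should stay commented; if the file is meant to be shipped, the comment needs updating and the generation command documented near the home_server section (`openssl dhparam -out certs/dh 1024`, visible in @@ -527) should not be the template, since a 1024-bit group is below current guidance. A comment such as `# ${local_ssldir}/dh is now loaded at startup; generate it with at least 2048 bits` would tell the administrator what is expected. The enclosing block continues past the hunk.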
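Review bot: With `ca_path = ${local_ssldir}`, trust anchors now come from two places: the system bundle named in `ca_file` and any hash-named certificate OpenSSL finds in `${confdir}/certs`, because `ca_path` is handed to OpenSSL as a verify-location directory and is not only where `check_crl` picks up CRLs (see the comment that follows in the hunk). The same split is made in abfab-tls (@@ -11, @@ -49), the tls listener (@@ -220) and the home_server (@@ -555). A short comment above the line, e.g. `# ca_path is also a trust-anchor directory: keep only CRLs and intended CAs here`, would prevent unintended trust through leftover files in the local certs directory. The enclosing block continues past the hunk.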
@@ -58,8 +58,8 @@ eap inner-eap { # It might work, or it might not. # tls { - private_key_password = whatever - private_key_file = ${certdir}/inner-server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/inner-radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -71,11 +71,11 @@ eap inner-eap { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/inner-server.pem + certificate_file = ${system_ssldir}/private/inner-radiusd.pem # You may want different CAs for inner and outer # certificates. If so, edit this file. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt cipher_list = "DEFAULT" @@ -87,7 +87,7 @@ eap inner-eap { # fragment_size = 1024 # Other needful things - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # CRL and OCSP things go here. See the main "eap" diff -Nrup a/raddb/mods-available/ldap b/raddb/mods-available/ldap --- a/raddb/mods-available/ldap 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/mods-available/ldap 2021-06-07 16:33:58.483497650 +0200 @@ -569,11 +569,11 @@ ldap { # using ldaps (port 636) connections # start_tls = yes -# ca_file = ${certdir}/cacert.pem +# ca_file = ${system_ssldir}/certs/ca-bundle.crt -# ca_path = ${certdir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key +# ca_path = ${local_ssldir} +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.key # random_file = /dev/urandom # Certificate Verification requirements. Can be: diff -Nrup a/raddb/mods-available/rest b/raddb/mods-available/rest --- a/raddb/mods-available/rest 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/mods-available/rest 2021-06-07 16:35:17.600171375 +0200 
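Review bot: `certificate_file = ${system_ssldir}/private/inner-radiusd.pem` reads the inner server certificate from the private-key directory, i.e. the same file that `private_key_file` points to in the previous hunk (@@ -58), whereas the outer eap config in this patch splits them into `certs/radiusd.pem` and `private/radiusd.pem`. A combined PEM is permitted by the comment above the line, but it places the certificate chain in a conventionally root-only directory and makes the inner and outer layouts disagree; `certificate_file = ${system_ssldir}/certs/inner-radiusd.pem` would keep them parallel. If the combined-file layout is intended, the comment should say so, so the packager knows which single file to ship. The enclosing `tls` block continues past the hunk.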
@@ -14,13 +14,13 @@ rest { # certificate chain validation. # "ca_path" (libcurl option CURLOPT_CAPATH). # Directory holding CA certificates to verify the peer with. -# ca_file = ${certdir}/cacert.pem -# ca_info_file = ${certdir}/cacert_bundle.pem -# ca_path = ${certdir} +# ca_file = ${system_ssldir}/certs/ca-bundle.crt +# ca_info_file = ${system_ssldir}/certs/ca-bundle.crt +# ca_path = ${local_ssldir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key -# private_key_password = "supersecret" +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.pem +# private_key_password = # random_file = /dev/urandom # Server certificate verification requirements. Can be: diff -Nrup a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in --- a/raddb/radiusd.conf.in 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/radiusd.conf.in 2021-06-07 16:36:46.788929456 +0200 @@ -96,9 +96,9 @@ name = radiusd # Location of config and logfiles. confdir = ${raddbdir} modconfdir = ${confdir}/mods-config -certdir = ${confdir}/certs -cadir = ${confdir}/certs -run_dir = ${localstatedir}/run/${name} +system_ssldir = /etc/pki/tls +local_ssldir = ${confdir}/certs +run_dir = /run/${name} # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir} diff -Nrup a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls --- a/raddb/sites-available/abfab-tls 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/sites-available/abfab-tls 2021-06-07 16:39:56.488537899 +0200 
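Review bot: The commented example now sets both `ca_file` and `ca_info_file` to the same `${system_ssldir}/certs/ca-bundle.crt`, although the old example names (`cacert.pem` versus `cacert_bundle.pem`) and the comment block above distinguish a single certificate from a bundle used for chain validation. If, as those names suggest, `ca_file` maps to libcurl's issuer-certificate check (CURLOPT_ISSUERCERT) while `ca_info_file` maps to CURLOPT_CAINFO, handing the whole bundle to `ca_file` would not match any real issuer; the example should stay a single certificate, e.g. `# ca_file = ${system_ssldir}/certs/<issuer-cert>.pem` (placeholder name), or be dropped. The `rest {` block continues past the hunk.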
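Review bot: Deleting the `certdir` and `cadir` variables breaks any configuration that still references `${certdir}` or `${cadir}`, including site-local files kept from earlier package versions and any stock file this patch did not touch, since an unresolvable `${...}` reference is, as far as I recall, rejected at startup. Keeping compatibility aliases next to the new names costs nothing: `certdir = ${local_ssldir}` and `cadir = ${local_ssldir}`. A one-line comment such as `# system_ssldir: distro-managed PKI; local_ssldir: RADIUS-specific certs, DH params and CRL hashes` would explain the split, and it is worth confirming that hard-coding `run_dir = /run/${name}` instead of `${localstatedir}/run/${name}` matches the tmpfiles configuration shipped with the package.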
@@ -11,15 +11,15 @@ listen { tls { tls_min_version = "1.2" - private_key_password = whatever + private_key_password = # Moonshot tends to distribute certs separate from keys - private_key_file = ${certdir}/server.key - certificate_file = ${certdir}/server.pem - ca_file = ${cadir}/ca.pem - dh_file = ${certdir}/dh + private_key_file = ${system_ssldir}/private/radiusd.key + certificate_file = ${system_ssldir}/certs/radiusd.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt + dh_file = ${local_ssldir}/dh fragment_size = 8192 - ca_path = ${cadir} + ca_path = ${local_ssldir} cipher_list = "DEFAULT" cache { enable = no @@ -49,15 +49,15 @@ listen { tls { tls_min_version = "1.2" - private_key_password = whatever + private_key_password = # Moonshot tends to distribute certs separate from keys - private_key_file = ${certdir}/server.key - certificate_file = ${certdir}/server.pem - ca_file = ${cadir}/ca.pem - dh_file = ${certdir}/dh + private_key_file = ${system_ssldir}/private/radiusd.key + certificate_file = ${system_ssldir}/certs/radiusd.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt + dh_file = ${local_ssldir}/dh fragment_size = 8192 - ca_path = ${cadir} + ca_path = ${local_ssldir} cipher_list = "DEFAULT" cache { enable = no diff -Nrup a/raddb/sites-available/tls b/raddb/sites-available/tls --- a/raddb/sites-available/tls 2021-05-17 15:01:45.000000000 +0200 +++ b/raddb/sites-available/tls 2021-06-07 16:43:59.728594665 +0200 @@ -137,8 +137,8 @@ listen { # to refer to the "site1" sub-section of the "tls" section. # tls { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + certificate_file = ${system_ssldir}/certs/radiusd.pem # Accept an expired Certificate Revocation List # 
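Review bot: In the tls listener the removed `private_key_file = ${certdir}/server.pem` is replaced by `certificate_file = ${system_ssldir}/certs/radiusd.pem`, so this `tls {` block no longer names a private key at all, unlike the eap (@@ -175) and abfab-tls (@@ -11) blocks, which keep both settings. Presumably this was meant to mirror those: `private_key_password =` followed by `private_key_file = ${system_ssldir}/private/radiusd.pem`. If the stock file already carries a `certificate_file` entry further down (outside this hunk), the new line also duplicates it. The `tls {` block continues past the hunk.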
@@ -171,7 +171,7 @@ listen { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # For DH cipher suites to work in OpenSSL < 1.1.0, # you have to run OpenSSL to create the DH file @@ -179,7 +179,7 @@ listen { # For OpenSSL >= 1.1.0, just leave this commented # out, and OpenSSL will do the right thing. # - # dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # # If your system doesn't have /dev/urandom, @@ -220,7 +220,7 @@ listen { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # OpenSSL does not reload contents of ca_path dir over time. # That means that if check_crl is enabled and CRLs are loaded @@ -475,8 +475,8 @@ home_server tls { # # hostname = "example.com" - private_key_password = whatever - private_key_file = ${certdir}/client.pem + private_key_password = + private_key_file = ${system_ssldir}/private/client.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -488,7 +488,7 @@ home_server tls { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/client.pem + certificate_file = ${system_ssldir}/certs/client.pem # Trusted Root CA list # @@ -505,7 +505,7 @@ home_server tls { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # # For TLS-PSK, the key should be specified @@ -527,7 +527,7 @@ home_server tls { # # openssl dhparam -out certs/dh 1024 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # 
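Review bot: On the `home_server tls` client side, `ca_file = ${system_ssldir}/certs/ca-bundle.crt` means the remote RADIUS/TLS server is accepted if its certificate chains to any CA in the system bundle rather than to the CA the operator actually enrolled it under; unless an issuer or name check such as `check_cert_issuer` (see @@ -555) is also configured, a certificate from any public CA would be trusted for the peer. RadSec peers are commonly enrolled under a private or federation CA, so the shipped example is safer as `ca_file = ${local_ssldir}/ca.pem` with a comment naming the system bundle as the alternative for publicly issued peer certificates. The `home_server tls` block continues past the hunk.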
@@ -555,7 +555,7 @@ home_server tls { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will