Description: Use snakeoil certificates.
Author: Michael Stapelberg
Last-Updated: 2016-09-16
Forwarded: not-needed
---
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -176,7 +176,7 @@
 #
 tls-config tls-common {
 private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # If Private key & Certificate are located in
 # the same file, then private_key_file &
@@ -212,7 +212,7 @@
 # give advice which will work everywhere. Instead,
 # we give general guidelines.
 #
- certificate_file = ${certdir}/server.pem
+ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 # Trusted Root CA list
 #
@@ -225,7 +225,7 @@
 # In that case, this CA file should contain
 # *one* CA certificate.
 #
- ca_file = ${cadir}/ca.pem
+ ca_file = /etc/ssl/certs/ca-certificates.crt
 # OpenSSL will automatically create certificate chains,
 # unless we tell it to not do that. The problem is that
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -59,7 +59,7 @@
 #
 tls {
 private_key_password = whatever
- private_key_file = ${certdir}/inner-server.pem
+ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # If Private key & Certificate are located in
 # the same file, then private_key_file &
@@ -71,11 +71,11 @@
 # only the server certificate, but ALSO all
 # of the CA certificates used to sign the
 # server certificate.
- certificate_file = ${certdir}/inner-server.pem
+ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 # You may want different CAs for inner and outer
 # certificates. If so, edit this file.
- ca_file = ${cadir}/ca.pem
+ ca_file = /etc/ssl/certs/ca-certificates.crt
 cipher_list = "DEFAULT"
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
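Review bot: The new `private_key_file` under `/etc/ssl/private/` in the `tls-config tls-common` hunk of mods-available/eap lives in a directory that is not world-readable on a stock Debian system, so the daemon will fail to load the key unless the packaging adds the service user to the group owning that directory, and nothing in this patch records that dependency. The ssl-cert snakeoil pair is also self-signed, so any supplicant that validates the server certificate will reject it until the administrator installs a CA-issued one, which the one-line Description does not say; the retained context line `private_key_password = whatever` presumably no longer applies either, since the snakeoil key is distributed unencrypted. Consider extending the Description with `The snakeoil certificate is self-signed and intended only to let the server start; replace it with a CA-issued certificate and ensure the daemon user can read /etc/ssl/private.` The same key/certificate substitution is made in the inner-eap `@@ -59,7` and `@@ -71,11` hunks, the abfab-tls hunk, and the sites-available/tls `@@ -161,7`, `@@ -177,7`, `@@ -551,7` and `@@ -563,7` hunks.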
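Review bot: Pointing `ca_file` at `/etc/ssl/certs/ca-certificates.crt` in the mods-available/eap `@@ -225,7` hunk makes the whole system CA bundle the trust-anchor set for client certificates, and the context of the sites-available/tls `@@ -194,7` hunk states that this item is what permits EAP-TLS client-certificate authentication. A client certificate issued by any public CA in that bundle would then pass the chain-verification step, with only the remaining per-certificate checks left to restrict access, whereas the upstream default and the surrounding comment (`this CA file should contain *one* CA certificate`) call for a single private CA. If the goal is only to let the server start without the certs/ bootstrap, that should be stated and a narrower default preferred; at minimum add above the line `# Debian default: replace with the CA that issues your client certificates; the system bundle trusts every public CA.` The same replacement appears in the inner-eap `@@ -71,11`, abfab-tls `@@ -14,9`, and sites-available/tls `@@ -194,7` and `@@ -580,7` hunks.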
@@ -14,9 +14,9 @@
 private_key_password = whatever
 # Moonshot tends to distribute certs separate from keys
- private_key_file = ${certdir}/server.key
- certificate_file = ${certdir}/server.pem
- ca_file = ${cadir}/ca.pem
+ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ ca_file = /etc/ssl/certs/ca-certificates.crt
 dh_file = ${certdir}/dh
 fragment_size = 8192
 ca_path = ${cadir}
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -161,7 +161,7 @@
 #
 tls {
 private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # Accept an expired Certificate Revocation List
 #
@@ -177,7 +177,7 @@
 # only the server certificate, but ALSO all
 # of the CA certificates used to sign the
 # server certificate.
- certificate_file = ${certdir}/server.pem
+ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 # Trusted Root CA list
 #
@@ -194,7 +194,7 @@
 # not use client certificates, and you do not want
 # to permit EAP-TLS authentication, then delete
 # this configuration item.
- ca_file = ${cadir}/ca.pem
+ ca_file = /etc/ssl/certs/ca-certificates.crt
 # For DH cipher suites to work in OpenSSL < 1.1.0,
 # you have to run OpenSSL to create the DH file
@@ -551,7 +551,7 @@
 # hostname = "example.com"
 private_key_password = whatever
- private_key_file = ${certdir}/client.pem
+ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # If Private key & Certificate are located in
 # the same file, then private_key_file &
@@ -563,7 +563,7 @@
 # only the server certificate, but ALSO all
 # of the CA certificates used to sign the
 # server certificate.
- certificate_file = ${certdir}/client.pem
+ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 # Trusted Root CA list
 #
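Review bot: In the abfab-tls `@@ -14,9` hunk the context lines `dh_file = ${certdir}/dh` and `ca_path = ${cadir}` are left untouched while the three changed keys move to the system paths, so this listener still depends on the generated certs/ directory being populated and presumably ends up trusting the union of `${cadir}` and the system bundle. If the patch is meant to remove the dependency on the bootstrapped certificate directory it does not achieve that here, and having two trust-store sources makes the effective CA set harder to audit. Either move `dh_file` to a packaged location alongside the snakeoil files, or add a note such as `# ${certdir} must still be bootstrapped for dh_file` and consider dropping `ca_path` so the trust anchors are defined in one place. The enclosing `tls {` block starts before this hunk.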
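Review bot: The sites-available/tls `@@ -551,7` hunk sits in the outbound (home_server) block, as the retained `# hostname = "example.com"` context suggests, and it now presents the same self-signed snakeoil key and certificate that the listener uses as its server identity; a self-signed certificate cannot be verified by a remote RadSec peer's CA list without an explicit out-of-band import, so this default will not work against any real peer. Because the upstream value was a distinct `client.pem`, a reader may assume a client certificate is still in use, so a comment above the new line would help: `# Debian default only: replace with a client certificate the remote RadSec peer trusts.` The same applies to the `certificate_file` line in the `@@ -563,7` hunk; the enclosing `tls {` block starts before both hunks.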
@@ -580,7 +580,7 @@
 # not use client certificates, and you do not want
 # to permit EAP-TLS authentication, then delete
 # this configuration item.
- ca_file = ${cadir}/ca.pem
+ ca_file = /etc/ssl/certs/ca-certificates.crt
 #
 # Before version 3.2.1, outbound RadSec connections