path: root/debian/patches/snakeoil-certs.diff
Description: Use snakeoil certificates.
Author: Michael Stapelberg <stapelberg@debian.org>
Last-Updated: 2016-09-16
Forwarded: not-needed

---

--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -176,7 +176,7 @@
 	#
 	tls-config tls-common {
 		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -212,7 +212,7 @@
 		#  give advice which will work everywhere.  Instead,
 		#  we give general guidelines.
 		#
-		certificate_file = ${certdir}/server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -225,7 +225,7 @@
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		#
 		#  Directory where multiple CAs are stored.  Both
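Review bot: `ca_file = /etc/ssl/certs/ca-certificates.crt` makes the whole system CA bundle the trust anchor for this TLS block, which contradicts the context comment just above it saying the file should contain *one* CA certificate. If EAP-TLS stays enabled, a client certificate chaining to any public CA in the bundle would pass chain validation, so authentication would rest entirely on later policy checks. The same assignment is made in inner-eap, abfab-tls and both `ca_file` hunks of sites-available/tls, where the context comment advises deleting the item when client certificates are not used. I would ship it commented out if the module starts without it, e.g. `#ca_file = /path/to/your-private-ca.pem` preceded by `#  Set this to the single private CA that issues your client certificates; do not use the system bundle.` The enclosing block starts and ends outside the hunk.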
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -59,7 +59,7 @@
 	#
 	tls {
 		private_key_password = whatever
-		private_key_file = ${certdir}/inner-server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -71,11 +71,11 @@
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/inner-server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  You may want different CAs for inner and outer
 		#  certificates.  If so, edit this file.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		cipher_list = "DEFAULT"
 
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -14,9 +14,9 @@
 		private_key_password = whatever
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 		dh_file = ${certdir}/dh
 		fragment_size = 8192
 		ca_path = ${cadir}
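Review bot: `ca_path = ${cadir}` and `dh_file = ${certdir}/dh` at the end of this hunk still use the `${cadir}`/`${certdir}` locations while the three lines above were moved to /etc/ssl, so the trust configuration for this listener is split across two places. With both set, the accepted CAs are presumably the union of the system bundle and whatever is in `${cadir}`, which is harder to audit than a single source. I would either keep `ca_file` and `ca_path` on one private location or add a comment such as `# trust = system bundle (ca_file) + ${cadir} (ca_path); narrow this to your federation CA`. The enclosing tls block starts and ends outside the hunk.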
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -161,7 +161,7 @@
 	#
 	tls {
 		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		# Accept an expired Certificate Revocation List
 		#
@@ -177,7 +177,7 @@
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/server.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -194,7 +194,7 @@
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		#  For DH cipher suites to work in OpenSSL < 1.1.0,
 		#  you have to run OpenSSL to create the DH file
@@ -551,7 +551,7 @@
 	#	hostname = "example.com"
 
 		private_key_password = whatever
-		private_key_file = ${certdir}/client.pem
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -563,7 +563,7 @@
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/client.pem
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 		#  Trusted Root CA list
 		#
@@ -580,7 +580,7 @@
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
 		#
 		#  Before version 3.2.1, outbound RadSec connections