[defect]: Broken upgrade path from 3.2.1-1 to 3.2.5-1 or 3.2.6-1

[bmcjarrow]

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

• Setup your own repository or ones provided by the project owners:
  yum --showduplicates search freeradius
• Now start the first install of version 3.2.1-1:
  yum install freeradius-utils-3.2.1-1.el8.x86_64 freeradius-config-3.2.1-1.el8.x86_64 freeradius-3.2.1-1.el8.x86_64
• Run the radiusd using standard configs:
  runuser -u radiusd -- /usr/sbin/radiusd -d /etc/raddb -X -x
• Server should start normally:
• Now upgrade to the next version 3.2.3-2:
  yum install freeradius-utils-3.2.3-2.el8.x86_64 freeradius-config-3.2.3-2.el8.x86_64 freeradius-3.2.3-2.el8.x86_64
• Immediately afterwards run the radiusd
  runuser -u radiusd -- /usr/sbin/radiusd -d /etc/raddb -X -x
• Server should start normally:
• Now upgrade to the next version 3.2.5-1 or 3.2.6-1:
  yum install freeradius-utils-3.2.5-1.el8.x86_64 freeradius-config-3.2.5-1.el8.x86_64 freeradius-3.2.5-1.el8.x86_64 RPM/perl-* #(local Perl dependencies:- perl-Sub-Uplevel-0.2800-4.el8.noarch.rpm perl-Test-Exception-0.43-7.el8.noarch.rpm) or yum install freeradius-utils-3.2.6-1.el8.x86_64 freeradius-config-3.2.6-1.el8.x86_64 freeradius-3.2.6-1.el8.x86_64
• Immediately afterwards run the radiusd
  runuser -u radiusd -- /usr/sbin/radiusd -d /etc/raddb -X -x

The 3.2.5-1 and 3.2.6-1 packages seem to remove the contents from /etc/raddb/certs when they should remain untouched (noreplace)

Log output from the FreeRADIUS daemon

Common output from both versions:
Wed Oct 23 18:47:43 2024 : Debug:    tls-config tls-common {
Wed Oct 23 18:47:43 2024 : Debug:       verify_depth = 0
Wed Oct 23 18:47:43 2024 : Debug:       ca_path = "/etc/raddb/certs"
Wed Oct 23 18:47:43 2024 : Debug:       pem_file_type = yes
Wed Oct 23 18:47:43 2024 : Debug:       private_key_file = "/etc/raddb/certs/server.pem"
Wed Oct 23 18:47:43 2024 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Oct 23 18:47:43 2024 : Error: /etc/raddb/mods-enabled/eap[199]: Failed parsing configuration item "private_key_file"
Wed Oct 23 18:47:43 2024 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Oct 23 18:47:43 2024 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Oct 23 18:47:43 2024 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

[bmcjarrow]

Further testing has highlighted the following issue on the 3.2.x releases:

• Defect only exists if upgrading from 3.2.3-2 or earlier to any later release starting from 3.2.4-1.
• Defect does not exist if upgrading from 3.2.4-1 or later fresh install to a later release.

Possibly related to redhat/freeradius.spec attribute changes for the certs between 3.2.3-2 and 3.2.4-1, run a diff to see.

[bmcjarrow]

The older packages contained the self generated certificates samples which allowed the defaults to work (eap).
From 3.2.4-1 these sample certs are not stored in or copied to the certs folder.
The work around is to either run the bootstrap script or provide your own certs:
What is puzzling is that the folder is overwritten regardless if the certs exist?

[bmcjarrow]

Updates from 3.2.4-1 and later work fine.
Closing bug as there is a work around.