> I've configured mods-enabled/eap using a private_key_password with a length of 20 characters.
> Starting in debug mode I get error messages:
> tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4-test.nsc.no.pem"
> tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
> tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> rlm_eap_tls: Failed initializing SSL context
> rlm_eap (EAP): Failed to initialise rlm_eap_tls
> /etc/raddb/mods-enabled/eap: Instantiation failed for module "eap"
Weird. There is no limit on the length of the private_key_password.
Are there special characters in it? You might need to quote the password, and escape things. i.e. instead of:
    private_key_password = abcd'def

    private_key_password = "abc'def"
> If I comment out the private_key_password statement I'm prompted for the password instead:
> Enter PEM pass phrase:
> Using the same password as specified in private_key_password the startup seems to start ok.
> Any suggestions?
We just read the password from the configuration file and pass it to OpenSSL. There's very little processing done by us.
Used KeePass to store the passphrase and managed to use autotype to enter the passphrase when generating keys. This added some spaces in front of the passphrase itself without me noticing it.
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+per.weisteen=[hidden email]> On Behalf Of Alan DeKok
> Sent: 23. august 2020 22:49
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: Error starting radiusd when specifying private_key_password
> On Aug 23, 2020, at 3:49 PM, [hidden email] wrote:
> > No special characters, just upper/lower case and numbers. Tried with quotes though but that didn't work any better.
> That's not good.
> > Could I increase debug level and get some more details on the error ?
> Not really. We just take the password from the configuration file, and pass
> it directly to OpenSSL. There's really very little which can go wrong here.
> Alan DeKok.
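
The cause reported at the end of the thread (a passphrase entered with leading spaces when the key was generated) can be confirmed outside radiusd by asking OpenSSL to open the key directly. The script below is an added example, not part of the original messages or of FreeRADIUS; the function names, and the idea of passing the password manager's raw output as a third argument, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: test which passphrase really opens an encrypted PEM key and
# flag the case where only a whitespace-padded variant works.

TAB=$(printf '\t')

# key_opens_with KEYFILE PASSPHRASE -> exit 0 if OpenSSL can decrypt the key.
# The passphrase is handed over via the environment, not the command line,
# so it does not show up in the process list.
key_opens_with() {
    KEYPW="$2" openssl pkey -in "$1" -passin env:KEYPW -noout >/dev/null 2>&1
}

# has_edge_whitespace STRING -> exit 0 if STRING starts or ends with space/tab.
has_edge_whitespace() {
    case "$1" in
        " "*|*" "|"$TAB"*|*"$TAB") return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose_passphrase KEYFILE CONFIGURED STORED
#   CONFIGURED: the value given as private_key_password in mods-enabled/eap
#   STORED:     the raw string the password manager emits (hypothetical input)
# Prints one verdict: ok | whitespace-mismatch | mismatch
diagnose_passphrase() {
    if key_opens_with "$1" "$2"; then
        echo ok
    elif has_edge_whitespace "$3" && key_opens_with "$1" "$3"; then
        echo whitespace-mismatch
    else
        echo mismatch
    fi
}

# Stand-alone use: sh check.sh KEYFILE CONFIGURED STORED
if [ "$#" -eq 3 ]; then
    diagnose_passphrase "$@"
fi
```

A `whitespace-mismatch` verdict means the key was encrypted with the padded string; re-encrypting the key with the intended passphrase removes the mismatch.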