Help with Certificates

Alan DeKok aland at deployingradius.com
Thu Aug 10 10:50:12 CEST 2017


On Aug 10, 2017, at 10:18 AM, Arron Fox <arronf at hotmail.com> wrote:
> 
> I have read many articles, tried various things and am now going round in circles. Is anyone able to point me in the right direction as to which certificate has expired? When I checked them they are valid.

  Where did you get these certificates?  How did you configure them in FreeRADIUS?

> rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389
> TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..

  i.e. it's an *openldap* issue, because the certificates are in the OpenLDAP configuration.

  And if you're getting a "bad database" error, you should likely fix that.  It's often the case that one error will create subsequent ones.  If you only look at the later errors, you won't fix the real cause of the problem.

> TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file.
> TLS: no unlocked certificate for certificate 'E=radius at domainA.co.uk,CN=domainA.dmz.local,OU=Company,O=Radius,L=Newbury,ST=Berkshire,C=GB'.
> TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired..
> TLS: error: connect - force handshake failure: errno 21 - moznss error -8174

  This won't work.  Ever.

  RedHat, etc. provides libldap which links to NSS.  FreeRADIUS uses OpenSSL.  The two just aren't compatible.

  You will need to install a version of libldap which uses OpenSSL.

> TLS: can't connect: TLS error -8174:security library: bad database..
> rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

  These errors are being produced by the OpenLDAP client library.  It doesn't like the certificates.

  As for why... ask the OpenLDAP people.

  Alan DeKok.
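A diagnostic helper, added here and not part of the thread, that checks the two things the reply points at: which TLS library the libldap loaded by rlm_ldap actually links against (NSS versus OpenSSL), and whether the local PEM or the certificate presented by the LDAP server has expired (the "Peer's Certificate has expired" message refers to the server's certificate, not the local radius.pem). It assumes a RedHat-style path for rlm_ldap.so, an OpenSSL 1.1.1 or newer s_client (which supports `-starttls ldap`), and uses the ldap.prom.co.uk:389 host from the log as the default.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the thread or from FreeRADIUS.
# Assumed path: /usr/lib64/freeradius/rlm_ldap.so (RedHat-style layout).

# Classify the TLS backend from ldd-style output read on stdin.
# Prints one of: nss, openssl, gnutls, unknown.  NSS is checked first
# because an NSS-linked libldap also pulls in libssl3.so (NSS's own TLS
# library), which must not be mistaken for OpenSSL's libssl.so.
classify_tls_backend() {
    deps=$(cat)
    case "$deps" in
        *libnss3.so*)   echo nss ;;
        *libssl.so*)    echo openssl ;;
        *libgnutls.so*) echo gnutls ;;
        *)              echo unknown ;;
    esac
}

# Resolve the libldap that rlm_ldap.so loads and report its TLS backend.
# FreeRADIUS itself uses OpenSSL, so anything other than "openssl" here is
# the NSS/OpenSSL mismatch described in the reply.
ldap_tls_backend() {
    rlm_ldap=${1:-/usr/lib64/freeradius/rlm_ldap.so}
    libldap=$(ldd "$rlm_ldap" | awk '/libldap/ { print $3; exit }')
    [ -n "$libldap" ] || { echo "no libldap found via $rlm_ldap" >&2; return 1; }
    ldd "$libldap" | classify_tls_backend
}

# Validity window of the first certificate in a local PEM file.
# -checkend 0 exits non-zero if the certificate is already expired.
pem_validity() {
    openssl x509 -noout -subject -dates -checkend 0 -in "$1"
}

# Validity window of the certificate the LDAP server presents after
# STARTTLS.  Needs OpenSSL 1.1.1+ for -starttls ldap (assumption).
server_cert_validity() {
    hostport=${1:-ldap.prom.co.uk:389}
    openssl s_client -connect "$hostport" -starttls ldap </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates -checkend 0
}

# Usage (run as the user that can read the PEM):
#   . ./ldapcheck.sh
#   ldap_tls_backend; pem_validity /etc/openldap/certs/radius.pem
#   server_cert_validity ldap.prom.co.uk:389
```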