On Feb 11, 2019, at 9:01 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
But when I transpose this into the rlm_rest config like this:
rest { tls { ca_file = ${confdir}/mods-config/rest/trustroot.pem check_cert = "yes" # doesn't work regardless if check_cert_cn is yes or no
That should work, I think.
[...]
Then I get an error message during FreeRADIUS' cert validation phase: ... (15) rest: ERROR: Request failed: 83 - Issuer check against peer certificate failed
That error is from libcurl, which we use to do the whole HTTP thing: https://curl.haxx.se/libcurl/c/libcurl-errors.html#CURLESSLISSUERERROR
(15) rest: ERROR: Server returned no data rlm_rest (rest): Released connection (0)
I don't really know what to make of "Issuer check against peer certificate failed". The root appears to be recognised, and the intermedaite chain is the expected one. So what would be failing here?
https://curl.haxx.se/libcurl/c/CURLOPT_ISSUERCERT.html Which says:
A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option, which is returned if the setup of the SSL/TLS session has failed due to a mismatch with the issuer of peer certificate (CURLOPT_SSL_VERIFYPEER has to be set too for the check to fail).
So rlm_rest says "please check issuer certificate", and libcurl says "failed to validate peer". Maybe libcurl is expecting the peer cert to be signed by the CA? And instead it's signed by an intermediary CA? Try using the issuing CA instead of the root CA. Alan DeKok.