On 12/4/24 08:03, orion@nwra.com wrote:
Hello,
We setup OCSP validation on our FreeRADIUS servers a while back and it had been working great until yesterday when we started seeing errors like:
Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Alert write:fatal:internal error Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Server : Error in error Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Failed reading from OpenSSL Dec 03 14:03:09 radiusd[109894]: (437) Login incorrect (eap_tls: ocsp: Couldn't get OCSP response): [HOSTNAME]
We discovered some errors on our Windows OCSP responders due to configuration certificates expiring and resolved that.
However, even after that Windows machines are unable to authenticate. Running in debug mode we see:
 Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [0] subject name / CN=staff01.ad.nwra.com (14) eap_tls: Starting OCSP Request (14) eap_tls: WARNING: (TLS) ocsp: No OCSP URL in certificate, falling back to configured URL (14) eap_tls: ocsp: Using responder URL "http://ocsp.ad.nwra.com:80/ocsp/" (14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response (14) eap_tls: ERROR: (TLS) ocsp: Certificate has been expired/revoked (14) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (14) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (14) eap_tls: ERROR: (TLS) Server : Error in error (14) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (14) eap_tls: ERROR: (TLS) error:13800070:OCSP routines::root ca not trusted (14) eap_tls: ERROR: (TLS) error:0A000086:SSL routines::certificate verify failed (14) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (14) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (14) eap_tls: ERROR: [eaptls process] = fail (14) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
We have 3 certificates in the FreeRADIUS ca_file configuration - an AD CA cert that is expiring in about 18 months, a new AD CA cert that was issued in October, and an IPA CA cert - and that's been the case since the new AD CA cert was issued. That should cover all of the certificates issued internally, so I don't see why radiusd is complaining about an untrusted cert.
Running openssl ocsp checks against the Windows ocsp responders work fine.
I think it is just having trouble with ocsp checks of certs issued by the older AD CA cert. Here is a successful check of an IPA issued cert: Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /O=NWRA.COM/CN=Certificate Authority (TLS) untrusted certificate with depth [0] subject name /O=NWRA.COM/CN=FQDN (6) eap_tls: Starting OCSP Request (6) eap_tls: ocsp: Using responder URL "http://ipa-ca.nwra.com:80/ca/ocsp" This Update: Dec 4 15:50:19 2024 GMT (6) eap_tls: ocsp: Cert status: good (6) eap_tls: ocsp: Certificate is valid It also has the message about untrusted certs (although it also mentions the CA cert - so maybe the windows clients don't provide it?), so that does not seem particularly relevant. I guess the key then is: (14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response But why? openssl doesn't complain: $ openssl ocsp -issuer /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt -cert orionad.crt -url http://ocsp.ad.nwra.com/ocsp Response verify OK orionad.crt: good This Update: Dec 3 17:50:03 2024 GMT Next Update: Dec 5 06:10:03 2024 GMT -- Orion Poplawski he/him/his - surely the least important thing about me IT Systems Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 https://www.nwra.com/