On 12/4/24 10:40, Alan DeKok wrote:
On Dec 4, 2024, at 11:53 AM, Orion Poplawski <orion@nwra.com> wrote:
I think it is just having trouble with ocsp checks of certs issued by the older AD CA cert. Here is a successful check of an IPA issued cert: .. It also has the message about untrusted certs (although it also mentions the CA cert - so maybe the windows clients don't provide it?), so that does not seem particularly relevant. I guess the key then is:
(14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response
But why? openssl doesn't complain:
We call an OpenSSL function to do the OCSP verification, and that function returns "failed". Why? OpenSSL magic.
i.e. OpenSSL doesn't give FreeRADIUS any reason why. There's just a "failed" response. No error result, nothing useful which we can print.
$ openssl ocsp -issuer /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt -cert orionad.crt -url http://ocsp.ad.nwra.com/ocsp Response verify OK orionad.crt: good This Update: Dec 3 17:50:03 2024 GMT Next Update: Dec 5 06:10:03 2024 GMT
You're passing the issuer here, though. OpenSSL needs the *entire* certificate chain for verification. If it only has an intermediate certificate, then it will fail.
So did you add the issuer certificate to the FreeRADIUS configuration? i.e. put it into "ca_path".
I have: tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/pki/tls/private/FQDN.key" certificate_file = "/etc/pki/tls/certs/FQDN.crt" ca_file = "/etc/raddb/certs/nwra_ad_ipa_ca.crt" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = yes override_cert_url = no url = "http://ocsp.ad.nwra.com/ocsp/" use_nonce = yes timeout = 0 softfail = no } } ca_file's nwra_ad_ipa_ca.crt contains all 3 of our CA certs in use. There are no intermediate certs. I did just now realize that ca_path would not have been working properly currently because openssl rehash requires all of the files there to only contain 1 cert. So I split the AD CA cert file into two, rehashed again, and tried again - but I'm still getting the same failure. lrwxrwxrwx. 1 root root 16 Dec 4 11:00 241bed0c.0 -> ad.nwra.com2.crt lrwxrwxrwx. 1 root root 15 Dec 4 11:00 241bed0c.1 -> ad.nwra.com.crt lrwxrwxrwx. 1 root root 10 Sep 1 2023 599be2cf.0 -> ipa_ca.crt (40) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response (40) eap_tls: ERROR: (TLS) ocsp: Certificate has been expired/revoked (40) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (40) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (40) eap_tls: ERROR: (TLS) Server : Error in error (40) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (40) eap_tls: ERROR: (TLS) error:13800070:OCSP routines::root ca not trusted (40) eap_tls: ERROR: (TLS) error:0A000086:SSL routines::certificate verify failed (40) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (40) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation It seems like openssl might be thinking that the signing cert used for the ocsp response might be expired/revoked, but who knows. If it really was I would have expected the openssl ocsp command to fail as well. -- Orion Poplawski he/him/his - surely the least important thing about me IT Systems Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 https://www.nwra.com/