Hi, nobody knows how setup freeradius to check new CRL lists? Should I provide more information (it is not easy to take output from radiusd -X, but if it is essential I can try it)? Thank you for any suggestion — Martin Čmelík 2011/11/10 Martin Čmelík <martin.cmelik@gmail.com>:
Hi,
I downloaded current stable freeradius version 2.1.12 and import configuration from old server (rewrite etc/raddb). Everything seems to be OK, but I must now add another two trusted CAs into ca.pem and also enable checking against CRL files as for other.
Lets say that eap.conf is setup by default:
tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random check_crl = yes CA_path = ${cadir} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" }
One of our script downloading CRL files every 20 minutes, move them to certs directory and c_rehash them.
It works for old certificates (4x CAs) but doesn't work for two which I add now.
When somebody with certificate issued by new CA try to login I see this error in log:
Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)
Hash are generated well:
lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 5a64316f.0 -> radius.crt lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 5be750ed.r0 -> crl2.pem lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 68db0f86.0 -> radius.pem lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 92b2a332.r0 -> crl5.pem lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 f31b716b.r0 -> crl1.pem lrwxrwxrwx 1 radius radius 6 Nov 10 16:19 f6efabfa.0 -> ca.pem
...
My question is: How freeradius find correct CRL list and check if user certificate is still valid?
This radius server has been setup by colleague many years ago and he cant remember how he do this :]
Thank you very much because there is lack of any information about it on Internet
— Martin Čmelík