wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <
aland@deployingradius.com>
napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0 Can you share what version of openssl should be used? If that makes difference? Maciej