As I wrote in my first post, "openssl verify" command outputs that client certificate is trusted. I think that without specifying "-CAFile" in "openssl verify" it looks for trusted CAs in default locations. So it works with or without -CAFile (i.e default OS system CA store and custom CA store). I expect FreeRadius does the same since it uses OpenSSL. I did run strace on "openssl verify" and I saw very clearly what files are examined for trusted CAs (it extracts IssuerName from client cert, hash it and then search for filename with that hash in trusted CA stores). I tried that same approach with "strace freeradius -fxxx" + "eapol_test ..." and did not find any similar output (just accessing server certificate and key but not any other *.PEM). Regarding the debug output: that's it. All relevant attributes from client certificate are shown and then bump "Warning: Certificate chain - 1 cert(s) untrusted", "Warning: (TLS) untrusted certificate with depth 0". st 7. 6. 2023 o 9:34 Alan DeKok <aland@deployingradius.com> napĂsal(a):
On Jun 7, 2023, at 9:28 AM, MH <h33927318@gmail.com> wrote:
But there's already ca_cert in wpa_supplicant configuration.
So there's nothing wrong with the configuration, and it works?
Or, maybe there's something wrong with the configuration. Because it doesn't work.
The error is "fatal: unknown CA". The only solution is to make sure that the CA is known.
Maybe the problem is that the client certificate is issued by a CA that the server doesn't know. It's difficulty to tell, because you've "helpfully" removed nearly all of the debug output. The documentation for FreeRADIUS says to post all of the debug output. For precisely this reason.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html