Hello, We setup OCSP validation on our FreeRADIUS servers a while back and it had been working great until yesterday when we started seeing errors like: Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Alert write:fatal:internal error Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Server : Error in error Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Failed reading from OpenSSL Dec 03 14:03:09 radiusd[109894]: (437) Login incorrect (eap_tls: ocsp: Couldn't get OCSP response): [HOSTNAME] We discovered some errors on our Windows OCSP responders due to configuration certificates expiring and resolved that. However, even after that Windows machines are unable to authenticate. Running in debug mode we see:  Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [0] subject name /CN=staff01.ad.nwra.com (14) eap_tls: Starting OCSP Request (14) eap_tls: WARNING: (TLS) ocsp: No OCSP URL in certificate, falling back to configured URL (14) eap_tls: ocsp: Using responder URL "http://ocsp.ad.nwra.com:80/ocsp/" (14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response (14) eap_tls: ERROR: (TLS) ocsp: Certificate has been expired/revoked (14) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (14) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (14) eap_tls: ERROR: (TLS) Server : Error in error (14) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (14) eap_tls: ERROR: (TLS) error:13800070:OCSP routines::root ca not trusted (14) eap_tls: ERROR: (TLS) error:0A000086:SSL routines::certificate verify failed (14) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (14) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (14) eap_tls: ERROR: [eaptls process] = fail (14) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed We have 3 certificates in the FreeRADIUS ca_file configuration - an AD CA cert that is expiring in about 18 months, a new AD CA cert that was issued in October, and an IPA CA cert - and that's been the case since the new AD CA cert was issued. That should cover all of the certificates issued internally, so I don't see why radiusd is complaining about an untrusted cert. Running openssl ocsp checks against the Windows ocsp responders work fine. I'm at a loss. Any ideas, things to check? ocsp config is simply enable = yes, and specifying the url fallback shown above. This is with freeradius-3.0.20-15.module_el8.10.0+3873+5b7fed0f.x86_64 freeradius-3.0.21-40.el9_4.x86_64 -- Orion Poplawski he/him/his - surely the least important thing about me IT Systems Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 https://www.nwra.com/