I have a problem with warning about "untrusted certificate" and rejecting if set "reject_unknown_intermediate_ca = yes". Could you help me solving this issue? In short, this is the problem:
Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
I have One-Tier PKI. On FreeRADIUS server I copied client certificate and CA to /tmp/certs: 802_1x.crt and 802_1x.ca.crt . On FreeRADIUS server I have server certificate issued by the same CA. To check certificates I run commands under same user FreeRADIUS runs: `su freerad -s /bin/bash`. Check if both CAs same ``` freerad@radius2:/root$ md5sum /tmp/certs/802_1x.ca.crt /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt e65a3b9362b313ed3a10a3ce4a3588e5 /tmp/certs/802_1x.ca.crt e65a3b9362b313ed3a10a3ce4a3588e5 /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt ``` Check if both CAs are self-signed and same: ``` freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt | grep -A1 'Key Identifier' X509v3 Subject Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.ca.crt | grep -A1 'Key Identifier' X509v3 Subject Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 ``` Check if client and server certificate is issued by this CA: ``` freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.crt | grep -A1 'Authority Key Identifier' X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/wifi.crt | grep -A1 'Authority Key Identifier' X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 ``` Check if client both client and server certificates are issued by same CA (here I see "untrusted"): ``` freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /tmp/certs/802_1x.crt /tmp/certs/802_1x.crt: OK Chain: depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted) depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /etc/freeradius/3.0/tls/certs/wifi.crt /etc/freeradius/3.0/tls/certs/wifi.crt: OK Chain: depth=0: O = OD.FREEIPA.XYZ, CN = radius2.od.freeipa.xyz (untrusted) depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority ``` Copied (under root) to ca store and run `c_rehash /etc/ssl/certs`. Found that my CA cert is already here. ``` root@radius2:~# mkdir /usr/share/ca-certificates/wifi root@radius2:~# cp /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt /usr/share/ca-certificates/wifi root@radius2:~# chmod -R 755 /usr/share/ca-certificates/wifi root@radius2:~# ls -laR /usr/share/ca-certificates/wifi /usr/share/ca-certificates/wifi: total 12 drwxr-xr-x 2 root root 4096 Nov 5 21:44 . drwxr-xr-x 4 root root 4096 Nov 5 21:43 .. -rwxr-xr-x 1 root root 1598 Nov 5 21:44 wifi.ca.crt root@radius2:~# ln -s /usr/share/ca-certificates/wifi/wifi.ca.crt /etc/ssl/certs/wifi.ca.crt root@radius2:~# ls -la /etc/ssl/certs/wifi.ca.crt lrwxrwxrwx 1 root root 43 Nov 5 21:46 /etc/ssl/certs/wifi.ca.crt -> /usr/share/ca-certificates/wifi/wifi.ca.crt root@radius2:~# c_rehash /etc/ssl/certs Doing /etc/ssl/certs WARNING: Skipping duplicate certificate ca-certificates.crt WARNING: Skipping duplicate certificate ca-certificates.crt WARNING: Skipping duplicate certificate wifi.ca.crt WARNING: Skipping duplicate certificate wifi.ca.crt ``` Still no luck. Run `c_rehash /etc/freeradius/3.0/tls/certs/ca/wifi` (this is where wifi.ca.crt is also added) and added `ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi"` ``` root@radius2:~# ls -laR /etc/freeradius/3.0/tls/certs/ca/wifi/ /etc/freeradius/3.0/tls/certs/ca/wifi/: total 12 drwxr-xr-x 2 freerad freerad 4096 Nov 5 21:48 . drwxr-xr-x 3 freerad freerad 4096 Nov 5 20:32 .. lrwxrwxrwx 1 root root 11 Nov 5 21:48 577f4bb3.0 -> wifi.ca.crt lrwxrwxrwx 1 root root 11 Nov 5 21:48 ed3eb11a.0 -> wifi.ca.crt -rwxr-xr-x 1 freerad freerad 1598 Nov 5 20:34 wifi.ca.crt ``` Still no luck. This is my EAP config: ``` # /etc/freeradius/3.0/mods-available/eap_wifi eap eap_wifi { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls_eap_wifi { private_key_file = "/etc/freeradius/3.0/tls/private/wifi.key" certificate_file = "/etc/freeradius/3.0/tls/certs/wifi.crt" ca_file = "/etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt" ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi" auto_chain = yes cipher_list = "HIGH" check_crl = no check_all_crl = no cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "prime256v1" reject_unknown_intermediate_ca = yes } tls { tls = tls_eap_wifi configurable_client_cert = no } } ``` This is part of `freeradius -X` log: ```
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/wifi (7) Auth-Type eap_wifi { (7) eap_wifi: Expiring EAP session with state 0xe7b966f3e1e06b16 (7) eap_wifi: Finished EAP session with state 0xe7b966f3e1e06b16 (7) eap_wifi: Previous EAP request found for state 0xe7b966f3e1e06b16, released from the list (7) eap_wifi: Peer sent packet with method EAP TLS (13) (7) eap_wifi: Calling submodule eap_tls to process data (7) eap_tls: (TLS) EAP Got final fragment (321 bytes) (7) eap_tls: (TLS) EAP Done initial handshake (7) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (7) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (7) eap_tls: (TLS) Creating attributes from server certificate (7) eap_tls: TLS-Cert-Serial := "01" (7) eap_tls: TLS-Cert-Expiration := "441018201402Z" (7) eap_tls: TLS-Cert-Valid-Since := "241018201402Z" (7) eap_tls: TLS-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Cert-Common-Name := "OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: (TLS) Creating attributes from client certificate (7) eap_tls: TLS-Client-Cert-Serial := "22" (7) eap_tls: TLS-Client-Cert-Expiration := "250104182310Z" (7) eap_tls: TLS-Client-Cert-Valid-Since := "241105182310Z" (7) eap_tls: TLS-Client-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Client-Cert-Common-Name := "rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Upn := "host/rpi4b.od.freeipa.xyz@OD.FREEIPA.XYZ" (7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.5.5.7.3.14" (7) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F1:BC:FD:76:AC:E4:92:AD:A1:82:81:79:25:CC:1D:09:63:15:C9:00" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14" Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz tls: There are untrusted certificates in the certificate chain. Rejecting. (7) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (7) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (7) eap_tls: ERROR: (TLS) Server : Error in error (7) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (7) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (7) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (7) eap_tls: ERROR: [eaptls process] = fail (7) eap_wifi: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (7) eap_wifi: Sending EAP Failure (code 4) ID 89 length 4 (7) eap_wifi: Failed in EAP select (7) [eap_wifi] = invalid
The piece around warning when `freeradius -X -xx` is used:
... Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14" Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Auth: tls: There are untrusted certificates in the certificate chain. Rejecting. Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) chain-depth : 0 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) error : 0 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: identity : anonymous-od-type-a Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) common name : rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) subject : /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) issuer : /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) verify return : 0 Tue Nov 5 22:37:37 2024 : Debug: (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 771 Tue Nov 5 22:37:37 2024 : Debug: (TLS) Received 2 bytes of TLS data Tue Nov 5 22:37:37 2024 : Debug: (TLS) 02 50 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Alert write:fatal:internal error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Server : Error in error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[3522]:error: :SSL routines::certificate verify failed Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) System call (I/O) error (-1) Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) EAP Receive handshake failed during operation Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: [eaptls process] = fail Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_wifi: Failed continuing EAP TLS (13) session. EAP sub-module failed Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Sending EAP Failure (code 4) ID 98 length 4 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Failed in EAP select Tue Nov 5 22:37:37 2024 : Debug: (15) modsingle[authenticate]: returned from eap_wifi (rlm_eap) Tue Nov 5 22:37:37 2024 : Debug: (15) [eap_wifi] = invalid ... ```