Just been browsing our FR log files having migrated a server to Ununtu 18.06 from 16.04 and noticed the following error message ERROR: Couldn't get issuer_cert for eapoltest2020@york.ac.uk epoltest2020@york.ac.uk is a test client cert generated using our local pki manually pused to FR via eapol_test. We've been using a version of that to perform health checks for TLS validation for years and I've only just noticed the above message ( running 3.0.22 from git) doesn't matter whether I use pem files or p.12 flles in the wpa_supplicant .conf file still get the message. On the server, in our /etc/freeradius/mods-enabled/eap file I have a ca_file set to a file with a list of all the root/ intermediate CAs that might issue a client certificate. ... again that hasn't changed for a long time. TBH these servers have been fit and forget for a long time, so the error message might have been there for a while. The client successfully auths via an OCSP validation so its not causing any problems ..... other than its there and I feel it shouldn't be, the ca_file specified has an extension of .chain ... but that shouldn't matter should it ? Rgds Alex
hi, IIRC that message only comes from the OCSP part of FreeRADIUS EAP-TLS - and it whilst it suggests that the issuer of the EAP-TLS cert that the client is using could not be found in your chain it might really be some Ubuntu/Debian OpenSSL thing - changes to acceptable crypto etc. might be that which is causing the upset. I guess this error is only seen when you are firing off tests from that one client and you havent got an other/older copy been fired off from some monitor platform? (a platform which might have TLS1.1 or higher issues) ? alan
Upon closer examination it appears to have been a server specific thing. Our systems department were upgrading server from Ubuntuy 16.04 -> 18.04 and rebuilding FR at the same time. Unfortunately they "upgraded" from running 3.0.22 ->0 and were changing puppet based configs at the same time. Lots of. moving windows I'm afraid. Everything sorted now and back to normal Rgds Alex On Fri, 17 Apr 2020 at 11:04, Alan Buxey <alan.buxey@gmail.com> wrote:
hi,
IIRC that message only comes from the OCSP part of FreeRADIUS EAP-TLS - and it whilst it suggests that the issuer of the EAP-TLS cert that the client is using could not be found in your chain it might really be some Ubuntu/Debian OpenSSL thing - changes to acceptable crypto etc. might be that which is causing the upset. I guess this error is only seen when you are firing off tests from that one client and you havent got an other/older copy been fired off from some monitor platform? (a platform which might have TLS1.1 or higher issues) ?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan Buxey -
Alex Sharaz