Is it possible to query freeradius' certificate expiration remotely?
Is it possible to query freeradius' certificate expiration date remotely for the cert in /etc/raddb/certs? I'm trying to set up an alert so there's notification when the cert is <60 days from requiring renewal. I'm trying the following but the command returns connection refused on all of the ports I expected it to work on: openssl s_client -servername rad2.domain.com -connect rad2.domain.com:1813 | openssl x509 -noout -dates I've tried ports 443, 8080, 88, 1812, 1813, 1645, 1646, and everything else I can find that might be listening, to no avail. Thanks for any guidance /mh
No, there are no functionality in FreeRADIUS to do that. And you get connection refused since FreeRADIUS listen on UDP ports. /K
On 2 May 2023, at 02:05, Matt H <meh1963@gmail.com> wrote:
Is it possible to query freeradius' certificate expiration date remotely for the cert in /etc/raddb/certs?
I'm trying to set up an alert so there's notification when the cert is <60 days from requiring renewal.
I'm trying the following but the command returns connection refused on all of the ports I expected it to work on:
openssl s_client -servername rad2.domain.com -connect rad2.domain.com:1813 | openssl x509 -noout -dates
I've tried ports 443, 8080, 88, 1812, 1813, 1645, 1646, and everything else I can find that might be listening, to no avail.
Thanks for any guidance /mh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You could install a web server on the box, on a nice high port. Then configure it to use the same cert as FR and return a blank 200 page. Then query that…
On 2 May 2023, at 01:05, Matt H <meh1963@gmail.com> wrote:
Is it possible to query freeradius' certificate expiration date remotely for the cert in /etc/raddb/certs?
I'm trying to set up an alert so there's notification when the cert is <60 days from requiring renewal.
I'm trying the following but the command returns connection refused on all of the ports I expected it to work on:
openssl s_client -servername rad2.domain.com -connect rad2.domain.com:1813 | openssl x509 -noout -dates
I've tried ports 443, 8080, 88, 1812, 1813, 1645, 1646, and everything else I can find that might be listening, to no avail.
Thanks for any guidance /mh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You can check a certificate with eapol_test and even save it to a local file with '-o' option. Check man pages for wpa_supplicant and eapol_test. On 5/2/23 02:04, Matt H wrote:
Is it possible to query freeradius' certificate expiration date remotely for the cert in /etc/raddb/certs?
I'm trying to set up an alert so there's notification when the cert is <60 days from requiring renewal.
I'm trying the following but the command returns connection refused on all of the ports I expected it to work on:
openssl s_client -servername rad2.domain.com -connect rad2.domain.com:1813 | openssl x509 -noout -dates
I've tried ports 443, 8080, 88, 1812, 1813, 1645, 1646, and everything else I can find that might be listening, to no avail.
Thanks for any guidance /mh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, 2023-05-01 at 17:04 -0700, Matt H wrote:
Is it possible to query freeradius' certificate expiration date remotely for the cert in /etc/raddb/certs?
I'm trying to set up an alert so there's notification when the cert is <60 days from requiring renewal.
You could install the 'x509watch' package (assuming Linux/UNIX server), and configure it to look at the '/etc/raddb/certs' files and set the number of days before warning you. The package defaults to 30 days before warning. It has a simple config file at '/etc/sysconfig/x509watch'. John. -- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK ________________________________ [https://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass> This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.
participants (5)
-
Arnaud LAURIOU -
John Horne -
Kev Pearce -
Kristofer Hallin -
Matt H