Problem verifying EAP-TLS certificates (untrusted warning)
I have a problem with warning about "untrusted certificate" and rejecting if set "reject_unknown_intermediate_ca = yes". Could you help me solving this issue? In short, this is the problem:
Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
I have One-Tier PKI. On FreeRADIUS server I copied client certificate and CA to /tmp/certs: 802_1x.crt and 802_1x.ca.crt . On FreeRADIUS server I have server certificate issued by the same CA. To check certificates I run commands under same user FreeRADIUS runs: `su freerad -s /bin/bash`. Check if both CAs same ``` freerad@radius2:/root$ md5sum /tmp/certs/802_1x.ca.crt /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt e65a3b9362b313ed3a10a3ce4a3588e5 /tmp/certs/802_1x.ca.crt e65a3b9362b313ed3a10a3ce4a3588e5 /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt ``` Check if both CAs are self-signed and same: ``` freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt | grep -A1 'Key Identifier' X509v3 Subject Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.ca.crt | grep -A1 'Key Identifier' X509v3 Subject Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 ``` Check if client and server certificate is issued by this CA: ``` freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.crt | grep -A1 'Authority Key Identifier' X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/wifi.crt | grep -A1 'Authority Key Identifier' X509v3 Authority Key Identifier: CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79 ``` Check if client both client and server certificates are issued by same CA (here I see "untrusted"): ``` freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /tmp/certs/802_1x.crt /tmp/certs/802_1x.crt: OK Chain: depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted) depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /etc/freeradius/3.0/tls/certs/wifi.crt /etc/freeradius/3.0/tls/certs/wifi.crt: OK Chain: depth=0: O = OD.FREEIPA.XYZ, CN = radius2.od.freeipa.xyz (untrusted) depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority ``` Copied (under root) to ca store and run `c_rehash /etc/ssl/certs`. Found that my CA cert is already here. ``` root@radius2:~# mkdir /usr/share/ca-certificates/wifi root@radius2:~# cp /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt /usr/share/ca-certificates/wifi root@radius2:~# chmod -R 755 /usr/share/ca-certificates/wifi root@radius2:~# ls -laR /usr/share/ca-certificates/wifi /usr/share/ca-certificates/wifi: total 12 drwxr-xr-x 2 root root 4096 Nov 5 21:44 . drwxr-xr-x 4 root root 4096 Nov 5 21:43 .. -rwxr-xr-x 1 root root 1598 Nov 5 21:44 wifi.ca.crt root@radius2:~# ln -s /usr/share/ca-certificates/wifi/wifi.ca.crt /etc/ssl/certs/wifi.ca.crt root@radius2:~# ls -la /etc/ssl/certs/wifi.ca.crt lrwxrwxrwx 1 root root 43 Nov 5 21:46 /etc/ssl/certs/wifi.ca.crt -> /usr/share/ca-certificates/wifi/wifi.ca.crt root@radius2:~# c_rehash /etc/ssl/certs Doing /etc/ssl/certs WARNING: Skipping duplicate certificate ca-certificates.crt WARNING: Skipping duplicate certificate ca-certificates.crt WARNING: Skipping duplicate certificate wifi.ca.crt WARNING: Skipping duplicate certificate wifi.ca.crt ``` Still no luck. Run `c_rehash /etc/freeradius/3.0/tls/certs/ca/wifi` (this is where wifi.ca.crt is also added) and added `ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi"` ``` root@radius2:~# ls -laR /etc/freeradius/3.0/tls/certs/ca/wifi/ /etc/freeradius/3.0/tls/certs/ca/wifi/: total 12 drwxr-xr-x 2 freerad freerad 4096 Nov 5 21:48 . drwxr-xr-x 3 freerad freerad 4096 Nov 5 20:32 .. lrwxrwxrwx 1 root root 11 Nov 5 21:48 577f4bb3.0 -> wifi.ca.crt lrwxrwxrwx 1 root root 11 Nov 5 21:48 ed3eb11a.0 -> wifi.ca.crt -rwxr-xr-x 1 freerad freerad 1598 Nov 5 20:34 wifi.ca.crt ``` Still no luck. This is my EAP config: ``` # /etc/freeradius/3.0/mods-available/eap_wifi eap eap_wifi { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls_eap_wifi { private_key_file = "/etc/freeradius/3.0/tls/private/wifi.key" certificate_file = "/etc/freeradius/3.0/tls/certs/wifi.crt" ca_file = "/etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt" ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi" auto_chain = yes cipher_list = "HIGH" check_crl = no check_all_crl = no cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "prime256v1" reject_unknown_intermediate_ca = yes } tls { tls = tls_eap_wifi configurable_client_cert = no } } ``` This is part of `freeradius -X` log: ```
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/wifi (7) Auth-Type eap_wifi { (7) eap_wifi: Expiring EAP session with state 0xe7b966f3e1e06b16 (7) eap_wifi: Finished EAP session with state 0xe7b966f3e1e06b16 (7) eap_wifi: Previous EAP request found for state 0xe7b966f3e1e06b16, released from the list (7) eap_wifi: Peer sent packet with method EAP TLS (13) (7) eap_wifi: Calling submodule eap_tls to process data (7) eap_tls: (TLS) EAP Got final fragment (321 bytes) (7) eap_tls: (TLS) EAP Done initial handshake (7) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (7) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (7) eap_tls: (TLS) Creating attributes from server certificate (7) eap_tls: TLS-Cert-Serial := "01" (7) eap_tls: TLS-Cert-Expiration := "441018201402Z" (7) eap_tls: TLS-Cert-Valid-Since := "241018201402Z" (7) eap_tls: TLS-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Cert-Common-Name := "OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: (TLS) Creating attributes from client certificate (7) eap_tls: TLS-Client-Cert-Serial := "22" (7) eap_tls: TLS-Client-Cert-Expiration := "250104182310Z" (7) eap_tls: TLS-Client-Cert-Valid-Since := "241105182310Z" (7) eap_tls: TLS-Client-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority" (7) eap_tls: TLS-Client-Cert-Common-Name := "rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "rpi4b.od.freeipa.xyz" (7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Upn := "host/rpi4b.od.freeipa.xyz@OD.FREEIPA.XYZ" (7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.5.5.7.3.14" (7) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F1:BC:FD:76:AC:E4:92:AD:A1:82:81:79:25:CC:1D:09:63:15:C9:00" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14" Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz tls: There are untrusted certificates in the certificate chain. Rejecting. (7) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error (7) eap_tls: ERROR: (TLS) Alert write:fatal:internal error (7) eap_tls: ERROR: (TLS) Server : Error in error (7) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (7) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (7) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (7) eap_tls: ERROR: [eaptls process] = fail (7) eap_wifi: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (7) eap_wifi: Sending EAP Failure (code 4) ID 89 length 4 (7) eap_wifi: Failed in EAP select (7) [eap_wifi] = invalid
The piece around warning when `freeradius -X -xx` is used:
... Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14" Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Auth: tls: There are untrusted certificates in the certificate chain. Rejecting. Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) chain-depth : 0 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) error : 0 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: identity : anonymous-od-type-a Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) common name : rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) subject : /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) issuer : /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) verify return : 0 Tue Nov 5 22:37:37 2024 : Debug: (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 771 Tue Nov 5 22:37:37 2024 : Debug: (TLS) Received 2 bytes of TLS data Tue Nov 5 22:37:37 2024 : Debug: (TLS) 02 50 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Alert write:fatal:internal error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Server : Error in error Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[3522]:error: :SSL routines::certificate verify failed Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) System call (I/O) error (-1) Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) EAP Receive handshake failed during operation Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: [eaptls process] = fail Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_wifi: Failed continuing EAP TLS (13) session. EAP sub-module failed Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Sending EAP Failure (code 4) ID 98 length 4 Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Failed in EAP select Tue Nov 5 22:37:37 2024 : Debug: (15) modsingle[authenticate]: returned from eap_wifi (rlm_eap) Tue Nov 5 22:37:37 2024 : Debug: (15) [eap_wifi] = invalid ... ```
On Nov 5, 2024, at 7:46 PM, Alexey D. Filimonov <alexey@filimonic.net> wrote:
I have a problem with warning about "untrusted certificate" and rejecting if set "reject_unknown_intermediate_ca = yes". Could you help me solving this issue?
For now, ignore it. You can update the EAP module configuration to allow untrusted certificates. So far as we can tell, we're using the OpenSSL APIs correctly. This issue seems to come up more in recent versions of OpenSSL, for reasons which aren't clear. Alan DeKok.
Ok, thank you. And as I checked, If I use `eap{tls-config{verify{client}}}`, it still makes some checks internally through libssl, and it still shows message. On 2024-11-06 12:39, Alan DeKok wrote:
On Nov 5, 2024, at 7:46 PM, Alexey D. Filimonov <alexey@filimonic.net> wrote:
I have a problem with warning about "untrusted certificate" and rejecting if set "reject_unknown_intermediate_ca = yes". Could you help me solving this issue? For now, ignore it. You can update the EAP module configuration to allow untrusted certificates.
So far as we can tell, we're using the OpenSSL APIs correctly. This issue seems to come up more in recent versions of OpenSSL, for reasons which aren't clear.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Alexey D. Filimonov