"check_crl = yes" leads to "verify error:num=3:unable to get certificate CRL"

Vieri rentorbuy at yahoo.com
Tue Dec 22 13:02:25 CET 2009


Hi,

I'm doing something wrong with my Certificate Revocation List but I can't seem to understand what.

I'm using freeradius 2.1.7 and openssl 0.9.8k. I'm self-signing the certificates.

With "check_crl = no" everything works well.

However, authentication does not work with "check_crl = yes" and I get an "unable to get certificate CRL" error.
How can I debug this and understand why it can't get the CRL?

Here are the steps I perform:

# cd /etc/ssl
# openssl ca -gencrl -keyfile FHM-CA/certs/radius_client_D_831_key.pem -cert FHM-CA/certs/radius_client_D_831_cert.pem -out FHM-CA/crl/FHM_crl.pem -crldays 60
# c_rehash FHM-CA/crl
# cp FHM-CA/cacert.pem /etc/raddb/certs/FHM/
# cat FHM-CA/crl/FHM_crl.pem >> /etc/raddb/certs/FHM/cacert.pem

# openssl verify -CApath FHM-CA/crl FHM-CA/crl/radius_client_D_831_cert.pem
FHM-CA/crl/radius_client_D_831_cert.pem: OK

eap.conf

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs

    private_key_password = xxxxx
    private_key_file = ${certdir}/FHM/radius_server_keycert.pem

    certificate_file = ${certdir}/FHM/radius_server_keycert.pem

    CA_file = ${cadir}/FHM/cacert.pem

    dh_file = ${certdir}/FHM/dh
    random_file = ${certdir}/FHM/random

    #  Check the Certificate Revocation List
    #
    #  1) Copy CA certificates and CRLs to same directory.
    #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
    #    'c_rehash' is OpenSSL's command.
    #  3) uncomment the line below.
    #  5) Restart radiusd
    check_crl = yes
    CA_path = /etc/ssl/FHM-CA/crl/
    crl_file = /etc/ssl/FHM-CA/crl/FHM_crl.pem
    crl_path = /etc/ssl/FHM-CA/crl/FHM_crl.pem


The supplicant has the radius_client_D_831_cert.p12 certificate but I get this error on the freeradius server:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 1812
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 05fe], Certificate
--> verify error:num=3:unable to get certificate CRL
[peap] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Any ideas are greatly appreciated.

Vieri
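Added example, not the poster's commands: a small POSIX shell script that checks a CRL the way the server uses it with check_crl = yes, against a throwaway CA it builds itself. It assumes the openssl CLI is on PATH; all file and subject names are made up. Two things it makes visible: openssl verify without -crl_check (as in the steps above) never consults the CRL, and a CRL whose issuer is not the CA is simply not found during verification, which is what error 3 "unable to get certificate CRL" reports.

```shell
#!/bin/sh
# Added example, not from the post: check a CRL the way the server will use it
# before pointing eap.conf at it. Assumes the openssl CLI is on PATH; the CA,
# client cert and CRLs are constructed throwaway test data with made-up names.
set -u

# 0 if CRL_FILE names CA_FILE as issuer and its signature verifies with the CA
# key, 1 otherwise (e.g. a CRL generated with someone else's -keyfile/-cert).
crl_matches_ca() {  # CA_FILE CRL_FILE
    ca_subj=$(openssl x509 -in "$1" -noout -subject)
    crl_iss=$(openssl crl -in "$2" -noout -issuer)
    [ "${ca_subj#subject=}" = "${crl_iss#issuer=}" ] || return 1
    # exit status of 'openssl crl -CAfile' differs across versions: read verdict
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# 0 if CERT verifies against CA_FILE with CRL checking on, i.e. what
# check_crl = yes makes the server do for the client cert. A CRL from another
# issuer is simply not found: error 3 "unable to get certificate CRL".
# Without -crl_check 'openssl verify' never consults the CRL at all.
cert_ok_with_crl() {  # CA_FILE CRL_FILE CERT
    cat "$1" "$2" > "$1.bundle"      # -CApath would need c_rehash'd .r0 links
    openssl verify -crl_check -CAfile "$1.bundle" "$3" 2>&1 | grep -q ': OK$'
}

# Builds in DIR (and stays there): a CA, one client cert, good.crl signed by
# the CA and bad.crl signed by an unrelated key.
build_test_pki() {  # DIR
    cd "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Test-CA \
        -keyout ca.key -out ca.pem 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Other-Key \
        -keyout other.key -out other.pem 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout client.key -out client.csr 2>/dev/null || return 1
    openssl x509 -req -days 30 -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client.pem 2>/dev/null || return 1
    # 'openssl ca -gencrl' only needs a database file and a digest
    printf '[ca]\ndefault_ca=t\n[t]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
    : > index.txt
    openssl ca -config ca.cnf -gencrl -crldays 1 -keyfile ca.key -cert ca.pem \
        -out good.crl 2>/dev/null || return 1
    openssl ca -config ca.cnf -gencrl -crldays 1 -keyfile other.key \
        -cert other.pem -out bad.crl 2>/dev/null
}

# usage: build_test_pki "$(mktemp -d)" && crl_matches_ca ca.pem good.crl && echo CRL ok
```

Point the functions at the real cacert.pem, FHM_crl.pem and a client certificate to run the same two checks on an existing setup.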