Help with Certificates

Arron Fox arronf at hotmail.com
Thu Aug 10 12:58:56 CEST 2017


Many thanks for the swift reply. Unfortunately I am out of my depth with the product suite; the previous sysadmin configured the solution with no handover.



>   Where did you get these certificates?  How did you configure them in
> FreeRADIUS?

The CAs are from a Microsoft Certificate Authority. I believe that the configuration is in /etc/raddb/mods-enabled/ldap, which then references the certs held in
/etc/openstack/certs.

tls {
                ca_file = /etc/openldap/certs/cacert.pem
                ca_path = /etc/openldap/certs
                certificate_file = /etc/openldap/certs/radius.pem
                private_key_file = /etc/openldap/certs/radius.key
}

I have been reviewing OpenLDAP but I cannot find any logs for this component; the solution was working fine and dandy up until Monday 07/08/2017. Is there a way to see if this is installed?

> > rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap):
> Connecting to ldap.prom.co.uk:389
> > TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be
> found in the database - error -8174:security library: bad database..
> 
>   i.e. it's an *openldap* issue, because the certificates are in the OpenLDAP
> configuration.
> 
>   And if you're getting a "bad database" error, you should likely fix that.  It's
> often the case that one error will create subsequent ones.  If you only look at
> the later errors, you won't fix the real cause of the problem.
> 
> > TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from
> PEM file.
> > TLS: no unlocked certificate for certificate
> 'E=radius at domainA.co.uk,CN=domainA.dmz.local,OU=Company,O=Radius,L
> =Newbury,ST=Berkshire,C=GB'.
> > TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has
> expired..
> > TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
> 
>   This won't work.  Ever.
> 
>   RedHat, etc. provides libldap which links to NSS.  FreeRADIUS uses OpenSSL.
> The two just aren't compatible.
> 
>   You will need to install a version of libldap which uses OpenSSL.
> 
> > TLS: can't connect: TLS error -8174:security library: bad database..
> > rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap):
> Opening connection failed (0) rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> 
>   These errors are being produced by the OpenLDAP client library.  It doesn't
> like the certificates.
> 
>   As for why... ask the OpenLDAP people.
> 
>   Alan DeKok.
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
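Two triage checks for the questions raised in this exchange (which TLS library the installed libldap links against, and which TLS error in the radiusd debug output is the one to fix first), added here as an example and not part of the thread; LIBLDAP and RADIUS_CERT are assumed paths, and the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread. LIBLDAP and RADIUS_CERT are assumed
# paths; RADIUS_CERT matches certificate_file in the quoted ldap module config.

LIBLDAP="${LIBLDAP:-/usr/lib64/libldap-2.4.so.2}"
RADIUS_CERT="${RADIUS_CERT:-/etc/openldap/certs/radius.pem}"

# Classify libldap's TLS backend from its `ldd` output. moznss error codes such
# as -8174 and -8181 only come from an NSS build, which FreeRADIUS (OpenSSL)
# cannot use.
ldap_tls_backend() {
    case "$1" in
        *libnss3.so*) echo nss ;;
        *libssl.so*)  echo openssl ;;
        *)            echo unknown ;;
    esac
}

# Print only the first "TLS: ... error" line of a debug log read from stdin;
# later errors (expired cert, "Could not start TLS") follow from it.
first_tls_error() {
    awk '/TLS: .*error/ { print; exit }'
}

# Exit 0 if a PEM certificate has already expired, 1 if it is still valid
# (openssl x509 -checkend 0 succeeds only while the cert is valid).
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed sample: the debug lines quoted in the thread, in order.
SAMPLE_LOG="rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389
TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..
TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file.
TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired..
TLS: can't connect: TLS error -8174:security library: bad database..
rlm_ldap (ldap): Could not start TLS: Connect error"

echo "first error: $(printf '%s\n' "$SAMPLE_LOG" | first_tls_error)"

# Live checks, run only where the tools and files exist on this host.
if command -v ldd >/dev/null 2>&1 && [ -r "$LIBLDAP" ]; then
    echo "libldap TLS backend: $(ldap_tls_backend "$(ldd "$LIBLDAP" 2>/dev/null)")"
fi
if command -v openssl >/dev/null 2>&1 && [ -r "$RADIUS_CERT" ]; then
    if cert_expired "$RADIUS_CERT"; then echo "$RADIUS_CERT has expired"; fi
fi
```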
