unable to get local issuer certificate

Kostya Berger bergerkos at yahoo.co.uk
Tue Dec 15 15:10:27 CET 2020

Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2. 

Again, the very SAME configuration (certs etc) have been successfully running on OpenBSD 6.6, but on 6.8 I'm getting SSL error "unable to get local issuer certificate".Complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used on another machine with Freeradius-3.0.21 successfully.
What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += ""
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
Brief summary: /tmp/radiusd IS writable by _freeradius user -- I checked that explicitly by trying to write their by that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. Just don't remember that.

Thank you very much for your time!

More information about the Freeradius-Users mailing list