unable to get local issuer certificate

Alan DeKok aland at deployingradius.com
Fri Dec 18 16:10:33 CET 2020


On Dec 16, 2020, at 7:37 PM, Kostya Berger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
> But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else. I wonder if that could be a LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.

  Well, that is likely it then.  :(

> And why does it validate user certificate TWICE?

  No idea.  Our "Verifying client certificate" code is in a callback.  i.e. we call LibreSSL / OpenSSL to do TLS magic, and it runs our callback whenever it chooses to run our callback.  We have no control over that.

> Here it is in the log:...........................
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
> (5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'

  That's good.

> ...
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}

  That is weird.

> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
> Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
> 9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
> 9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
> unable to load certificate
> (5) eap_tls: ERROR: Program returned code (2) and output ''

  Hmm... the code which prints "Verifying client certificate" does:

* write cert to file
  * print error if we can't!
* print "verifying client certificate"
* run the program

  So there shouldn't be any code path where it runs the program, *and* the file doesn't exist.

  Alan DeKok.
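The four-step flow Alan describes (write the cert to a file, fail if that write did not happen, expand the filename attribute, run the verify program) as an added example in Python. This is not FreeRADIUS code and not anything either participant posted; it is a stand-alone re-implementation for reasoning about the log above. Assumed here: that the only expansion the command template needs is a textual substitution of `%{TLS-Client-Cert-Filename}`, that the sample PEM blob is a constructed placeholder (not a real certificate), and that the `unlink_between_runs` flag merely simulates the symptom in the second log excerpt (program executed, file already gone); the list thread does not establish why the file was gone, and neither does this code.

```python
"""
Added example, not FreeRADIUS's own code: a minimal harness that mirrors the
eap_tls "Verifying client certificate" sequence from the reply above:

  1. write the peer certificate to a unique temp file
  2. refuse to continue if that file is not actually there
  3. expand %{TLS-Client-Cert-Filename} in the configured command line
  4. run the program and report its exit code and output

The default command is the one shown in the log. For offline runs any other
command that takes the filename works, e.g. "cat %{TLS-Client-Cert-Filename}".
"""
import os
import shlex
import shutil
import subprocess
import tempfile

PLACEHOLDER = "%{TLS-Client-Cert-Filename}"
DEFAULT_VERIFY = "/usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt " + PLACEHOLDER

# Constructed placeholder bytes, NOT a real certificate; a real deployment
# writes the PEM of the peer certificate received during the TLS handshake.
SAMPLE_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIB...constructed-placeholder...\n"
    b"-----END CERTIFICATE-----\n"
)


def write_client_cert(cert_pem: bytes, tmpdir: str) -> str:
    """Step 1: write the cert to a unique file, like /tmp/radiusd/radiusd.client.XXXXXX."""
    fd, path = tempfile.mkstemp(prefix="radiusd.client.", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(cert_pem)
    return path


def run_verify(path: str, verify_cmd: str = DEFAULT_VERIFY) -> tuple:
    """Steps 2-4. Returns (exit_code, stdout, error_text).

    exit_code is None when the program was never executed: the cert file was
    missing (the "print error if we can't" branch) or the program itself is
    not installed. The verify program is only ever run against a file that
    exists at exec time, so the "No such file or directory" case in the log
    cannot be produced by this function.
    """
    if not os.path.isfile(path):
        return (None, "", "certificate file %s does not exist" % path)
    # Step 3: expand the attribute; the substitution is done per argv token,
    # so the filename can never be re-split by a shell (no shell is involved).
    argv = [arg.replace(PLACEHOLDER, path) for arg in shlex.split(verify_cmd)]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError as exc:
        return (None, "", "cannot execute %s: %s" % (argv[0], exc))
    return (proc.returncode, proc.stdout, proc.stderr)


def verify_client_cert(cert_pem: bytes, verify_cmd: str = DEFAULT_VERIFY,
                       runs: int = 1, unlink_between_runs: bool = False) -> list:
    """Write the cert once, run the verifier `runs` times, always clean up.

    unlink_between_runs=True simulates the file disappearing before a repeated
    callback invocation (the symptom in the second log excerpt). With the guard
    in run_verify the repeat reports a missing file instead of executing the
    program against a path that no longer exists.
    """
    tmpdir = tempfile.mkdtemp(prefix="radiusd.")
    results = []
    try:
        path = write_client_cert(cert_pem, tmpdir)
        for i in range(runs):
            if i > 0 and unlink_between_runs and os.path.exists(path):
                os.unlink(path)
            results.append(run_verify(path, verify_cmd))
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    # Portable demonstration using cat; swap in DEFAULT_VERIFY on a host that
    # has openssl and a CA file at the configured path.
    for code, out, err in verify_client_cert(SAMPLE_CERT_PEM, "cat " + PLACEHOLDER,
                                             runs=2, unlink_between_runs=True):
        print("code=%r stdout=%r err=%r" % (code, out.strip(), err.strip()))
```

Run as-is it executes `cat` twice against the temp file, removing the file before the second run: the first call returns code 0 and the file contents, the second never executes the program and reports the missing file. That is the distinction Alan draws, that there should be no code path where the program runs and the file does not exist.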