unable to get local issuer certificate
Alan DeKok
aland at deployingradius.com
Fri Dec 18 16:10:33 CET 2020
On Dec 16, 2020, at 7:37 PM, Kostya Berger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
> But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else. I wonder if that could be LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.
Well, that is likely it then. :(
> And why does it validate user certificate TWICE?
No idea. Our "Verifying client certificate" code is in a callback, i.e. we call LibreSSL / OpenSSL to do TLS magic, and it runs our callback whenever it chooses to run our callback. We have no control over that.
> Here it is in the log: ...
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
> (5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
That's good.
> ...
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
That is weird.
> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
> Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
> 9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
> 9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
> unable to load certificate
> (5) eap_tls: ERROR: Program returned code (2) and output ''
Hmm... the code which prints "Verifying client certificate" does:
* write cert to file
* print error if we can't!
* print "verifying client certificate"
* run the program
So there shouldn't be any code path where it runs the program, *and* the file doesn't exist.
Alan DeKok.
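The exchange above is decided by reading the eap_tls debug output by eye: the verifier was executed twice for request (5), the second run expanded to the same temp file, and that run failed because the file no longer existed. As an added example (not FreeRADIUS code, and not from anyone in the thread), the following script does that reading mechanically: it parses the quoted debug lines, records one entry per "Verifying client certificate" run with the expanded filename and exit code, and reports per request whether the verifier ran more than once, whether one temp filename was reused, and whether a run failed with "No such file or directory". The sample log is constructed from the lines quoted above; the script reports only what the log shows and does not claim a root cause.

```python
import re
from collections import defaultdict

# Constructed sample: the eap_tls debug lines quoted in the thread (request 5),
# trimmed to what the parser needs. openssl's own stderr lines carry no
# "(5) eap_tls:" prefix, exactly as in the quoted output.
SAMPLE_LOG = """\
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
"""

REQ_LINE = re.compile(r"^\((\d+)\) eap_tls: (.*)$")
EXPANDED = re.compile(r"^--> (\S+)$")
RETURNED = re.compile(r"^(?:ERROR: )?Program returned code \((\d+)\)")


def parse_verifications(log_text):
    """Return one dict per external verifier run: request, file, code, missing_file."""
    runs = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQ_LINE.match(line)
        if m:
            req, msg = int(m.group(1)), m.group(2)
            if msg.startswith("Verifying client certificate:"):
                # A new run begins each time the server announces the verifier.
                current = {"request": req, "file": None, "code": None, "missing_file": False}
                runs.append(current)
            elif current is not None:
                e = EXPANDED.match(msg)
                r = RETURNED.match(msg)
                if e:
                    current["file"] = e.group(1)   # expanded %{TLS-Client-Cert-Filename}
                elif r:
                    current["code"] = int(r.group(1))
                    current = None                # the run is complete
        elif current is not None and "No such file or directory" in line:
            # Unprefixed line between "-->" and "Program returned" is the
            # verifier's own stderr; attach it to the run in progress.
            current["missing_file"] = True
    return runs


def diagnose(runs):
    """Per request: number of runs, whether one temp file was reused across
    runs, and whether a non-zero run reported the file as missing."""
    by_req = defaultdict(list)
    for run in runs:
        by_req[run["request"]].append(run)
    report = {}
    for req, rs in by_req.items():
        files = [r["file"] for r in rs if r["file"]]
        report[req] = {
            "runs": len(rs),
            "same_file_reused": len(files) > 1 and len(set(files)) == 1,
            "failed_missing_file": any(
                r["code"] not in (None, 0) and r["missing_file"] for r in rs
            ),
        }
    return report


if __name__ == "__main__":
    for req, finding in diagnose(parse_verifications(SAMPLE_LOG)).items():
        print(f"request ({req}): {finding}")
```

On the sample the report for request (5) is two runs, the same temp file in both, and a failing run that reported the file missing, which is exactly the contradiction Alan describes (the program ran, but the file it was handed did not exist). Feeding a full `radiusd -X` capture through `parse_verifications` shows whether the double run is specific to one request or happens on every EAP-TLS authentication.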