unable to get local issuer certificate
Kostya Berger
bergerkos at yahoo.co.uk
Fri Dec 18 17:13:23 CET 2020
Seems the problem is with OpenBSD Freeradius/SSL configuration.
I ended up running certs/bootstrap on the OpenBSD machine where Freeradius runs. The resulting certificates work fine on a FreeBSD-based Freeradius server, but on OpenBSD I get this complaint about the "local issuer certificate". I just don't know what else I might check.
With kindest regards,
Kostya Berger
On Thursday, 17 December 2020, 03:38:27 GMT+3, Kostya Berger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else. I wonder if that could be a LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL, and Freeradius works fine there.
And why does it validate the user certificate TWICE? Here it is in the log:
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "04"
(5) eap_tls: TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls: TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls: TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
With kindest regards,
Kostya Berger
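The log above shows two different outcomes of the same external check, `openssl verify -CAfile ca.crt <tempfile>`: the first run returns code 0 and "OK", the second returns code 2 because the temp file no longer exists, and the original report also mentions "unable to get local issuer certificate". The following script is an added example, not code from the thread or from FreeRADIUS: it builds a throwaway CA and client certificate (the names radius-ca and guest1 are taken from the log, the keys are fresh) and runs the same openssl command under each of those three conditions so the messages can be told apart. It assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the three outcomes of the external
# client-certificate check FreeRADIUS runs (openssl verify -CAfile <ca> <tempfile>).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuer and a client cert it signs (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=radius-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=guest1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.crt" >/dev/null 2>&1
# A second, unrelated CA that did not issue guest1.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=other-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

# classify_verify CAFILE CERTFILE: run the external check and name the outcome.
#   ok             - chain builds to a cert in CAFILE (the log's "code (0) ... OK")
#   issuer_missing - CAFILE lacks the issuer ("unable to get local issuer certificate")
#   file_missing   - the temp file is already gone (the log's second run: code 2)
classify_verify() {
    cafile=$1; certfile=$2
    if [ ! -r "$certfile" ]; then
        echo file_missing
        return 0
    fi
    if out=$(openssl verify -CAfile "$cafile" "$certfile" 2>&1); then
        echo ok
        return 0
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo issuer_missing ;;
        *) echo other ;;
    esac
}

echo "right CA:  $(classify_verify "$WORK/ca.crt" "$WORK/client.crt")"
echo "wrong CA:  $(classify_verify "$WORK/other.crt" "$WORK/client.crt")"
echo "gone file: $(classify_verify "$WORK/ca.crt" "$WORK/radiusd.client.gone")"
```

A result of `issuer_missing` means the certificate named in -CAfile is not the one that signed the client certificate (compare the Issuer and Authority Key Identifier lines in the log with the CA file), while `file_missing` means the temp file was removed before the second verification ran.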
On Tuesday, 15 December 2020, 17:14:47 GMT+3, Kostya Berger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2.
Again, the very SAME configuration (certs etc.) has been running successfully on OpenBSD 6.6, but on 6.8 I'm getting the SSL error "unable to get local issuer certificate". A complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used successfully on another machine with Freeradius-3.0.21.
What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "04"
(5) eap_tls: TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls: TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls: TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
....
Brief summary: /tmp/radiusd IS writable by the _freeradius user -- I checked that explicitly by trying to write there as that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears the message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. I just don't remember that.
Thank you very much for your time!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html