Freeradius with lets encrypt certificate

André netriver at gmail.com
Wed Dec 30 19:31:03 CET 2020


Hello,

Problem solved by using openssl verify for debug and this link:
https://stackoverflow.com/questions/50803160/unable-to-openssl-verify-letsencrypt-certificate
And downloading the correct CA
and *ADDING* this CA https://www.identrust.com/dst-root-ca-x3 to a file
ca_file = file

to the mods-enabled/eap # tls-config tls-common {

Thank you all for your help.

Basically it looks like the root CA for Let's Encrypt changed.

Best regards,
Good 2021 year to all.

On Tue, Dec 29, 2020 at 7:47 PM Mark Elkins <mje at posix.co.za> wrote:

> No idea if this will help but...
>
> I just had a very similar issue with Exim... my mail system. I was using
> the wrong (old) intermediate certificate - which has worked for years.
>
> I use 'dehydrated' to obtain and renew my Let's Encrypt certs. They have
> just stopped cross signing - and that triggered my issue - at 2am on the
> 25th Dec.
>
> EXIM requires the current cert, an intermediate, as well as what's in
> /usr/share/ca-certificates/mozilla (they use/are "ISRG_Root_X1.crt")...
> "dehydrated" has a file in the 'cert' directory called "fullchain.pem" Look
> at the second Certificate it contains - the new intermediate.
>
> The intermediate is no longer....
>
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> ..... cut ....
> PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
>
> but (in full)
>
> Maybe your problem - otherwise please simply delete this email and ignore
> me.
>
>
> On 12/29/20 6:23 PM, André wrote:
>
> freeradius cloned from github: https://github.com/FreeRADIUS/freeradius-server
>
> Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL
> routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable
> to get issuer certificate
> Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
> Tue Dec 29 14:31:40 2020:
> /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation
> failed for module "eap.ttls"
>
> I'm using a Let's Encrypt certificate, but I'm getting this error message.
>
> What files should I be using for the cert?
>
> Best regards,
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.826010496 <+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
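The failure and the fix discussed in this thread can be reproduced offline with `openssl verify`. The following is an added example, not part of the original messages: it builds a constructed throw-away chain (root, intermediate, leaf) and checks the leaf first against a CA file holding only the intermediate, then against the same file with the root added. All subject and file names are made up; `ca_file.pem` stands in for whatever file `ca_file` points to in the eap module's tls-config.

```shell
#!/usr/bin/env bash
# Added example: constructed throw-away PKI (root -> intermediate -> leaf).
# Every subject name and file name below is made up for the demonstration.

build_pki() {  # $1 = empty working directory
  local d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/pki.cnf"
  # Self-signed root CA
  openssl req -config "$d/pki.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf $2 against CA bundle $1; prints openssl's verdict and returns its status.
check_chain() { openssl verify -CAfile "$1" "$2" 2>&1; }

demo() {
  local d; d=$(mktemp -d) || return 1
  build_pki "$d" || return 1
  echo "== CA file holds only the intermediate =="
  check_chain "$d/int.pem" "$d/leaf.pem"       # fails: the intermediate's issuer is missing
  echo "== root added to the same CA file =="
  cat "$d/int.pem" "$d/root.pem" > "$d/ca_file.pem"
  check_chain "$d/ca_file.pem" "$d/leaf.pem"   # chain now ends at a trusted root
  rm -rf "$d"
}
demo
```

Running the same `openssl verify -CAfile` check against the real server certificate and CA file before restarting the server shows a missing issuer without waiting for module instantiation to fail.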