OCSP Error: "Couldn't get issuer_cert" with EAP-TLS

Alan DeKok aland at deployingradius.com
Wed Mar 11 22:25:29 CET 2020

On Mar 11, 2020, at 10:32 AM, Barry Hesk <bhesk at hotmail.com> wrote:
> Be really grateful for some assistance in this setup:
> 1.       FreeRadius 3.0.16 running on Ubuntu 18.04 LTS
> 2.       I have enabled EAP-TLS and have this working. The certificates (CA, Server, Client) have been created and imported from Microsoft CA server.
> 3.       I have copied the CA certificate to /etc/freeradius/3.0/certs/root.pem and the server certificate / private key to /etc/freeradius/3.0/certs/radcert.pem

  That should work for EAP.  But... OpenSSL does magic internally with certificate chains.  It doesn't always make sense.   We have some code in FreeRADIUS to make OpenSSL *stop* doing crazy things.  :(

> Without OCSP enabled, everything works. I can authenticate from a Wireless Access Point using a client certificate and EAP-TLS.

  That's good.

> I have configured OCSP in my Microsoft PKI environment and confirmed it works using the inbuilt Microsoft tools and OCSP Responder. I can use the URL listed above ... to check the certificate validity outside of FreeRadius.
> When I enable OSCP on FreeRadius, I receive an error message on client authentication "Could not get issuer_cert". FreeRADIUS doesn't attempt to query the OCSP URL (confirmed by packet capture). I have run FreeRadius in debug mode, where I see the message. "BARRYE540.intrinsic-comms.co.uk" is the CN of the client side certificate.
> "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA. This is the certificate in the file /etc/freeradius/3.0/certs/root.pem
> This CA signed both my server certificate, and also the client certificate.

  My guess is that OpenSSL is unable to properly form the certificate chain.  Update the "certs/radcert.pem" file to include the CA cert, followed by the server cert.  Then, don't use ca_file.

  The hope is that OpenSSL will then be able to find the root CA, and then use it to do OCSP for the client cert.

  OpenSSL is wonderful in that it implements TLS.  And TLS is horribly complex.  But.... OpenSSL isn't easy to use.

  Alan DeKok.

More information about the Freeradius-Users mailing list