OCSP Error: "Couldn't get issuer_cert" with EAP-TLS

Barry Hesk bhesk at hotmail.com
Fri Mar 13 15:24:19 CET 2020

Hi Alan

Thanks very much for your response. I've been doing a lot more testing, but still having problems. The issue does seem to be with openssl as I get exactly the same issues if I use the openssl ocsp check directly. 

> My guess is that OpenSSL is unable to properly form the certificate chain.  Update the "certs/radcert.pem" file to include the CA cert, followed by the server cert.  Then, don't use ca_file.

 > The hope is that OpenSSL will then be able to find the root CA, and then use it to do OCSP for the client cert.

Tried this in various combinations. I can change the error messages I receive, but can't get it to work :-)

- Created an unencrypted pem file containing both the CA and Server cert (Server 1st, CA 2nd)
- created an encrypted pem with the server private key.
- In freedradius, pointed certificate_file at the combined unencrypted file and at the private key with the relevant password. Removed "ca_file" directive. 

"/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA certificate which is in the combined PEM file. 

FreeRadius starts ok, however can’t validate any certificates. 

(17) eap_tls: Creating attributes from certificate OIDs
(17) eap_tls:   TLS-Client-Cert-Serial := "61ab3a63000000000024"
(17) eap_tls:   TLS-Client-Cert-Expiration := "210311124806Z"
(17) eap_tls:   TLS-Client-Cert-Subject := "/CN=BARRYE540.intrinsic-comms.co.uk"
(17) eap_tls:   TLS-Client-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA"
(17) eap_tls:   TLS-Client-Cert-Common-Name := "BARRYE540.intrinsic-comms.co.uk"
(17) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "BARRYE540.intrinsic-comms.co.uk"
17) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
(17) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unknown_ca
(17) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(17) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(17) eap_tls: ERROR: System call (I/O) error (-1)
(17) eap_tls: ERROR: TLS receive handshake failed during operation
(17) eap_tls: ERROR: [eaptls process] = fail
(17) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

- Reinstated the "ca_file" directive - which is the identical certificate (CA only) in the combined CA/Server pem file. 

I can now validate certificates again, but ocsp fails in the same way as previously. 

- created an encrypted file containing server, CA, and private key. 

Fails in an identical way. If "ca_file" not configured, it totally fails. If "ca_file" is present, it validates the client certificate ok, but oscp fails. If "ca_file" is removed all validation fails. 

- swapped the order in my combined PEM file - putting the CA certificate 1st and the server certificate 2nd. 

FreeRADIUS refuses to start saying the private key (which is my server private key) doesn't match. 

Loads of fun :-)

I have a workaround - which is to copy the CRL files off my CA onto my FreeRadius server, convert them to the right format using openssl and then use "openssl verify" to do the CRL check. This does work however kind of defeats the point; I was trying to get OCSP to replace CRLs... 

Thanks again for your suggestions to this point. 


-----Original Message-----

More information about the Freeradius-Users mailing list