TLS with intermediate certificate issue

Alan DeKok aland at deployingradius.com
Mon Jul 25 14:38:09 UTC 2022


On Jul 25, 2022, at 10:21 AM, Young Yoon <yyoon99 at gmail.com> wrote:
> We're running into an issue where EAP-TLS authentication is failing due to
> the 'unable to get issuer certificate' error. This is only the case when
> freeRADIUS certificate was issued by the intermediate CA server (signed by
> the Root CA) and the client certificate was also issued by the intermediate
> CA server but Root CA installed on it. Note that Trusted CA (ca_file ==>
> external_ca.pem) in freeradius does NOT include the Root CA and it only
> has the CA cert that's issuing the certificate (intermediate certificate).
> 
> Snippet of eap configuration is as below (no CRL involved).

  http://wiki.freeradius.org/list-help

  We don't need to see the configuration.  All of the documentation says this.  Including the email you get when you join the list.

> 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Continuing ...

  We don't need to see "radiusd -Xxxxxxx" or whatever.  Just "radiusd -X".  Again, all of the documentation says to do this.

  The documentation is there for a reason.  If you follow it, you will not only solve problems more quickly, it will be easier for us to help you solve problems.

> 2022-07-25 09:02:25,558: ERROR: (259) eap_tls:   (TLS) OpenSSL says error 2
> : unable to get issuer certificate

  That's pretty clear.

> 2022-07-25 09:02:25,558: Debug: (259) eap_tls: (TLS) send TLS 1.2 Alert,
> fatal unknown_ca
> 
> 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) Alert
> write:fatal:unknown CA

  That's also clear.

  If you use 3.2.0, the error messages will be even better.

> The above example shows 'TLS-Cert-Issuer' is the root CA server which
> signed the intermediate certificate. A client was authenticating fine on
> freeRADIUS server running 3.0.21 but after we upgraded the freeRADIUS to
> 3.0.25, we're starting to see this issue (see above the debug). No
> configuration change in eap file between versions. If we install the 'root'
> certificate to 'ca_file' in 3.0.25 (not needed in 3.0.21 as it only required
> intermediate cert), then the client authentication started working.

  This is likely due to an OpenSSL change.

  But FreeRADIUS needs the CA certificate configured.  If you don't have the CA configured, then anything TLS just won't work.

> Is this known issue OR expected new behavior? If so, what would be the
> reason why it worked in 3.0.21 not in 3.0.25?

  If it's not due to an OpenSSL version change (and it often is), then the issue is somewhere in the change list from 3.0.21 to 3.0.25.  The source is available...

  Alan DeKok.
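
The "unable to get issuer certificate" failure discussed in this thread can be reproduced outside FreeRADIUS with the openssl command line. The script below is an added example, not part of the original messages: it builds a constructed Root CA, Intermediate CA and client certificate, then verifies the client certificate against a trust file holding only the intermediate and against one that also holds the root. All subjects and file names are made up, and the last check uses OpenSSL's `-partial_chain` flag only to show what the error means.

```shell
#!/bin/sh
# Constructed chain: Root CA -> Intermediate CA -> client certificate.
# Every subject and file name below is made up for this demonstration.

issue() {  # $1 = name, $2 = issuer name, $3 = extension section, $4 = CN
    openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$4" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 2 -extfile x.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
    (
        cd "$1" || exit 1
        printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
            '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
            '[v3_leaf]' 'basicConstraints = CA:FALSE' > x.cnf
        openssl req -x509 -config x.cnf -extensions v3_ca -newkey rsa:2048 \
            -nodes -days 2 -subj "/CN=Constructed Root CA" \
            -keyout root.key -out root.pem 2>/dev/null &&
        issue int root v3_ca "Constructed Intermediate CA" &&
        issue client int v3_leaf "constructed-client" &&
        cat int.pem root.pem > both.pem   # intermediate + root in one trust file
    )
}

verify_client() {  # $1 = working directory, $2 = trust file, rest = extra flags
    dir=$1; trust=$2; shift 2
    openssl verify "$@" -CAfile "$dir/$trust" "$dir/client.pem" 2>&1
}

work=$(mktemp -d) || exit 1
build_chain "$work" || { echo "chain generation failed" >&2; exit 1; }
echo "--- trust file holds only the intermediate:"
verify_client "$work" int.pem || true
echo "--- trust file holds intermediate + root:"
verify_client "$work" both.pem || true
echo "--- intermediate only, OpenSSL partial-chain verification enabled:"
verify_client "$work" int.pem -partial_chain || true
rm -rf "$work"
```

The first check fails at depth 1 with error 2, because OpenSSL finds the intermediate in the trust file but cannot find the certificate that issued it. The second check succeeds once the root is present.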


