TLS with intermediate certificate issue

Young Yoon yyoon99 at gmail.com
Tue Jul 26 14:21:28 UTC 2022


Thanks. I was able to get the log as instructed (but the message is being held
because it's too long).

I can confirm that there's no OpenSSL version change (1.1.1) in our product
and the only change is freeRADIUS 3.0.21 to 3.0.25.

Looks like the root CA (Microsoft private CA) is not being trusted by
default (as it was in 3.0.21) if using the intermediate certificate for TLS
auth. The simple workaround is just to install the root CA in the CA trust
store in freeRADIUS, but I'm just curious whether this behavior is going to
continue going forward or not.

Thanks for your help.

On Mon, Jul 25, 2022 at 10:38 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 25, 2022, at 10:21 AM, Young Yoon <yyoon99 at gmail.com> wrote:
> > We're running into an issue where EAP-TLS authentication is failing due to
> > the 'unable to get issuer certificate' error. This is only the case when the
> > freeRADIUS certificate was issued by the intermediate CA server (signed by
> > the Root CA) and the client certificate was also issued by the intermediate
> > CA server but has the Root CA installed on it. Note that the Trusted CA
> > (ca_file ==> external_ca.pem) in freeradius does NOT include the Root CA and
> > it only has the CA cert that's issuing the certificate (intermediate
> > certificate).
> >
> > A snippet of the eap configuration is below (no CRL involved).
>
>   http://wiki.freeradius.org/list-help
>
>   We don't need to see the configuration.  All of the documentation says
> this.  Including the email you get when you join the list.
>
> > 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Continuing ...
>
>   We don't need to see "radiusd -Xxxxxxx" or whatever.  Just "radiusd
> -X".  Again, all of the documentation says to do this.
>
>   The documentation is there for a reason.  If you follow it, you will not
> only solve problems more quickly, it will be easier for us to help you
> solve problems.
>
> > 2022-07-25 09:02:25,558: ERROR: (259) eap_tls:   (TLS) OpenSSL says error 2
> > : unable to get issuer certificate
>
>   That's pretty clear.
>
> > 2022-07-25 09:02:25,558: Debug: (259) eap_tls: (TLS) send TLS 1.2 Alert,
> > fatal unknown_ca
> >
> > 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) Alert
> > write:fatal:unknown CA
>
>   That's also clear.
>
>   If you use 3.2.0, the error messages will be even better.
>
> > The above example shows 'TLS-Cert-Issuer' is the root CA server which
> > signed the intermediate certificate. A client was authenticating fine on a
> > freeRADIUS server running 3.0.21, but after we upgraded freeRADIUS to
> > 3.0.25 we started to see this issue (see the debug output above). No
> > configuration change in the eap file between versions. If we install the
> > 'root' certificate in 'ca_file' in 3.0.25 (not needed in 3.0.21, as it only
> > required the intermediate cert), then the client authentication starts
> > working.
>
>   This is likely due to an OpenSSL change.
>
>   But FreeRADIUS needs the CA certificate configured.  If you don't have
> the CA configured, then anything TLS just won't work.
>
> > Is this a known issue OR expected new behavior? If so, what would be the
> > reason why it worked in 3.0.21 and not in 3.0.25?
>
>   If it's not due to an OpenSSL version change (and it often is), then the
> issue is somewhere in the change list from 3.0.21 to 3.0.25.  The source is
> available...
>
>   Alan DeKok.
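The chain-building failure discussed in this thread can be reproduced outside FreeRADIUS with the openssl command-line tool. The script below is an added example, not code from the thread or from the FreeRADIUS project. It builds a throwaway root CA, intermediate CA and end-entity certificate (every CA name and file name is made up for the demonstration) and then runs openssl verify with the trust-store layouts the thread talks about: intermediate only (the configuration that fails on 3.0.25), the same store with -partial_chain (OpenSSL's switch for accepting a non-self-signed certificate as a trust anchor), and root plus intermediate (the workaround). It assumes an openssl 1.1.1 or newer binary on PATH and a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeRADIUS project.
# Reproduces "unable to get issuer certificate" with a constructed PKI and shows
# which trust-store contents make the chain verify. Assumes the openssl CLI
# (1.1.1 or newer) is on PATH; every CA name and file name here is made up.

WORK="$(mktemp -d)"

# Build a throwaway chain: root CA -> intermediate CA -> end-entity certificate.
build_test_pki() (
    mkdir -p "$WORK" && cd "$WORK" || exit 1
    # Extensions that mark a certificate as a CA (used for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

    # Self-signed root CA (plays the role of the private root CA in the thread).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1 || exit 1

    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout int.key -out int.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1 || exit 1

    # End-entity certificate (RADIUS server or EAP-TLS client), issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout ee.key -out ee.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in ee.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out ee.pem >/dev/null 2>&1 || exit 1

    # The trust store after the thread's workaround: root and intermediate together.
    cat root.pem int.pem > ca_with_root.pem
)

# Succeeds only when openssl verify prints "<file>: OK" for the end-entity cert.
check_ok() {
    openssl verify "$@" "$WORK/ee.pem" 2>&1 | grep -q ': OK$'
}

# Case 1: ca_file holds only the intermediate (the situation that fails in the thread).
verify_intermediate_only() { check_ok -CAfile "$WORK/int.pem"; }

# Case 2: same store, but the verifier may stop at a non-self-signed trust anchor.
verify_intermediate_partial_chain() { check_ok -CAfile "$WORK/int.pem" -partial_chain; }

# Case 3: the workaround from the thread: the root CA is added to the trust store.
verify_with_root_in_store() { check_ok -CAfile "$WORK/ca_with_root.pem"; }

# Case 4: only the root is trusted; the intermediate is supplied as an untrusted
# chain certificate, the way a TLS peer would send it in its handshake.
verify_root_store_untrusted_intermediate() {
    check_ok -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem"
}

# The verifier's reason text for case 1 (the thread's "OpenSSL says error 2").
failure_reason() {
    openssl verify -CAfile "$WORK/int.pem" "$WORK/ee.pem" 2>&1 \
        | grep -o 'unable to get issuer certificate' | head -n 1
}

cleanup_test_pki() { rm -rf "$WORK"; }

# Run the demonstration when executed directly.
build_test_pki || { echo "could not build test PKI"; exit 1; }
echo "intermediate-only store rejects the chain: $(failure_reason)"
for scenario in verify_intermediate_only verify_intermediate_partial_chain \
                verify_with_root_in_store verify_root_store_untrusted_intermediate; do
    if "$scenario"; then echo "$scenario: OK"; else echo "$scenario: rejected"; fi
done
cleanup_test_pki
```

With OpenSSL's default verification settings a chain has to end at a self-signed certificate that is present in the trust store; a store holding only the intermediate is not enough, and the verifier stops with error 2, "unable to get issuer certificate", which is what the server then turns into the fatal unknown_ca alert seen in the log. Putting the root into ca_file is the fix the thread arrives at; the -partial_chain case (X509_V_FLAG_PARTIAL_CHAIN in the library API) only illustrates what an intermediate-only store would need the verifier to accept, it is not a claim about how either FreeRADIUS version configures OpenSSL.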