Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Wed Aug 2 13:07:03 UTC 2023


On Wed, 2 Aug 2023 at 14:27, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 2, 2023, at 3:18 AM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >> a) put certificates into the folder (and rehash as necessary)
> >
> > So I have both intermediate-ca.pem and ca.pem in the folder, do I need
> > to c_rehash it? (in eap file rehash is mentioned only for CA and CRL)
>
>   An intermediate CA is still a CA.  You still need to run c_rehash.
>
> >> b) put the certificates into one file in order
> >
> > Do you mean like "cat intermediate-ca.pem ca.pem > int-ca_ca.pem"?
>
>   See mods-available/eap, "certificate_file".  It has lots of comments.
>
> >>  What may be happening is that you don't have the intermediate certificate.  i.e. only the end-user device has them.  So perhaps double-check that.
> >
> > I do have the intermediate-ca.pem in the same folder as ca.pem, but
> > don't know if I need to add something in the eap config file to let
> > freeradius know it.
>
>   An intermediate CA is still a CA.  All CAs go into "ca_path".
>
>   Alan DeKok.

In the config:

ca_file points to ca.pem
ca_path points to the folder containing both ca.pem and intermediate.pem

#  When using "ca_file" or "ca_path", the
#  "certificate_file" should contain only
#  "server.pem".  And then you may (or may not) need
#  to set "auto_chain", depending on your version of
#  OpenSSL.

certificate_file points to server.pem

auto_chain is set to "yes"

SSL version is 3.0.9

I ran c_rehash on the folder with the certs and restarted freeradius, but in
debug I still see the same warnings:

Warning: Certificate chain - 1 cert(s) untrusted
Warning: (TLS) untrusted certificate with depth [1] subject name
/C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA
Warning: (TLS) untrusted certificate with depth [0] subject name
/C=PL/ST=MyState/O=MyOrg/CN=client
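
Added example, not part of the original post or of FreeRADIUS: a way to test a "ca_path"-style directory with OpenSSL directly, outside the server. It builds a constructed, throwaway root, intermediate and client certificate, then shows the client failing verification while only the root is in the hashed directory and passing once the intermediate is copied in and the directory is rehashed. The function names, file layout and the "Demo Root CA" subject are assumptions, and `openssl rehash` (OpenSSL 1.1.0 or later) is used in place of the `c_rehash` script.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> client (names are assumptions).
make_pki() {  # $1 = working directory; the CA directory is $1/certs
    w=$1
    mkdir -p "$w/certs" &&
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$w/ssl.cnf" &&
    # Self-signed root, placed straight into the CA directory.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$w/ssl.cnf" \
        -extensions v3_ca -subj "/C=PL/O=MyOrg/CN=Demo Root CA" -days 2 \
        -keyout "$w/ca.key" -out "$w/certs/ca.pem" 2>/dev/null &&
    # Intermediate CA signed by the root; kept OUTSIDE the CA directory for now.
    openssl req -new -newkey rsa:2048 -nodes -config "$w/ssl.cnf" \
        -subj "/C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA" \
        -keyout "$w/int.key" -out "$w/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$w/int.csr" -CA "$w/certs/ca.pem" -CAkey "$w/ca.key" \
        -set_serial 2 -extfile "$w/ssl.cnf" -extensions v3_ca -days 2 \
        -out "$w/intermediate-ca.pem" 2>/dev/null &&
    # Client certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$w/ssl.cnf" \
        -subj "/C=PL/ST=MyState/O=MyOrg/CN=client" \
        -keyout "$w/client.key" -out "$w/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$w/client.csr" -CA "$w/intermediate-ca.pem" \
        -CAkey "$w/int.key" -set_serial 3 -days 2 -out "$w/client.pem" 2>/dev/null
}

# Rebuild the hash symlinks, then verify certificate $2 against directory $1.
check_chain() {
    openssl rehash "$1" >/dev/null 2>&1 &&
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    t=$(mktemp -d) && make_pki "$t" || return 1
    check_chain "$t/certs" "$t/client.pem" && echo "root only: trusted" \
        || echo "root only: untrusted"
    cp "$t/intermediate-ca.pem" "$t/certs/"
    check_chain "$t/certs" "$t/client.pem" && echo "root + intermediate: trusted" \
        || echo "root + intermediate: untrusted"
    ls -l "$t/certs"   # one <hash>.0 symlink per CA certificate
    rm -rf "$t"
}
demo
```

Running `check_chain` against the real certificate directory and a client certificate shows whether OpenSSL on its own can build the chain from the hashed files.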

