Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 05:32:54 UTC 2023


On Fri, 4 Aug 2023, 12:46, Maciej Kowalka <maciejkowalkati at gmail.com>
wrote:

>
> On Thu, 3 Aug 2023, 20:29, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com>
>> wrote:
>> > Ok, to check if my certificates are not ok I've tried the certificates
>> > that are created during installation of freeradius and I get the same
>> > warning about the untrusted certs.
>>
>>   Then something else is going wrong.  The default configuration and
>> certificates do not use any intermediate certs.  And the server is
>> configured to trust the certs.
>>
>> > Are they supposed to work correctly, without any problems?
>> > Or it might be an openssl bug? When I use openssl command to check
>> > certificates I get no errors, all are verified "ok".
>>
>>   Something is broken in your local system.  I don't know what.
>>
>>   For now, just ignore the errors.
>>
>>   Alan DeKok.
>>
>
> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
> same warning as on the current machine.
>
> I also installed freeradius 3.0 on a CentOS 7 but on it I don't get any
> warning, even with my intermediate CA certs.
> So I think it might be something with the OS or the radius itself. I'll
> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>

To summarize, I've tested 4 different Linux systems and freeradius
configurations for eap-tls:

- Debian 12 and freeradius 3.2.3 default configuration and default certs
give warnings,

- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
configuration and certs also give warnings,

- CentOS 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
or my certs work without warnings,

- Rocky Linux 9.2 with freeradius 3.2.3 gives the warnings.

Only on CentOS 7 I don't get the certificate chain untrusted warning.
All the systems are freshly installed with just changed default
authentication to eap and added switch to clients.

Is the package for CentOS in any special way different than the rest?

Maciej
