Certificate chain untrusted

Gerald Vogt vogt at spamcop.net
Tue Aug 8 05:36:20 UTC 2023


On 08.08.23 07:32, Maciej Kowalka wrote:
> On Fri, 4 Aug 2023, 12:46, Maciej Kowalka <maciejkowalkati at gmail.com>
> wrote:
> 
>>
>> On Thu, 3 Aug 2023, 20:29, Alan DeKok <aland at deployingradius.com>
>> wrote:
>>
>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com>
>>> wrote:
>>>> Ok, to check if my certificates are not ok I've tried the certificates
>>> that
>>>> are created during installation of freeradius and I get the same warning
>>>> about the untrusted certs.
>>>
>>>    Then something else is going wrong.  The default configuration and
>>> certificates do not use any intermediate certs.  And the server is
>>> configured to trust the certs.
>>>
>>>> Are they supposed to work correctly, without any problems?
>>>> Or it might be an openssl bug? When I use openssl command to check
>>>> certificates I get no errors, all are verified "ok".
>>>
>>>    Something is broken in your local system.  I don't know what.
>>>
>>>    For now, just ignore the errors.
>>>
>>>    Alan DeKok.
>>>
>>
>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
>> same warning as on current machine.
>>
>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>> warning, even with my intermediate CA certs.
>> So I think it might be something with the OS or the radius itself. I'll
>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>>
> 
> To summarize, I've tested 4 different Linux systems and freeradius
> configurations for eap-tls:
> 
> - Debian 12 and freeradius 3.2.3 default configuration and default certs
> gives warnings,
> 
> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
> configuration and certs also gives warnings,
> 
> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
> or my certs works without warnings,
> 
> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
> 
> Only on centos 7 I don't get the certificate chain untrusted warning.
> All the systems are freshly installed with just changed default
> authentication to eap and added switch to clients.
> 
> Is the package for Centos in any special way different than the rest?

Each operating system uses a different version of openssl...

Gerald


