Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 06:46:13 UTC 2023


On Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:

> On 08.08.23 07:32, Maciej Kowalka wrote:
> > On Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >
> >>
> >> On Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
> >>
> >>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com>
> >>> wrote:
> >>>> Ok, to check if my certificates are not ok I've tried the certificates that
> >>>> are created during installation of freeradius and I get the same warning
> >>>> about the untrusted certs.
> >>>
> >>>    Then something else is going wrong.  The default configuration and
> >>> certificates do not use any intermediate certs.  And the server is
> >>> configured to trust the certs.
> >>>
> >>>> Are they supposed to work correctly, without any problems?
> >>>> Or it might be an openssl bug? When I use openssl command to check
> >>>> certificates I get no errors, all are verified "ok".
> >>>
> >>>    Something is broken in your local system.  I don't know what.
> >>>
> >>>    For now, just ignore the errors.
> >>>
> >>>    Alan DeKok.
> >>>
> >>
> >> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
> >> same warning as on current machine.
> >>
> >> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
> >> warning, even with my intermediate CA certs.
> >> So I think it might be something with the OS or the radius itself. I'll
> >> try running freeradius 3.0 on Ubuntu to check if it has the same result.
> >>
> >
> > To summarize, I've tested 4 different Linux systems and freeradius
> > configurations for eap-tls:
> >
> > - Debian 12 and freeradius 3.2.3 default configuration and default certs
> > gives warnings,
> >
> > - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
> > configuration and certs also gives warnings,
> >
> > - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
> > or my certs works without warnings,
> >
> > - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
> >
> > Only on centos 7 I don't get the certificate chain untrusted warning.
> > All the systems are freshly installed with just changed default
> > authentication to eap and added switch to clients.
> >
> > Is the package for Centos in any special way different than the rest?
>
> Each operating system uses a different version of openssl...
>
> Gerald
>

They do use different openssl versions,
Debian - 3.0.9
Ubuntu - 3.0.2
Rocky - 3.0.7
Centos - 1.0.2k later upgraded to 3.0.0

Can you share what version of openssl should be used? If that makes
a difference?

Maciej


More information about the Freeradius-Users mailing list