Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 09:27:22 UTC 2023


On Tue, 8 Aug 2023 at 08:46, Maciej Kowalka <maciejkowalkati at gmail.com>
wrote:

> On Tue, 8 Aug 2023 at 07:36, Gerald Vogt <vogt at spamcop.net> wrote:
>
>> On 08.08.23 07:32, Maciej Kowalka wrote:
>> > On Fri, 4 Aug 2023 at 12:46, Maciej Kowalka <maciejkowalkati at gmail.com>
>> > wrote:
>> >
>> >>
>> >> On Thu, 3 Aug 2023 at 20:29, Alan DeKok <aland at deployingradius.com>
>> >> wrote:
>> >>
>> >>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com>
>> >>> wrote:
>> >>>> Ok, to check if my certificates are not ok I've tried the certificates
>> >>>> that are created during installation of freeradius and I get the same
>> >>>> warning about the untrusted certs.
>> >>>
>> >>>    Then something else is going wrong.  The default configuration and
>> >>> certificates do not use any intermediate certs.  And the server is
>> >>> configured to trust the certs.
>> >>>
>> >>>> Are they supposed to work correctly, without any problems?
>> >>>> Or it might be an openssl bug? When I use openssl command to check
>> >>>> certificates I get no errors, all are verified "ok".
>> >>>
>> >>>    Something is broken in your local system.  I don't know what.
>> >>>
>> >>>    For now, just ignore the errors.
>> >>>
>> >>>    Alan DeKok.
>> >>>
>> >>
>> >> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
>> >> same warning as on current machine.
>> >>
>> >> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>> >> warning, even with my intermediate CA certs.
>> >> So I think it might be something with the OS or the radius itself. I'll
>> >> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>> >>
>> >
>> > To summarize, I've tested 4 different Linux systems and freeradius
>> > configurations for eap-tls:
>> >
>> > - Debian 12 and freeradius 3.2.3 default configuration and default certs
>> > gives warnings,
>> >
>> > - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
>> > configuration and certs also gives warnings,
>> >
>> > - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
>> > or my certs works without warnings,
>> >
>> > - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
>> >
>> > Only on centos 7 I don't get the certificate chain untrusted warning.
>> > All the systems are freshly installed with just changed default
>> > authentication to eap and added switch to clients.
>> >
>> > Is the package for Centos in any special way different than the rest?
>>
>> Each operating system uses a different version of openssl...
>>
>> Gerald
>>
>
> They do use different openssl versions,
> Debian - 3.0.9
> Ubuntu - 3.0.2
> Rocky - 3.0.7
> Centos - 1.0.2k later upgraded to 3.0.0
>
> Can you share what version of openssl should be used? If that makes
> a difference?
>

Ok, so I've installed openssl 1.0.2k on Ubuntu and I still get the same
warnings.
Now the only difference is the OS itself.

Maciej
