Certificate chain untrusted

Gerald Vogt vogt at spamcop.net
Tue Aug 8 10:26:00 UTC 2023


On 08.08.23 11:27, Maciej Kowalka wrote:
> Tue, 8 Aug 2023, 08:46 Maciej Kowalka <maciejkowalkati at gmail.com>
> wrote:
> 
>> Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:
>>
>>> On 08.08.23 07:32, Maciej Kowalka wrote:
>>>> Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>>>>
>>>>>
>>>>> Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
>>>>>
>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
>>>>>>> are created during installation of freeradius and I get the same warning
>>>>>>> about the untrusted certs.
>>>>>>
>>>>>>     Then something else is going wrong.  The default configuration and
>>>>>> certificates do not use any intermediate certs.  And the server is
>>>>>> configured to trust the certs.
>>>>>>
>>>>>>> Are they supposed to work correctly, without any problems?
>>>>>>> Or it might be an openssl bug? When I use openssl command to check
>>>>>>> certificates I get no errors, all are verified "ok".
>>>>>>
>>>>>>     Something is broken in your local system.  I don't know what.
>>>>>>
>>>>>>     For now, just ignore the errors.
>>>>>>
>>>>>>     Alan DeKok.
>>>>>>
>>>>>
>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
>>>>> same warning as on current machine.
>>>>>
>>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>>>>> warning, even with my intermediate CA certs.
>>>>> So I think it might be something with the OS or the radius itself. I'll
>>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>>>>>
>>>>
>>>> To summarize, I've tested 4 different Linux systems and freeradius
>>>> configurations for eap-tls:
>>>>
>>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
>>>> gives warnings,
>>>>
>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
>>>> configuration and certs also gives warnings,
>>>>
>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
>>>> or my certs works without warnings,
>>>>
>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
>>>>
>>>> Only on centos 7 I don't get the certificate chain untrusted warning.
>>>> All the systems are freshly installed with just changed default
>>>> authentication to eap and added switch to clients.
>>>>
>>>> Is the package for Centos in any special way different than the rest?
>>>
>>> Each operating system uses a different version of openssl...
>>>
>>> Gerald
>>>
>>
>> They do use different openssl version,
>> Debian - 3.0.9
>> Ubuntu - 3.0.2
>> Rocky - 3.0.7
>> Centos - 1.0.2k later upgraded to 3.0.0
>>
>> Can you share what version of openssl should be used? If that makes
>> difference?
>>
> 
> Ok, so I've installed openssl 1.0.2k on Ubuntu and I still get the same
> warnings.
> Now the only difference is the OS itself.

You are aware that installing some version and using it are two
different things? Did you verify that freeradius is actually using that
version?

-Gerald
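
One way to answer that question on Linux, as an added example that is not part of the original message: list the libssl/libcrypto files a running process actually has mapped, from `/proc/<pid>/maps`. The function names and the sample mapping lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which OpenSSL shared objects a
# running process has mapped, which is what "actually using" means at runtime.

# Read /proc/<pid>/maps-format text on stdin and print the unique paths of
# libssl/libcrypto. A trailing "(deleted)" is kept: it means the process still
# runs a library file that was replaced on disk and needs a restart.
tls_libs_from_maps() {
    awk '$6 ~ "/lib(ssl|crypto)[.]so" {
             p = $6
             if ($7 != "") p = p " " $7
             print p
         }' | sort -u
}

# Constructed sample of maps lines for a server linked against OpenSSL 3.
sample_maps() {
    cat <<'EOF'
55d0e0000000-55d0e0010000 r--p 00000000 fd:01 140000 /usr/sbin/freeradius
7f1c2a000000-7f1c2a0a0000 r--p 00000000 fd:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1c2a0a0000-7f1c2a0f0000 r-xp 000a0000 fd:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1c2b000000-7f1c2b400000 r--p 00000000 fd:01 131200 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f1c2c000000-7f1c2c020000 r--p 00000000 fd:01 131100 /usr/lib/x86_64-linux-gnu/libc.so.6
EOF
}

# Report for a live process; needs permission to read its maps file.
report_pid() {
    pid=$1
    if [ ! -r "/proc/$pid/maps" ]; then
        echo "cannot read /proc/$pid/maps" >&2
        return 1
    fi
    tls_libs_from_maps < "/proc/$pid/maps"
}

# Usage: script.sh <pid of the running server>; with no argument, run the sample.
if [ -n "${1:-}" ]; then
    report_pid "$1"
else
    sample_maps | tls_libs_from_maps
fi
```

If a separately installed OpenSSL build does not appear in this list, the server is still loading the distribution's library, whatever the `openssl` command on the PATH reports.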
