Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 10:39:00 UTC 2023


Tue, 8 Aug 2023, 12:26 Gerald Vogt <vogt at spamcop.net> wrote:

> On 08.08.23 11:27, Maciej Kowalka wrote:
> > Tue, 8 Aug 2023, 08:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >
> >> Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:
> >>
> >>> On 08.08.23 07:32, Maciej Kowalka wrote:
> >>>> Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>>>
> >>>>>
> >>>>> Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
> >>>>>
> >>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
> >>>>>>> are created during installation of freeradius and I get the same warning
> >>>>>>> about the untrusted certs.
> >>>>>>
> >>>>>>     Then something else is going wrong.  The default configuration and
> >>>>>> certificates do not use any intermediate certs.  And the server is
> >>>>>> configured to trust the certs.
> >>>>>>
> >>>>>>> Are they supposed to work correctly, without any problems?
> >>>>>>> Or it might be an openssl bug? When I use openssl command to check
> >>>>>>> certificates I get no errors, all are verified "ok".
> >>>>>>
> >>>>>>     Something is broken in your local system.  I don't know what.
> >>>>>>
> >>>>>>     For now, just ignore the errors.
> >>>>>>
> >>>>>>     Alan DeKok.
> >>>>>>
> >>>>>
> >>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
> >>>>> same warning as on current machine.
> >>>>>
> >>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
> >>>>> warning, even with my intermediate CA certs.
> >>>>> So I think it might be something with the OS or the radius itself. I'll
> >>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
> >>>>>
> >>>>
> >>>> To summarize, I've tested 4 different Linux systems and freeradius
> >>>> configurations for eap-tls:
> >>>>
> >>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
> >>>> gives warnings,
> >>>>
> >>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
> >>>> configuration and certs also gives warnings,
> >>>>
> >>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
> >>>> or my certs works without warnings,
> >>>>
> >>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
> >>>>
> >>>> Only on centos 7 I don't get the certificate chain untrusted warning.
> >>>> All the systems are freshly installed with just changed default
> >>>> authentication to eap and added switch to clients.
> >>>>
> >>>> Is the package for Centos in any special way different than the rest?
> >>>
> >>> Each operating system uses a different version of openssl...
> >>>
> >>> Gerald
> >>>
> >>
> >> They do use different openssl version,
> >> Debian - 3.0.9
> >> Ubuntu - 3.0.2
> >> Rocky - 3.0.7
> >> Centos - 1.0.2k later upgraded to 3.0.0
> >>
> >> Can you share what version of openssl should be used? If that makes
> >> difference?
> >>
> >
> > Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same
> > warnings.
> > Now the only difference is the os itself
>
> You are aware, that installing some version and using it are two
> different things? Did you verify that freeradius is actually using that
> version?
>
> -Gerald
>

I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
the $PATH, ran the openssl version command and it returned the 1.0.2k version.
I don't know what else I could do.

Maciej
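
Gerald's question in the quoted reply (is freeradius actually using that version?) can be checked directly: the `openssl` command on $PATH is a separate program from the libssl/libcrypto shared libraries a dynamically linked server loads. The script below is an added example, not part of the original thread; the two sample texts are constructed, and the PID or binary path given on the command line is the reader's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list the OpenSSL shared libraries a
# program links against or has mapped. The `openssl` CLI on $PATH is a
# separate binary and does not decide which libssl a server loads.

# Read `ldd` output or /proc/<pid>/maps text on stdin and print the unique
# libssl/libcrypto paths found in it (NSS's libssl3.so is deliberately skipped).
tls_libs_from_text() {
    grep -oE '/[^ ]*/lib(ssl|crypto)\.so[^ ]*' | sort -u
}

# Libraries the dynamic linker resolves for a binary on disk.
tls_libs_of_binary() {
    ldd "$1" 2>/dev/null | tls_libs_from_text
}

# Libraries a running process has mapped right now (needs read access to
# /proc/<pid>/maps, so usually root for a daemon).
tls_libs_of_pid() {
    tls_libs_from_text < "/proc/$1/maps"
}

# Constructed sample of /proc/<pid>/maps lines, used for offline checking.
SAMPLE_MAPS='7f10a0000000-7f10a001f000 r--p 00000000 08:01 1311  /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a001f000-7f10a007c000 r-xp 0001f000 08:01 1311  /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a0200000-7f10a02b2000 r--p 00000000 08:01 1305  /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f10a0800000-7f10a0828000 r--p 00000000 08:01 1290  /usr/lib/x86_64-linux-gnu/libc.so.6'

# Constructed sample of `ldd` output from a host with OpenSSL 1.0.2-era sonames.
SAMPLE_LDD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f2b3c000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f2b3bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b3b800000)'

# Usage: script <pid-or-binary-path>...   (does nothing when run with no arguments)
for target in "$@"; do
    echo "openssl CLI on PATH: $(command -v openssl || echo none)"
    if [ -d "/proc/$target" ]; then
        echo "pid $target has mapped:"; tls_libs_of_pid "$target"
    else
        echo "$target links against:"; tls_libs_of_binary "$target"
    fi
done
```

If the paths printed for the server process differ from the library directory of the `openssl` binary that `openssl version` ran, the CLI test says nothing about what the server uses.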
