Certificate chain untrusted

marki jm+freeradiususer at roth.lu
Tue Aug 8 10:46:14 UTC 2023


I admit I didn't read the entire history of this thread but running openssl via the command line vs using an application (here: freeradius) (dynamically) linked against the openssl *libraries* is something very different. 

On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>Tue, 8 Aug 2023, 12:26 Gerald Vogt <vogt at spamcop.net> wrote:
>
>> On 08.08.23 11:27, Maciej Kowalka wrote:
>> > Tue, 8 Aug 2023, 08:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >
>> >> Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:
>> >>
>> >>> On 08.08.23 07:32, Maciej Kowalka wrote:
>> >>>> Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >>>>
>> >>>>>
>> >>>>> Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
>> >>>>>
>> >>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >>>>>>> Ok, to check if my certificates are not ok I've tried the certificates
>> >>>>>>> that are created during installation of freeradius and I get the same
>> >>>>>>> warning about the untrusted certs.
>> >>>>>>
>> >>>>>>     Then something else is going wrong.  The default configuration and
>> >>>>>> certificates do not use any intermediate certs.  And the server is
>> >>>>>> configured to trust the certs.
>> >>>>>>
>> >>>>>>> Are they supposed to work correctly, without any problems?
>> >>>>>>> Or it might be an openssl bug? When I use openssl command to check
>> >>>>>>> certificates I get no errors, all are verified "ok".
>> >>>>>>
>> >>>>>>     Something is broken in your local system.  I don't know what.
>> >>>>>>
>> >>>>>>     For now, just ignore the errors.
>> >>>>>>
>> >>>>>>     Alan DeKok.
>> >>>>>>
>> >>>>>
>> >>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get
>> >>>>> the same warning as on current machine.
>> >>>>>
>> >>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>> >>>>> warning, even with my intermediate CA certs.
>> >>>>> So I think it might be something with the OS or the radius itself. I'll
>> >>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>> >>>>>
>> >>>>
>> >>>> To summarize, I've tested 4 different Linux systems and freeradius
>> >>>> configurations for eap-tls:
>> >>>>
>> >>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
>> >>>> gives warnings,
>> >>>>
>> >>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
>> >>>> configuration and certs also gives warnings,
>> >>>>
>> >>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
>> >>>> or my certs works without warnings,
>> >>>>
>> >>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
>> >>>>
>> >>>> Only on centos 7 I don't get the certificate chain untrusted warning.
>> >>>> All the systems are freshly installed with just changed default
>> >>>> authentication to eap and added switch to clients.
>> >>>>
>> >>>> Is the package for Centos in any special way different than the rest?
>> >>>
>> >>> Each operating system uses a different version of openssl...
>> >>>
>> >>> Gerald
>> >>>
>> >>
>> >> They do use different openssl version,
>> >> Debian - 3.0.9
>> >> Ubuntu - 3.0.2
>> >> Rocky - 3.0.7
>> >> Centos - 1.0.2k later upgraded to 3.0.0
>> >>
>> >> Can you share what version of openssl should be used? If that makes
>> >> difference?
>> >>
>> >
>> > Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same
>> > warnings.
>> > Now the only difference is the os itself
>>
>> You are aware, that installing some version and using it are two
>> different things? Did you verify that freeradius is actually using that
>> version?
>>
>> -Gerald
>>
>
>I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
>the $PATH, run openssl version command and it returned the 1.0.2k version,
>I don't know what else could I do.
>
>Maciej
>
>>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
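
The check Gerald asks for above ("Did you verify that freeradius is actually using that version?"), as an added example that is not part of the original thread or of FreeRADIUS: it compares the branch reported by `openssl version` with the `libssl`/`libcrypto` sonames a binary links. The function names, the sample `ldd` output, the binary path and the version string are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the `openssl` CLI match the library a daemon links?

# Constructed sample of `ldd /usr/sbin/freeradius` output (path is an assumption).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0a1f2000)
	libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f10a2b40000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f10a2600000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f10a2200000)'

# Reduce ldd output on stdin to "soname path" for libssl and libcrypto.
linked_tls_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# OpenSSL release branch implied by a library soname.
soname_branch() {
    case "$1" in
        lib*.so.3)                 echo "3.x" ;;
        lib*.so.1.1)               echo "1.1.x" ;;
        lib*.so.10|lib*.so.1.0.*)  echo "1.0.x" ;;  # .so.10 is the RHEL/CentOS 7 name
        *)                         echo "unknown" ;;
    esac
}

# OpenSSL release branch implied by one line of `openssl version` output.
cli_branch() {
    printf '%s\n' "$1" | awk '{ split($2, v, ".")
        if (v[1] >= 3) print v[1] ".x"; else print v[1] "." v[2] ".x" }'
}

# $1 = `openssl version` output, stdin = ldd output. Succeeds only when at
# least one TLS library is linked and all of them are on the CLI's branch.
cli_matches_linked() {
    want=$(cli_branch "$1")
    linked_tls_libs | {
        seen=0; bad=0
        while read -r soname path; do
            seen=1
            if [ "$(soname_branch "$soname")" != "$want" ]; then
                echo "MISMATCH: CLI is $want, binary loads $path" >&2
                bad=1
            fi
        done
        [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
    }
}

# Constructed scenario: the CLI on $PATH reports 1.0.2k, the binary links libssl.so.3.
printf '%s\n' "$SAMPLE_LDD" | cli_matches_linked 'OpenSSL 1.0.2k  26 Jan 2017' \
    || echo "the CLI on \$PATH is not the library this binary loads"
```

On a live host, pipe `ldd` of the installed server binary into `cli_matches_linked "$(openssl version)"`; a failure with no MISMATCH line means `ldd` listed no libssl or libcrypto for that binary.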

