Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 11:08:39 UTC 2023


You might be right, the openssl I installed might not be used by
freeradius. I'm not a Linux expert nor a freeradius expert, I'm just
trying different stuff to make it work, currently without success. So if
that's the case, would the openssl be broken in 3 versions, 3.0.9, 3.0.7 and
3.0.2, that are downloaded with freeradius? Or how do I check the version
of openssl used by freeradius?


On Tue, 8 Aug 2023, 12:46 marki <jm+freeradiususer at roth.lu> wrote:

> I admit I didn't read the entire history of this thread but running
> openssl via the command line vs using an application (here: freeradius)
> (dynamically) linked against the openssl *libraries* is something very
> different.
>
> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <
> maciejkowalkati at gmail.com> wrote:
> >On Tue, 8 Aug 2023, 12:26 Gerald Vogt <vogt at spamcop.net> wrote:
> >
> >> On 08.08.23 11:27, Maciej Kowalka wrote:
> >> > On Tue, 8 Aug 2023, 08:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >> >
> >> >> On Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:
> >> >>
> >> >>> On 08.08.23 07:32, Maciej Kowalka wrote:
> >> >>>> On Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >> >>>>
> >> >>>>>
> >> >>>>> On Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
> >> >>>>>
> >> >>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >> >>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
> >> >>>>>>> are created during installation of freeradius and I get the same warning
> >> >>>>>>> about the untrusted certs.
> >> >>>>>>
> >> >>>>>>     Then something else is going wrong.  The default configuration and
> >> >>>>>> certificates do not use any intermediate certs.  And the server is
> >> >>>>>> configured to trust the certs.
> >> >>>>>>
> >> >>>>>>> Are they supposed to work correctly, without any problems?
> >> >>>>>>> Or it might be an openssl bug? When I use openssl command to check
> >> >>>>>>> certificates I get no errors, all are verified "ok".
> >> >>>>>>
> >> >>>>>>     Something is broken in your local system.  I don't know what.
> >> >>>>>>
> >> >>>>>>     For now, just ignore the errors.
> >> >>>>>>
> >> >>>>>>     Alan DeKok.
> >> >>>>>>
> >> >>>>>
> >> >>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
> >> >>>>> same warning as on current machine.
> >> >>>>>
> >> >>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
> >> >>>>> warning, even with my intermediate CA certs.
> >> >>>>> So I think it might be something with the OS or the radius itself. I'll
> >> >>>>> try running freeradius 3.0 on Ubuntu to check if has the same result.
> >> >>>>>
> >> >>>>
> >> >>>> To summarize, I've tested 4 different Linux systems and freeradius
> >> >>>> configurations for eap-tls:
> >> >>>>
> >> >>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
> >> >>>> gives warnings,
> >> >>>>
> >> >>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
> >> >>>> configuration and certs also gives warnings,
> >> >>>>
> >> >>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
> >> >>>> or my certs works without warnings,
> >> >>>>
> >> >>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
> >> >>>>
> >> >>>> Only on centos 7 I don't get the certificate chain untrusted warning.
> >> >>>> All the systems are freshly installed with just changed default
> >> >>>> authentication to eap and added switch to clients.
> >> >>>>
> >> >>>> Is the package for Centos in any special way different than the rest?
> >> >>>
> >> >>> Each operating system uses a different version of openssl...
> >> >>>
> >> >>> Gerald
> >> >>>
> >> >>
> >> >> They do use different openssl version,
> >> >> Debian - 3.0.9
> >> >> Ubuntu - 3.0.2
> >> >> Rocky - 3.0.7
> >> >> Centos - 1.0.2k later upgraded to 3.0.0
> >> >>
> >> >> Can you share what version of openssl should be used? If that makes
> >> >> difference?
> >> >>
> >> >
> >> > Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same
> >> > warnings.
> >> > Now the only difference is the os itself
> >>
> >> You are aware, that installing some version and using it are two
> >> different things? Did you verify that freeradius is actually using that
> >> version?
> >>
> >> -Gerald
> >>
> >
> >I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
> >the $PATH, run openssl version command and it returned the 1.0.2k version,
> >I don't know what else could I do.
> >
> >Maciej
> >
> >>
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
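
Added example, not part of the original thread: the distinction raised above (the `openssl` command on `$PATH` versus the OpenSSL libraries a server binary is dynamically linked against) can be checked by reading `ldd` output for `libssl`/`libcrypto`. The function names, the sample `ldd` output and all paths in it are constructed for illustration; the binary name passed to `linked_ssl_libs` (for example `radiusd` or `freeradius`) depends on the distribution.

```shell
#!/bin/sh
# Added example: which OpenSSL *library* does a binary load at run time?
# Replacing the `openssl` CLI on $PATH does not change this.

# Read `ldd` output on stdin; print "soname resolved-path" for libssl/libcrypto.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Succeed only if every libssl/libcrypto entry in the ldd output (stdin)
# resolves under the given prefix, e.g. where a custom build was installed.
all_ssl_libs_under() {
    prefix=$1
    ssl_libs_from_ldd | awk -v p="$prefix/" '
        { n++; if (index($2, p) != 1) bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Constructed ldd output for illustration; paths and addresses are made up.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libfreeradius-server.so => /usr/lib/freeradius/libfreeradius-server.so (0x00007f1c2a400000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c2a350000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c29e00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
EOF
}

# Live check against a real binary: linked_ssl_libs "$(command -v radiusd)"
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | ssl_libs_from_ldd
}

# Demo on the constructed sample: the binary loads the distribution's 3.x
# libraries, regardless of any other openssl build placed earlier on $PATH.
sample_ldd | ssl_libs_from_ldd
if sample_ldd | all_ssl_libs_under /usr/local/ssl/lib; then
    echo "binary uses the custom OpenSSL build"
else
    echo "binary does NOT use the custom OpenSSL build"
fi
```

In the sample, both libraries resolve to the system directory, so a separately installed 1.0.2k command-line tool would have no effect on what the server uses for TLS.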

