Certificate chain untrusted

Coy Hile coy.hile at coyhile.com
Tue Aug 8 11:22:12 UTC 2023


Try ldd on the binary? To use a nonstandard path for those libraries may require an option passed to configure.

-c


> On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> 
> You might be right, the openssl I installed might not be used by
> freeradius. I'm not a Linux expert nor a freeradius expert, I'm just
> trying different stuff to make it work, currently without success. So if
> that's the case, would the openssl be broken in 3 versions, 3.0.9, 3.0.7 and
> 3.0.2, that are downloaded with freeradius? Or how do I check the version
> of openssl used by freeradius?
> 
> 
> On Tue, 8 Aug 2023, 12:46, marki <jm+freeradiususer at roth.lu> wrote:
> 
>> I admit I didn't read the entire history of this thread but running
>> openssl via the command line vs using an application (here: freeradius)
>> (dynamically) linked against the openssl *libraries* is something very
>> different.
>> 
>>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <
>>> maciejkowalkati at gmail.com> wrote:
>>> On Tue, 8 Aug 2023, 12:26, Gerald Vogt <vogt at spamcop.net> wrote:
>>> 
>>>> On 08.08.23 11:27, Maciej Kowalka wrote:
>>>>> On Tue, 8 Aug 2023, 08:46, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>>>>> 
>>>>>> On Tue, 8 Aug 2023, 07:36, Gerald Vogt <vogt at spamcop.net> wrote:
>>>>>> 
>>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote:
>>>>>>>> On Fri, 4 Aug 2023, 12:46, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Thu, 3 Aug 2023, 20:29, Alan DeKok <aland at deployingradius.com> wrote:
>>>>>>>>> 
>>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
>>>>>>>>>>> are created during installation of freeradius and I get the same warning
>>>>>>>>>>> about the untrusted certs.
>>>>>>>>>> 
>>>>>>>>>>    Then something else is going wrong.  The default configuration and
>>>>>>>>>> certificates do not use any intermediate certs.  And the server is
>>>>>>>>>> configured to trust the certs.
>>>>>>>>>> 
>>>>>>>>>>> Are they supposed to work correctly, without any problems?
>>>>>>>>>>> Or it might be an openssl bug? When I use openssl command to check
>>>>>>>>>>> certificates I get no errors, all are verified "ok".
>>>>>>>>>> 
>>>>>>>>>>    Something is broken in your local system.  I don't know what.
>>>>>>>>>> 
>>>>>>>>>>    For now, just ignore the errors.
>>>>>>>>>> 
>>>>>>>>>>    Alan DeKok.
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
>>>>>>>>> same warning as on current machine.
>>>>>>>>> 
>>>>>>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>>>>>>>>> warning, even with my intermediate CA certs.
>>>>>>>>> So I think it might be something with the OS or the radius itself. I'll
>>>>>>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius
>>>>>>>> configurations for eap-tls:
>>>>>>>> 
>>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
>>>>>>>> gives warnings,
>>>>>>>> 
>>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
>>>>>>>> configuration and certs also gives warnings,
>>>>>>>> 
>>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
>>>>>>>> or my certs works without warnings,
>>>>>>>> 
>>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
>>>>>>>> 
>>>>>>>> Only on centos 7 I don't get the certificate chain untrusted warning.
>>>>>>>> All the systems are freshly installed with just changed default
>>>>>>>> authentication to eap and added switch to clients.
>>>>>>>> 
>>>>>>>> Is the package for Centos in any special way different than the rest?
>>>>>>> 
>>>>>>> Each operating system uses a different version of openssl...
>>>>>>> 
>>>>>>> Gerald
>>>>>>> 
>>>>>> 
>>>>>> They do use different openssl versions,
>>>>>> Debian - 3.0.9
>>>>>> Ubuntu - 3.0.2
>>>>>> Rocky - 3.0.7
>>>>>> Centos - 1.0.2k later upgraded to 3.0.0
>>>>>> 
>>>>>> Can you share what version of openssl should be used? If that makes
>>>>>> a difference?
>>>>>> 
>>>>> 
>>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I still get the same
>>>>> warnings.
>>>>> Now the only difference is the os itself
>>>> 
>>>> You are aware, that installing some version and using it are two
>>>> different things? Did you verify that freeradius is actually using that
>>>> version?
>>>> 
>>>> -Gerald
>>>> 
>>> 
>>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
>>> the $PATH, ran the openssl version command and it returned the 1.0.2k version,
>>> I don't know what else I could do.
>>> 
>>> Maciej
>>> 
>>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
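
One way to carry out the `ldd` check suggested at the top of this message, as an added example that is not from the thread: the dynamic loader resolves `libssl`/`libcrypto` by soname, independently of which `openssl` command comes first in `$PATH`. The sample `ldd` output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Reads `ldd` output and reports which OpenSSL shared
# libraries the dynamic loader resolves for a binary.

# Constructed sample of `ldd` output (paths and addresses are made up).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a5f2000)
	libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c2a400000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c29e00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29a00000)'

# Map a library soname to the OpenSSL release series it belongs to.
openssl_series() {
    case "$1" in
        lib*.so.3)                 echo "3.x" ;;
        lib*.so.1.1)               echo "1.1.x" ;;
        lib*.so.1.0.*|lib*.so.10)  echo "1.0.x" ;;
        *)                         echo "unknown" ;;
    esac
}

# Filter ldd output on stdin: one "soname series path" line per
# libssl/libcrypto entry; unresolved libraries get the path MISSING.
linked_openssl() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             print $1, ($3 == "not" ? "MISSING" : $3)
         }' |
    while read -r soname path; do
        echo "$soname $(openssl_series "$soname") $path"
    done
}

# Live use: pass the server binary, e.g. the result of `command -v freeradius`
# (Debian/Ubuntu) or `command -v radiusd` (CentOS/Rocky).
check_binary() {
    ldd "$1" | linked_openssl
}
```

A `3.x` series in the output while `openssl version` prints 1.0.2k means the server still loads the distribution's OpenSSL 3 libraries, whatever the command-line tool reports.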

