Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Tue Aug 8 11:42:23 UTC 2023


It returned libssl.so.3 so I assume it still uses the original openssl.
That's unfortunate. Any other ideas what to check/change?

Maciej

On Tue, 8 Aug 2023 at 13:22, Coy Hile <coy.hile at coyhile.com> wrote:

> Try ldd on the binary? To use a nonstandard path for those libraries may
> require option passed to configure
>
> -c
>
> Sent from my iPhone
>
> > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >
> > You might be right, the openssl I installed might not be used by
> > freeradius, I'm not a Linux expert nor a freeradius expert, I'm just
> > trying different stuff to make it work, currently without success. So if
> > that's the case would the openssl be broken in 3 versions 3.0.9 3.0.7 and
> > 3.0.2? That are downloaded with freeradius? Or how do I check the version
> > of openssl used by freeradius?
> >
> >
> > On Tue, 8 Aug 2023 at 12:46, marki <jm+freeradiususer at roth.lu> wrote:
> >
> >> I admit I didn't read the entire history of this thread but running
> >> openssl via the command line vs using an application (here: freeradius)
> >> (dynamically) linked against the openssl *libraries* is something very
> >> different.
> >>
> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>> On Tue, 8 Aug 2023 at 12:26, Gerald Vogt <vogt at spamcop.net> wrote:
> >>>
> >>>> On 08.08.23 11:27, Maciej Kowalka wrote:
> >>>>> On Tue, 8 Aug 2023 at 08:46, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>>>>
> >>>>>> On Tue, 8 Aug 2023 at 07:36, Gerald Vogt <vogt at spamcop.net> wrote:
> >>>>>>
> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote:
> >>>>>>>> On Fri, 4 Aug 2023 at 12:46, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Thu, 3 Aug 2023 at 20:29, Alan DeKok <aland at deployingradius.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
> >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
> >>>>>>>>>>> are created during installation of freeradius and I get the same warning
> >>>>>>>>>>> about the untrusted certs.
> >>>>>>>>>>
> >>>>>>>>>>    Then something else is going wrong.  The default configuration and
> >>>>>>>>>> certificates do not use any intermediate certs.  And the server is
> >>>>>>>>>> configured to trust the certs.
> >>>>>>>>>>
> >>>>>>>>>>> Are they supposed to work correctly, without any problems?
> >>>>>>>>>>> Or it might be an openssl bug? When I use openssl command to check
> >>>>>>>>>>> certificates I get no errors, all are verified "ok".
> >>>>>>>>>>
> >>>>>>>>>>    Something is broken in your local system.  I don't know what.
> >>>>>>>>>>
> >>>>>>>>>>    For now, just ignore the errors.
> >>>>>>>>>>
> >>>>>>>>>>    Alan DeKok.
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
> >>>>>>>>> same warning as on current machine.
> >>>>>>>>>
> >>>>>>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
> >>>>>>>>> warning, even with my intermediate CA certs.
> >>>>>>>>> So I think it might be something with the OS or the radius itself. I'll
> >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius
> >>>>>>>> configurations for eap-tls:
> >>>>>>>>
> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
> >>>>>>>> gives warnings,
> >>>>>>>>
> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
> >>>>>>>> configuration and certs also gives warnings,
> >>>>>>>>
> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
> >>>>>>>> or my certs works without warnings,
> >>>>>>>>
> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
> >>>>>>>>
> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted warning.
> >>>>>>>> All the systems are freshly installed with just changed default
> >>>>>>>> authentication to eap and added switch to clients.
> >>>>>>>>
> >>>>>>>> Is the package for Centos in any special way different than the rest?
> >>>>>>>
> >>>>>>> Each operating system uses a different version of openssl...
> >>>>>>>
> >>>>>>> Gerald
> >>>>>>>
> >>>>>>
> >>>>>> They do use different openssl versions,
> >>>>>> Debian - 3.0.9
> >>>>>> Ubuntu - 3.0.2
> >>>>>> Rocky - 3.0.7
> >>>>>> Centos - 1.0.2k later upgraded to 3.0.0
> >>>>>>
> >>>>>> Can you share what version of openssl should be used? If that makes
> >>>>>> difference?
> >>>>>>
> >>>>>
> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I still get the same
> >>>>> warnings.
> >>>>> Now the only difference is the os itself
> >>>>
> >>>> You are aware, that installing some version and using it are two
> >>>> different things? Did you verify that freeradius is actually using that
> >>>> version?
> >>>>
> >>>> -Gerald
> >>>>
> >>>
> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
> >>> the $PATH, run openssl version command and it returned the 1.0.2k version,
> >>> I don't know what else I could do.
> >>>
> >>> Maciej
> >>>
> >>>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
>
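
The check discussed in this thread (which OpenSSL library a binary is linked against, versus what the `openssl` command on `$PATH` reports), as an added example that is not part of the original messages. The function names and the sample `ldd` and `openssl version` strings are constructed for illustration; the binary name in the usage comment is an assumption and differs between distributions.

```shell
#!/bin/sh
# Added example: compare the libssl a binary is linked against with the
# openssl CLI on PATH. All sample data below is constructed.

# Read `ldd` output on stdin; print "soname path" for libssl/libcrypto
# ("not found" when the dynamic loader cannot resolve the library).
linked_tls_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        if ($3 == "not") print $1, "not found"; else print $1, $3
    }'
}

# Map a soname to its OpenSSL series (libssl.so.10 is the Red Hat 1.0.x soname).
soname_series() {
    case "$1" in
        lib*.so.3)                echo 3 ;;
        lib*.so.1.1)              echo 1.1 ;;
        lib*.so.1.0.*|lib*.so.10) echo 1.0 ;;
        *)                        echo unknown ;;
    esac
}

# Map the first line of `openssl version` output to the same series names.
cli_series() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        3.*) echo 3 ;; 1.1.*) echo 1.1 ;; 1.0.*) echo 1.0 ;; *) echo unknown ;;
    esac
}

# check_match LDD_OUTPUT CLI_VERSION: report whether both refer to one series.
check_match() {
    lib=$(printf '%s\n' "$1" | linked_tls_libs | awk '$1 ~ /^libssl/ { print $1; exit }')
    [ -n "$lib" ] || { echo "NO_LIBSSL"; return 2; }
    if [ "$(soname_series "$lib")" = "$(cli_series "$2")" ]; then
        echo "MATCH $lib"
    else
        echo "MISMATCH $lib"; return 1
    fi
}

# Constructed sample: binary linked against 3.x while PATH holds a 1.0.2k CLI.
SAMPLE_LDD='	libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f0000000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000800000)'
SAMPLE_CLI='OpenSSL 1.0.2k  26 Jan 2017'
check_match "$SAMPLE_LDD" "$SAMPLE_CLI" || true

# Real use (binary name is an assumption):
#   check_match "$(ldd "$(command -v freeradius)")" "$(openssl version)"
```

A `MISMATCH` result means that checks made with the `openssl` command are running different library code than the daemon uses.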

