Certificate chain untrusted

Maciej Kowalka maciejkowalkati at gmail.com
Thu Aug 10 08:31:58 UTC 2023


Can anyone point me to where the openssl command and files are passed
from freeradius to openssl when it does its verification? Maybe it's
using wrong syntax or the files are not passed correctly so the openssl
doesn't acknowledge their existence.

Maciej

On Tue, 8 Aug 2023, 13:42 Maciej Kowalka <maciejkowalkati at gmail.com>
wrote:

> It returned libssl.so.3 so I assume it still uses the original openssl.
> That's unfortunate. Any other ideas what to check/change?
>
> Maciej
>
> On Tue, 8 Aug 2023, 13:22 Coy Hile <coy.hile at coyhile.com> wrote:
>
>> Try ldd on the binary? To use a nonstandard path for those libraries may
>> require option passed to configure
>>
>> -c
>>
>> Sent from my iPhone
>>
>> > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >
>> > You might be right, the openssl I installed might not be used by
>> > freeradius, I'm not a Linux expert nor a freeradius expert, I'm just
>> > trying different stuff to make it work, currently without success. So if
>> > that's the case would the openssl be broken in 3 versions 3.0.9 3.0.7 and
>> > 3.0.2? That are downloaded with freeradius? Or how do I check the
>> > version of openssl used by freeradius?
>> >
>> >
>> > On Tue, 8 Aug 2023, 12:46 marki <jm+freeradiususer at roth.lu> wrote:
>> >
>> >> I admit I didn't read the entire history of this thread but running
>> >> openssl via the command line vs using an application (here: freeradius)
>> >> (dynamically) linked against the openssl *libraries* is something very
>> >> different.
>> >>
>> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <
>> >>> maciejkowalkati at gmail.com> wrote:
>> >>> On Tue, 8 Aug 2023, 12:26 Gerald Vogt <vogt at spamcop.net> wrote:
>> >>>
>> >>>> On 08.08.23 11:27, Maciej Kowalka wrote:
>> >>>>> On Tue, 8 Aug 2023, 08:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >>>>>
>> >>>>>> On Tue, 8 Aug 2023, 07:36 Gerald Vogt <vogt at spamcop.net> wrote:
>> >>>>>>
>> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote:
>> >>>>>>>> On Fri, 4 Aug 2023, 12:46 Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> On Thu, 3 Aug 2023, 20:29 Alan DeKok <aland at deployingradius.com> wrote:
>> >>>>>>>>>
>> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati at gmail.com> wrote:
>> >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the certificates that
>> >>>>>>>>>>> are created during installation of freeradius and I get the same warning
>> >>>>>>>>>>> about the untrusted certs.
>> >>>>>>>>>>
>> >>>>>>>>>>    Then something else is going wrong.  The default configuration and
>> >>>>>>>>>> certificates do not use any intermediate certs.  And the server is
>> >>>>>>>>>> configured to trust the certs.
>> >>>>>>>>>>
>> >>>>>>>>>>> Are they supposed to work correctly, without any problems?
>> >>>>>>>>>>> Or it might be an openssl bug? When I use openssl command to check
>> >>>>>>>>>>> certificates I get no errors, all are verified "ok".
>> >>>>>>>>>>
>> >>>>>>>>>>    Something is broken in your local system.  I don't know what.
>> >>>>>>>>>>
>> >>>>>>>>>>    For now, just ignore the errors.
>> >>>>>>>>>>
>> >>>>>>>>>>    Alan DeKok.
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the
>> >>>>>>>>> same warning as on current machine.
>> >>>>>>>>>
>> >>>>>>>>> I also installed freeradius 3.0 on a centos 7 but on it I don't get any
>> >>>>>>>>> warning, even with my intermediate CA certs.
>> >>>>>>>>> So I think it might be something with the OS or the radius itself. I'll
>> >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if it has the same result.
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius
>> >>>>>>>> configurations for eap-tls:
>> >>>>>>>>
>> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default certs
>> >>>>>>>> gives warnings,
>> >>>>>>>>
>> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock
>> >>>>>>>> configuration and certs also gives warnings,
>> >>>>>>>>
>> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs
>> >>>>>>>> or my certs works without warnings,
>> >>>>>>>>
>> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
>> >>>>>>>>
>> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted warning.
>> >>>>>>>> All the systems are freshly installed with just changed default
>> >>>>>>>> authentication to eap and added switch to clients.
>> >>>>>>>>
>> >>>>>>>> Is the package for Centos in any special way different than the rest?
>> >>>>>>>
>> >>>>>>> Each operating system uses a different version of openssl...
>> >>>>>>>
>> >>>>>>> Gerald
>> >>>>>>>
>> >>>>>>
>> >>>>>> They do use different openssl version,
>> >>>>>> Debian - 3.0.9
>> >>>>>> Ubuntu - 3.0.2
>> >>>>>> Rocky - 3.0.7
>> >>>>>> Centos - 1.0.2k later upgraded to 3.0.0
>> >>>>>>
>> >>>>>> Can you share what version of openssl should be used? If that makes
>> >>>>>> difference?
>> >>>>>>
>> >>>>>
>> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I still get the same
>> >>>>> warnings.
>> >>>>> Now the only difference is the os itself
>> >>>>
>> >>>> You are aware, that installing some version and using it are two
>> >>>> different things? Did you verify that freeradius is actually using that
>> >>>> version?
>> >>>>
>> >>>> -Gerald
>> >>>>
>> >>>
>> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to
>> >>> the $PATH, run openssl version command and it returned the 1.0.2k version,
>> >>> I don't know what else could I do.
>> >>>
>> >>> Maciej
>> >>>
>> >>>>
>> >>> -
>> >>> List info/subscribe/unsubscribe? See
>> >> http://www.freeradius.org/list/users.html
>
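
Added example, not part of the original thread: the situation discussed above (the `openssl` CLI on `$PATH` reporting 1.0.2k while `ldd` on the server binary shows `libssl.so.3`) turned into a repeatable check. The `ldd` sample is constructed, and the daemon binary name in the final comment is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ldd` output for a daemon linked against OpenSSL 3
# (library paths and load addresses are made up for illustration).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c2a400000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c29e00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)'

# Read ldd-format text on stdin; print "soname resolved-path" for each
# OpenSSL shared library the binary will load at run time.
linked_openssl() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Map a libssl soname to an OpenSSL release series.
# libssl.so.10 is the soname RHEL/CentOS 7 use for their 1.0.x packages.
soname_series() {
    case "$1" in
        libssl.so.3*)                 echo "3.x" ;;
        libssl.so.1.1*)               echo "1.1.x" ;;
        libssl.so.1.0*|libssl.so.10*) echo "1.0.x" ;;
        *)                            echo "unknown" ;;
    esac
}

# Map `openssl version` output to the same series labels.
cli_series() {
    case "$1" in
        "OpenSSL 3."*)   echo "3.x" ;;
        "OpenSSL 1.1."*) echo "1.1.x" ;;
        "OpenSSL 1.0."*) echo "1.0.x" ;;
        *)               echo "unknown" ;;
    esac
}

# $1 = `openssl version` text, stdin = ldd text for the daemon binary.
compare_cli_to_linked() {
    soname=$(linked_openssl | awk '$1 ~ /^libssl/ { print $1; exit }')
    lib=$(soname_series "$soname")
    cli=$(cli_series "$1")
    if [ "$lib" = "$cli" ]; then echo "MATCH $lib"
    else echo "MISMATCH cli=$cli linked=$lib"; fi
}

# Constructed case: CLI on $PATH is 1.0.2k, daemon still links libssl.so.3.
printf '%s\n' "$SAMPLE_LDD" | compare_cli_to_linked "OpenSSL 1.0.2k  26 Jan 2017"
# On a live host (binary name is an assumption; Debian/Ubuntu call it freeradius):
#   ldd "$(command -v radiusd)" | compare_cli_to_linked "$(openssl version)"
```

A MISMATCH result means certificate checks done with the command-line tool say nothing about the library version the server verifies with.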

