EAP-TLS unable to get local issuer certificate
MH
h33927318 at gmail.com
Thu Jun 8 05:37:30 UTC 2023
As I wrote in my first post, "openssl verify" command outputs that client
certificate is trusted. I think that without specifying "-CAFile" in
"openssl verify" it looks for trusted CAs in default locations.
So it works with or without -CAFile (i.e default OS system CA store and
custom CA store).
I expect FreeRadius does the same since it uses OpenSSL.
I did run strace on "openssl verify" and I saw very clearly what files are
examined for trusted CAs (it extracts IssuerName from client cert, hash it
and then search for filename with that hash in trusted CA stores).
I tried that same approach with "strace freeradius -fxxx" + "eapol_test
..." and did not find any similar output (just accessing server certificate
and key but not any other *.PEM).
Regarding the debug output: that's it.
All relevant attributes from client certificate are shown and then bump
"Warning: Certificate chain - 1 cert(s) untrusted", "Warning: (TLS)
untrusted certificate with depth 0".
st 7. 6. 2023 o 9:34 Alan DeKok <aland at deployingradius.com> napísal(a):
> On Jun 7, 2023, at 9:28 AM, MH <h33927318 at gmail.com> wrote:
> >
> > But there's already ca_cert in wpa_supplicant configuration.
>
> So there's nothing wrong with the configuration, and it works?
>
> Or, maybe there's something wrong with the configuration. Because it
> doesn't work.
>
> The error is "fatal: unknown CA". The only solution is to make sure
> that the CA is known.
>
> Maybe the problem is that the client certificate is issued by a CA that
> the server doesn't know. It's difficulty to tell, because you've
> "helpfully" removed nearly all of the debug output. The documentation for
> FreeRADIUS says to post all of the debug output. For precisely this reason.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list