Trouble with OCSP
Orion Poplawski
orion at nwra.com
Wed Dec 4 15:03:31 UTC 2024
Hello,
We set up OCSP validation on our FreeRADIUS servers a while back, and it
had been working great until yesterday, when we started seeing errors like:
Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Alert
write:fatal:internal error
Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Server :
Error in error
Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Failed
reading from OpenSSL
Dec 03 14:03:09 radiusd[109894]: (437) Login incorrect (eap_tls: ocsp:
Couldn't get OCSP response): [HOSTNAME]
We discovered some errors on our Windows OCSP responders due to
configuration certificates expiring and resolved that.
However, even after that, Windows machines are unable to authenticate.
Running in debug mode we see:

Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name
/CN=staff01.ad.nwra.com
(14) eap_tls: Starting OCSP Request
(14) eap_tls: WARNING: (TLS) ocsp: No OCSP URL in certificate, falling
back to configured URL
(14) eap_tls: ocsp: Using responder URL "http://ocsp.ad.nwra.com:80/ocsp/"
(14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response
(14) eap_tls: ERROR: (TLS) ocsp: Certificate has been expired/revoked
(14) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
(14) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
(14) eap_tls: ERROR: (TLS) Server : Error in error
(14) eap_tls: ERROR: (TLS) Failed reading from OpenSSL
(14) eap_tls: ERROR: (TLS) error:13800070:OCSP routines::root ca not trusted
(14) eap_tls: ERROR: (TLS) error:0A000086:SSL routines::certificate
verify failed
(14) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(14) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(14) eap_tls: ERROR: [eaptls process] = fail
(14) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
We have 3 certificates in the FreeRADIUS ca_file configuration - an AD
CA cert that is expiring in about 18 months, a new AD CA cert that was
issued in October, and an IPA CA cert - and that's been the case since
the new AD CA cert was issued. That should cover all of the
certificates issued internally, so I don't see why radiusd is
complaining about an untrusted cert.
Running openssl ocsp checks against the Windows OCSP responders works fine.
I'm at a loss. Any ideas, things to check?
The ocsp config is simply enable = yes, plus the fallback url
shown above.
This is with
freeradius-3.0.20-15.module_el8.10.0+3873+5b7fed0f.x86_64
freeradius-3.0.21-40.el9_4.x86_64
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
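One way to reproduce the "root ca not trusted" failure in the debug output above outside radiusd, as an added example that is not part of the original post or of the FreeRADIUS project. The string in the log is OpenSSL's own OCSP_R_ROOT_CA_NOT_TRUSTED, which OCSP_basic_verify raises when the certificate that signed the response is neither the issuer of the certificate being checked nor a delegated responder (OCSPSigning EKU) issued by that issuer, and the root of the responder's own chain is not explicitly trusted for OCSP signing. Having that root in the trust bundle as a plain CA certificate is not enough. The script below builds two throwaway CAs, a client certificate from the first, and two delegated responder certificates (one from each CA), answers an OCSP request offline with openssl ocsp in responder mode, and verifies the responses against a bundle that trusts both roots. The CA names, serial numbers, index entry and file names are all invented for the demonstration; it needs only a POSIX shell and the openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS.
# Rebuilds OpenSSL's "root ca not trusted" OCSP failure offline: a client
# cert from one CA, checked against a response signed by a responder
# certificate that a different CA issued. Every name here is made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so nothing depends on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

make_ca() {  # $1 = CA name -> $1.key, $1.crt (self-signed)
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$1" -days 365 -config ext.cnf -extensions v3_ca 2>/dev/null
}

issue() {  # $1 = name, $2 = issuing CA, $3 = extension section, $4 = serial
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" -config ext.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$4" \
        -days 365 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

make_ca ca-old                              # CA that issued the client cert
make_ca ca-new                              # second CA, also in the bundle
issue client   ca-old v3_client 0x1001      # certificate being authenticated
issue ocsp-old ca-old v3_ocsp   0x2001      # responder delegated by ca-old
issue ocsp-new ca-new v3_ocsp   0x2002      # responder delegated by ca-new
cat ca-old.crt ca-new.crt > bundle.pem      # both roots trusted, like ca_file

# Constructed openssl responder index: status, expiry, revocation date,
# serial (hex, as openssl ca writes it), file, DN.
printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=client\n' > index.txt

# Offline round trip: build a request, answer it from the index file with
# the given responder certificate, and write the DER response.
openssl ocsp -issuer ca-old.crt -cert client.crt -no_nonce -reqout req.der 2>/dev/null
respond() {  # $1 = responder name, $2 = output file
    openssl ocsp -index index.txt -CA ca-old.crt -rsigner "$1.crt" -rkey "$1.key" \
        -reqin req.der -respout "$2" >/dev/null 2>&1
}
respond ocsp-old resp-old.der
respond ocsp-new resp-new.der

# Verify a response the way a relying party does and classify the outcome.
ocsp_verify() {  # $1 = response, $2 = trust bundle, rest = extra openssl ocsp args
    resp=$1; ca=$2; shift 2
    out=$(openssl ocsp -issuer ca-old.crt -cert client.crt -respin "$resp" \
        -CAfile "$ca" -no_nonce "$@" 2>&1 || true)
    case $out in
        *"Response verify OK"*)  echo OK ;;
        *"root ca not trusted"*) echo ROOT_CA_NOT_TRUSTED ;;
        *)                       echo OTHER_FAILURE ;;
    esac
}

# 1. Responder delegated by the issuing CA: accepted.
ocsp_verify resp-old.der bundle.pem
# 2. Responder delegated by the other CA: "root ca not trusted", although
#    ca-new is in the bundle, because it did not issue client.crt and is not
#    explicitly trusted for OCSP signing.
ocsp_verify resp-new.der bundle.pem
# 3a. Trust that responder certificate directly (-VAfile, OCSP_TRUSTOTHER).
ocsp_verify resp-new.der bundle.pem -VAfile ocsp-new.crt
# 3b. Or carry an explicit OCSPSigning trust setting on the second root.
openssl x509 -in ca-new.crt -addtrust OCSPSigning -out ca-new-trusted.pem
cat ca-old.crt ca-new-trusted.pem > bundle-trusted.pem
ocsp_verify resp-new.der bundle-trusted.pem
```

ocsp_verify prints OK for the responder issued by ca-old, ROOT_CA_NOT_TRUSTED for the one issued by ca-new, and OK again once that responder certificate is trusted directly or the second root carries the OCSPSigning trust attribute. Against a real responder, the useful check is to compare the issuer of the certificate that signed the response (openssl ocsp -resp_text prints the certificates embedded in the response) with the issuer of the client certificate that failed: if they differ, verification is taking the branch shown in case 2, and a bundle of plain CA certificates will reject the response no matter how many CAs it contains.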