Trouble with OCSP

Orion Poplawski orion at nwra.com
Wed Dec 4 16:53:06 UTC 2024


On 12/4/24 08:03, orion at nwra.com wrote:
> Hello,
> 
> We set up OCSP validation on our FreeRADIUS servers a while back and it 
> had been working great until yesterday when we started seeing errors like:
> 
> Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
> Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Server : Error in error
> Dec 03 14:03:09 radiusd[109894]: (437) eap_tls: ERROR: (TLS) Failed reading from OpenSSL
> Dec 03 14:03:09 radiusd[109894]: (437) Login incorrect (eap_tls: ocsp: Couldn't get OCSP response): [HOSTNAME]
> 
> We discovered some errors on our Windows OCSP responders due to 
> configuration certificates expiring and resolved that.
> 
> 
> However, even after that Windows machines are unable to authenticate. 
> Running in debug mode we see:
> 
> Certificate chain - 1 cert(s) untrusted
> (TLS) untrusted certificate with depth [0] subject name /CN=staff01.ad.nwra.com
> (14) eap_tls: Starting OCSP Request
> (14) eap_tls: WARNING: (TLS) ocsp: No OCSP URL in certificate, falling back to configured URL
> (14) eap_tls: ocsp: Using responder URL "http://ocsp.ad.nwra.com:80/ocsp/"
> (14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response
> (14) eap_tls: ERROR: (TLS) ocsp: Certificate has been expired/revoked
> (14) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
> (14) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
> (14) eap_tls: ERROR: (TLS) Server : Error in error
> (14) eap_tls: ERROR: (TLS) Failed reading from OpenSSL
> (14) eap_tls: ERROR: (TLS) error:13800070:OCSP routines::root ca not trusted
> (14) eap_tls: ERROR: (TLS) error:0A000086:SSL routines::certificate verify failed
> (14) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
> (14) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
> (14) eap_tls: ERROR: [eaptls process] = fail
> (14) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
> 
> 
> We have 3 certificates in the FreeRADIUS ca_file configuration - an AD 
> CA cert that is expiring in about 18 months, a new AD CA cert that was 
> issued in October, and an IPA CA cert - and that's been the case since 
> the new AD CA cert was issued.  That should cover all of the 
> certificates issued internally, so I don't see why radiusd is 
> complaining about an untrusted cert.
> 
> Running openssl ocsp checks against the Windows OCSP responders works fine.

I think it is just having trouble with ocsp checks of certs issued by 
the older AD CA cert.  Here is a successful check of an IPA issued cert:

Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /O=NWRA.COM/CN=Certificate Authority
(TLS) untrusted certificate with depth [0] subject name /O=NWRA.COM/CN=FQDN
(6) eap_tls: Starting OCSP Request
(6) eap_tls: ocsp: Using responder URL "http://ipa-ca.nwra.com:80/ca/ocsp"
         This Update: Dec  4 15:50:19 2024 GMT
(6) eap_tls: ocsp: Cert status: good
(6) eap_tls: ocsp: Certificate is valid

It also has the message about untrusted certs (although it also mentions 
the CA cert - so maybe the Windows clients don't provide it?), so that 
does not seem particularly relevant.  I guess the key then is:

(14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response

But why?  openssl doesn't complain:

$ openssl ocsp -issuer /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt -cert orionad.crt -url http://ocsp.ad.nwra.com/ocsp
Response verify OK
orionad.crt: good
         This Update: Dec  3 17:50:03 2024 GMT
         Next Update: Dec  5 06:10:03 2024 GMT



-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/