Trouble with OCSP
Alan DeKok
aland at deployingradius.com
Wed Dec 4 17:40:52 UTC 2024
On Dec 4, 2024, at 11:53 AM, Orion Poplawski <orion at nwra.com> wrote:
> I think it is just having trouble with ocsp checks of certs issued by the older AD CA cert. Here is a successful check of an IPA issued cert:
> ..
> It also has the message about untrusted certs (although it also mentions the CA cert - so maybe the windows clients don't provide it?), so that does not seem particularly relevant. I guess the key then is:
>
> (14) eap_tls: ERROR: ocsp: Couldn't verify OCSP basic response
>
> But why? openssl doesn't complain:
We call an OpenSSL function to do the OCSP verification, and that function returns "failed". Why? OpenSSL magic.
i.e. OpenSSL doesn't give FreeRADIUS any reason why. There's just a "failed" response. No error result, nothing useful which we can print.
> $ openssl ocsp -issuer /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt -cert orionad.crt -url http://ocsp.ad.nwra.com/ocsp
> Response verify OK
> orionad.crt: good
> This Update: Dec 3 17:50:03 2024 GMT
> Next Update: Dec 5 06:10:03 2024 GMT
You're passing the issuer here, though. OpenSSL needs the *entire* certificate chain for verification. If it only has an intermediate certificate, then it will fail.
So did you add the issuer certificate to the FreeRADIUS configuration? i.e. put it into "ca_path".
Alan DeKok.
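Added example (my own, not code from the thread and not FreeRADIUS or OpenSSL project code): the script below builds a throwaway root -> issuing CA -> client chain, has openssl itself act as the OCSP responder signing with the issuing CA key, and then verifies the same stored response three ways. The first run mirrors the command quoted above: because -issuer is given, openssl ocsp falls back to trusting a response signed by that issuer (the OCSP_TRUSTOTHER path) and prints "Response verify OK" even though the trust store holds only the intermediate. The second run drops the -issuer hint, which is closer to an application handing OpenSSL nothing but its trust store, and fails; the third run succeeds once the store contains root and intermediate. An openssl binary in PATH is assumed; every name, serial and file name here is made up.

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS thread. Builds a throwaway two-tier PKI,
# lets openssl answer one OCSP request (signed with the issuing CA key, as many
# enterprise CAs do), then verifies the saved response with and without a full chain.
# Names, serials and file names are invented for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so nothing depends on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

# root CA -> issuing CA -> client certificate (serial 0x1001)
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -config pki.cnf -key root.key -subj "/CN=Example Root CA" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile pki.cnf -extensions ca_ext -out root.crt 2>/dev/null
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -config pki.cnf -key int.key -subj "/CN=Example Issuing CA" -out int.csr
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 1 -days 30 \
  -extfile pki.cnf -extensions ca_ext -out int.crt 2>/dev/null
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -config pki.cnf -key leaf.key -subj "/CN=orionad" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -set_serial 0x1001 -days 30 \
  -extfile pki.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
cat root.crt int.crt > chain.pem   # what a verifier's trust store has to contain

# "openssl ca" style index: status V, expiry, no revocation date, serial (hex), file, DN
printf 'V\t341231235959Z\t\t1001\tunknown\t/CN=orionad\n' > index.txt

# One-shot responder: answer the request for leaf.crt and save the DER response.
openssl ocsp -index index.txt -CA int.crt -rsigner int.crt -rkey int.key \
  -issuer int.crt -cert leaf.crt -no_nonce -respout resp.der >/dev/null 2>&1

# Same shape as the check in the thread: -issuer is present, so a response signed
# by that issuer is accepted (OCSP_TRUSTOTHER fallback) even though the store,
# here only int.crt, cannot chain the signer to a self-signed root.
verify_with_issuer_hint() {
  openssl ocsp -respin resp.der -issuer int.crt -cert leaf.crt -no_nonce -CAfile int.crt
}

# A verifier that only has a trust store, as a library call does: no fallback,
# the responder's chain must end at a self-signed root contained in $1.
verify_against_store() {
  openssl ocsp -respin resp.der -CAfile "$1"
}

# Certificate status from the summary line ("leaf.crt: good").
leaf_status() {
  openssl ocsp -respin resp.der -issuer int.crt -cert leaf.crt -no_nonce \
    -CAfile chain.pem 2>/dev/null | sed -n 's/^leaf\.crt: //p'
}

echo "--- -issuer given, store = issuing CA only (the CLI check from the thread)"
verify_with_issuer_hint
echo "--- store = issuing CA only, no -issuer (expected: Response Verify Failure)"
verify_against_store int.crt || true
echo "--- store = root + issuing CA"
verify_against_store chain.pem
echo "status of leaf.crt: $(leaf_status)"
```

Run it as-is and compare the three verdicts; to reproduce the problem against a real CA, save a live response with -respout and feed it to verify_against_store with the file you actually configured as the trust store, then again with the root appended.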
More information about the Freeradius-Users mailing list