Problem verifying EAP-TLS certificates (untrusted warning)
Alexey D. Filimonov
alexey at filimonic.net
Tue Nov 5 19:46:34 UTC 2024
I have a problem with a warning about an "untrusted certificate", and with rejection if I set `reject_unknown_intermediate_ca = yes`.
Could you help me solve this issue?
In short, this is the problem:
```
Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
```
I have a one-tier PKI.
On the FreeRADIUS server I copied the client certificate and CA to /tmp/certs: 802_1x.crt and 802_1x.ca.crt.
On the FreeRADIUS server I have a server certificate issued by the same CA.
To check the certificates I run the commands as the same user FreeRADIUS runs as: `su freerad -s /bin/bash`.
Check if both CAs are the same:
```
freerad@radius2:/root$ md5sum /tmp/certs/802_1x.ca.crt /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt
e65a3b9362b313ed3a10a3ce4a3588e5  /tmp/certs/802_1x.ca.crt
e65a3b9362b313ed3a10a3ce4a3588e5  /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt
```
Check if both CAs are self-signed and the same:
```
freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt | grep -A1 'Key Identifier'
X509v3 Subject Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
X509v3 Authority Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.ca.crt | grep -A1 'Key Identifier'
X509v3 Subject Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
X509v3 Authority Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
```
Check if the client and server certificates are issued by this CA:
```
freerad@radius2:/root$ openssl x509 -noout -text -in /tmp/certs/802_1x.crt | grep -A1 'Authority Key Identifier'
X509v3 Authority Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
freerad@radius2:/root$ openssl x509 -noout -text -in /etc/freeradius/3.0/tls/certs/wifi.crt | grep -A1 'Authority Key Identifier'
X509v3 Authority Key Identifier:
CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79
```
Check if both client and server certificates are issued by the same CA (here I see "untrusted"):
```
freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /tmp/certs/802_1x.crt
/tmp/certs/802_1x.crt: OK
Chain:
depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted)
depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority
freerad@radius2:/root$ openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt -CApath /etc/freeradius/3.0/tls/certs/ca/wifi /etc/freeradius/3.0/tls/certs/wifi.crt
/etc/freeradius/3.0/tls/certs/wifi.crt: OK
Chain:
depth=0: O = OD.FREEIPA.XYZ, CN = radius2.od.freeipa.xyz (untrusted)
depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority
```
Copied it (as root) to the CA store and ran `c_rehash /etc/ssl/certs`. Found that my CA cert is already there.
```
root@radius2:~# mkdir /usr/share/ca-certificates/wifi
root@radius2:~# cp /etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt /usr/share/ca-certificates/wifi
root@radius2:~# chmod -R 755 /usr/share/ca-certificates/wifi
root@radius2:~# ls -laR /usr/share/ca-certificates/wifi
/usr/share/ca-certificates/wifi:
total 12
drwxr-xr-x 2 root root 4096 Nov 5 21:44 .
drwxr-xr-x 4 root root 4096 Nov 5 21:43 ..
-rwxr-xr-x 1 root root 1598 Nov 5 21:44 wifi.ca.crt
root@radius2:~# ln -s /usr/share/ca-certificates/wifi/wifi.ca.crt /etc/ssl/certs/wifi.ca.crt
root@radius2:~# ls -la /etc/ssl/certs/wifi.ca.crt
lrwxrwxrwx 1 root root 43 Nov 5 21:46 /etc/ssl/certs/wifi.ca.crt -> /usr/share/ca-certificates/wifi/wifi.ca.crt
root@radius2:~# c_rehash /etc/ssl/certs
Doing /etc/ssl/certs
WARNING: Skipping duplicate certificate ca-certificates.crt
WARNING: Skipping duplicate certificate ca-certificates.crt
WARNING: Skipping duplicate certificate wifi.ca.crt
WARNING: Skipping duplicate certificate wifi.ca.crt
```
Still no luck.
Ran `c_rehash /etc/freeradius/3.0/tls/certs/ca/wifi` (this is where wifi.ca.crt is also located) and added `ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi"`:
```
root@radius2:~# ls -laR /etc/freeradius/3.0/tls/certs/ca/wifi/
/etc/freeradius/3.0/tls/certs/ca/wifi/:
total 12
drwxr-xr-x 2 freerad freerad 4096 Nov 5 21:48 .
drwxr-xr-x 3 freerad freerad 4096 Nov 5 20:32 ..
lrwxrwxrwx 1 root root 11 Nov 5 21:48 577f4bb3.0 -> wifi.ca.crt
lrwxrwxrwx 1 root root 11 Nov 5 21:48 ed3eb11a.0 -> wifi.ca.crt
-rwxr-xr-x 1 freerad freerad 1598 Nov 5 20:34 wifi.ca.crt
```
Still no luck.
This is my EAP config:
```
# /etc/freeradius/3.0/mods-available/eap_wifi
eap eap_wifi {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls_eap_wifi {
        private_key_file = "/etc/freeradius/3.0/tls/private/wifi.key"
        certificate_file = "/etc/freeradius/3.0/tls/certs/wifi.crt"
        ca_file = "/etc/freeradius/3.0/tls/certs/ca/wifi/wifi.ca.crt"
        ca_path = "/etc/freeradius/3.0/tls/certs/ca/wifi"
        auto_chain = yes
        cipher_list = "HIGH"
        check_crl = no
        check_all_crl = no
        cipher_server_preference = no
        tls_min_version = "1.2"
        tls_max_version = "1.2"
        ecdh_curve = "prime256v1"
        reject_unknown_intermediate_ca = yes
    }
    tls {
        tls = tls_eap_wifi
        configurable_client_cert = no
    }
}
```
This is part of the `freeradius -X` log:
```
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/wifi
(7) Auth-Type eap_wifi {
(7) eap_wifi: Expiring EAP session with state 0xe7b966f3e1e06b16
(7) eap_wifi: Finished EAP session with state 0xe7b966f3e1e06b16
(7) eap_wifi: Previous EAP request found for state 0xe7b966f3e1e06b16, released from the list
(7) eap_wifi: Peer sent packet with method EAP TLS (13)
(7) eap_wifi: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) EAP Got final fragment (321 bytes)
(7) eap_tls: (TLS) EAP Done initial handshake
(7) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(7) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(7) eap_tls: (TLS) Creating attributes from server certificate
(7) eap_tls: TLS-Cert-Serial := "01"
(7) eap_tls: TLS-Cert-Expiration := "441018201402Z"
(7) eap_tls: TLS-Cert-Valid-Since := "241018201402Z"
(7) eap_tls: TLS-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority"
(7) eap_tls: TLS-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority"
(7) eap_tls: TLS-Cert-Common-Name := "OD.FREEIPA.XYZ Certificate Authority"
(7) eap_tls: (TLS) Creating attributes from client certificate
(7) eap_tls: TLS-Client-Cert-Serial := "22"
(7) eap_tls: TLS-Client-Cert-Expiration := "250104182310Z"
(7) eap_tls: TLS-Client-Cert-Valid-Since := "241105182310Z"
(7) eap_tls: TLS-Client-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz"
(7) eap_tls: TLS-Client-Cert-Issuer := "/O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority"
(7) eap_tls: TLS-Client-Cert-Common-Name := "rpi4b.od.freeipa.xyz"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "rpi4b.od.freeipa.xyz"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Upn := "host/rpi4b.od.freeipa.xyz@OD.FREEIPA.XYZ"
(7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.5.5.7.3.14"
(7) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "F1:BC:FD:76:AC:E4:92:AD:A1:82:81:79:25:CC:1D:09:63:15:C9:00"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
(TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
tls: There are untrusted certificates in the certificate chain. Rejecting.
(7) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
(7) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
(7) eap_tls: ERROR: (TLS) Server : Error in error
(7) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
(7) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(7) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(7) eap_tls: ERROR: [eaptls process] = fail
(7) eap_wifi: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(7) eap_wifi: Sending EAP Failure (code 4) ID 89 length 4
(7) eap_wifi: Failed in EAP select
(7) [eap_wifi] = invalid
```
The piece around the warning when `freeradius -X -xx` is used:
```
...
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14"
Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
Tue Nov 5 22:37:37 2024 : Auth: tls: There are untrusted certificates in the certificate chain. Rejecting.
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) chain-depth : 0
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) error : 0
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: identity : anonymous-od-type-a
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) common name : rpi4b.od.freeipa.xyz
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) subject : /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) issuer : /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) verify return : 0
Tue Nov 5 22:37:37 2024 : Debug: (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 771
Tue Nov 5 22:37:37 2024 : Debug: (TLS) Received 2 bytes of TLS data
Tue Nov 5 22:37:37 2024 : Debug: (TLS) 02 50
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Alert write:fatal:internal error
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Server : Error in error
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[3522]:error: :SSL routines::certificate verify failed
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) System call (I/O) error (-1)
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: (TLS) EAP Receive handshake failed during operation
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_tls: [eaptls process] = fail
Tue Nov 5 22:37:37 2024 : ERROR: (15) eap_wifi: Failed continuing EAP TLS (13) session. EAP sub-module failed
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Sending EAP Failure (code 4) ID 98 length 4
Tue Nov 5 22:37:37 2024 : Debug: (15) eap_wifi: Failed in EAP select
Tue Nov 5 22:37:37 2024 : Debug: (15) modsingle[authenticate]: returned from eap_wifi (rlm_eap)
Tue Nov 5 22:37:37 2024 : Debug: (15) [eap_wifi] = invalid
...
```
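As an added example (not part of the original post or of FreeRADIUS itself): a small Python parser for the `freeradius -X` output quoted above that groups the `TLS-Client-Cert-*` attributes and the chain warnings per request, so that rejections like the one in request (7) can be alerted on together with the client subject and the AKI that needs to match the trusted CA's SKI. The sample log is constructed from the lines quoted in this post, and the regexes follow the message formats exactly as they appear here.

```python
import re
from dataclasses import dataclass, field
# Constructed sample, abridged from the freeradius -X output quoted in the post.
SAMPLE_LOG = """\
(7) eap_tls: TLS-Client-Cert-Subject := "/O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz"
(7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "CD:4B:3C:31:60:D9:81:22:75:1B:47:4E:50:AB:3B:FB:5A:68:85:79"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.14"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
(TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz
tls: There are untrusted certificates in the certificate chain. Rejecting.
(7) eap_wifi: Sending EAP Failure (code 4) ID 89 length 4
"""
REQ_RE = re.compile(r"^\((\d+)\) ")
ATTR_RE = re.compile(r'^\(\d+\) eap_tls: (TLS-Client-Cert-[\w-]+) [+:]= "(.*)"$')
UNTRUSTED_RE = re.compile(r"untrusted certificate with depth \[(\d+)\] subject name (.*)$")
REJECT_MSG = "There are untrusted certificates in the certificate chain. Rejecting."

@dataclass
class EapTlsEvent:
    request: int
    attrs: dict = field(default_factory=dict)      # attribute name -> list of values
    untrusted: dict = field(default_factory=dict)  # chain depth -> subject name
    rejected: bool = False

def parse_eap_tls_events(text):
    """Group client-cert attributes and chain warnings per request id. The chain
    warnings carry no "(N)" prefix, so they are attached to the most recent request."""
    events, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if req := REQ_RE.match(line):
            current = events.setdefault(int(req.group(1)), EapTlsEvent(int(req.group(1))))
        if current is None:
            continue
        if attr := ATTR_RE.match(line):
            # "+=" attributes (e.g. EKU OIDs) repeat, so every value is kept.
            current.attrs.setdefault(attr.group(1), []).append(attr.group(2))
        elif untrusted := UNTRUSTED_RE.search(line):
            current.untrusted[int(untrusted.group(1))] = untrusted.group(2)
        elif REJECT_MSG in line:
            current.rejected = True
    return events

def chain_rejection_alerts(events):
    """One alert string per request rejected for an untrusted client-cert chain."""
    return [f"req {ev.request}: {ev.attrs['TLS-Client-Cert-Subject'][0]} rejected, "
            f"untrusted depths {sorted(ev.untrusted)}, "
            f"AKI {ev.attrs['TLS-Client-Cert-X509v3-Authority-Key-Identifier'][0]}"
            for ev in events.values() if ev.rejected]
```

Run against a full `freeradius -X` capture, the alert list gives one line per rejected EAP-TLS client, with the AKI ready to compare against the SKI of the CA configured in `ca_file`.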