EAP-TLS certificate untrusted
Etienne Muesse
etienne.muesse at wi-ag.de
Fri Sep 27 06:30:03 UTC 2024
Hi all,
I am trying to use freeradius with EAP-TLS but the client certificates
are not trusted.
We are using client certificates which are signed by our internal CA
(signing chain is: client <- int-ca <- root-ca)
Here is what I did:
- Put the root CA and intermediate CA into "ca_path".
- Set server.pem (issued by intermediate CA)
- Set key.pem
- Disable CRL/OCSP checks (for testing).
The result when a client connects:
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [2] subject name [ROOT CA CERTIFICATE]
(TLS) untrusted certificate with depth [1] subject name [INT CA CERTIFICATE]
(TLS) untrusted certificate with depth [0] subject name [CLIENT CERTIFICATE]
tls: There are untrusted certificates in the certificate chain. Rejecting.
(12) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error
(12) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL:
error:0A000086:SSL routines::certificate verify failed
(12) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(12) eap_tls: ERROR: [eaptls process] = fail
I also tried to chain the CA files or put the whole chain into the
client certificate.
When I try to verify with openssl, it works fine:
openssl verify -CApath certs/ca certs/client.pem
Using FreeRADIUS Version 3.2.4
Am I missing something?
Best regards,
Etienne
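Added here as an editor's example, not the poster's configuration or FreeRADIUS code: the script builds a constructed three-tier PKI with the same subject names as the log above, lays the CAs out as a plain directory of PEM files, as an OpenSSL hashed directory and as one concatenated bundle, and reports which layouts openssl can build the client chain from. It assumes a POSIX shell and the openssl CLI on PATH; FreeRADIUS hands ca_path and ca_file to OpenSSL's directory and file lookups, so the same layouts matter there.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway PKI shaped like the poster's
# (client <- int-ca <- root-ca) and show which trust-store layouts let OpenSSL, and so
# FreeRADIUS ca_path / ca_file, build the client chain. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# mkcert NAME SUBJECT ISSUER  (empty ISSUER = self-signed root; CA certs get CA:TRUE)
mkcert() {
  name=$1 subj=$2 issuer=$3
  case $name in client) ext='basicConstraints=CA:FALSE' ;; *) ext='basicConstraints=critical,CA:TRUE' ;; esac
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# build_pki: the three certs, two candidate ca_path directories and one ca_file bundle.
build_pki() {
  mkcert root-ca '/CN=ROOT CA CERTIFICATE' ''
  mkcert int-ca  '/CN=INT CA CERTIFICATE'  root-ca
  mkcert client  '/CN=CLIENT CERTIFICATE'  int-ca
  mkdir -p "$WORK/unhashed" "$WORK/hashed"
  cp "$WORK/root-ca.pem" "$WORK/int-ca.pem" "$WORK/unhashed/"   # PEM files only, no hash links
  for ca in root-ca int-ca; do   # the hash-dir layout OpenSSL looks up: <subject_hash>.0 -> cert
    cp "$WORK/$ca.pem" "$WORK/hashed/"
    ln -sf "$ca.pem" "$WORK/hashed/$(openssl x509 -noout -subject_hash -in "$WORK/$ca.pem").0"
  done
  cat "$WORK/root-ca.pem" "$WORK/int-ca.pem" > "$WORK/chain.pem"  # ca_file style: chain in one file
}
# Each check returns 0 only if openssl can build client -> int-ca -> root-ca from that store.
verify_capath()    { openssl verify -CApath "$1" "$WORK/client.pem" >/dev/null 2>&1; }
verify_cafile()    { openssl verify -CAfile "$1" "$WORK/client.pem" >/dev/null 2>&1; }
# Root trusted, intermediate only presented, as a supplicant does in the TLS handshake.
verify_presented() { openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/int-ca.pem" \
                       "$WORK/client.pem" >/dev/null 2>&1; }
build_pki
show() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
show verify_capath "$WORK/unhashed"   # FAIL: without <hash>.0 entries the directory lookup finds nothing
show verify_capath "$WORK/hashed"     # OK
show verify_cafile "$WORK/chain.pem"  # OK
show verify_presented                 # OK
```

Run the same three checks against the directory actually named in ca_path on the RADIUS server: a directory holding only .pem files reports FAIL even though the identical files verify when passed as a bundle.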