Failed test with test certificates

Kat Kaz at t-tec.com.au
Wed Jul 9 07:20:48 UTC 2025



Gday :-)

Each day is a step closer.

Here I am trying to run a test with the test certificates and am 
failing. I see the positives in the fail in that I am actually 
contacting Freeradius. That's a step forwards.

Any chance of knowing what these error messages mean?

Have I used the wrong certificates in the wrong place?

***
(39) eap: Peer sent EAP Response (code 2) ID 224 length 1344

(39) eap: No EAP Start, assuming it's an on-going EAP conversation

(39)     [eap] = updated

(39)     [files] = noop

(39)     [expiration] = noop

(39)     [logintime] = noop

(39)     [pap] = noop

(39)   } # authorize = updated

(39) Found Auth-Type = eap

(39) # Executing group from file /etc/freeradius/sites-enabled/default

(39)   authenticate {

(39) eap: Removing EAP session with state 0x7724b18972c4bc8c

(39) eap: Previous EAP request found for state 0x7724b18972c4bc8c, 
released from the list

(39) eap: Peer sent packet with method EAP TLS (13)

(39) eap: Calling submodule eap_tls to process data

(39) eap_tls: (TLS) EAP Done initial handshake

(39) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write 
server done

(39) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate

(39) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain

(39) eap_tls:   TLS-Cert-Serial := 
"7b3ac5c50ab5ad8b63570648b1f5642e20c97be2"

(39) eap_tls:   TLS-Cert-Expiration := "250907060222Z"

(39) eap_tls:   TLS-Cert-Valid-Since := "250709060222Z"

(39) eap_tls:   TLS-Cert-Subject := 
"/C=FR/ST=Radius/L=Somewhere/O=Example 
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"

(39) eap_tls:   TLS-Cert-Issuer := 
"/C=FR/ST=Radius/L=Somewhere/O=Example 
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"

(39) eap_tls:   TLS-Cert-Common-Name := "Example Certificate Authority"

(39) eap_tls:   TLS-Cert-CRL-Distribution-Points += 
"http://www.example.org/example_ca.crl"

(39) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain

(39) eap_tls:   TLS-Client-Cert-Serial := "02"

(39) eap_tls:   TLS-Client-Cert-Expiration := "250907060223Z"

(39) eap_tls:   TLS-Client-Cert-Valid-Since := "250709060223Z"

(39) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example 
Inc./CN=user at example.org/emailAddress=user at example.org"

(39) eap_tls:   TLS-Client-Cert-Issuer := 
"/C=FR/ST=Radius/L=Somewhere/O=Example 
Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"

(39) eap_tls:   TLS-Client-Cert-Common-Name := "user at example.org"

(39) eap_tls:   TLS-Client-Cert-CRL-Distribution-Points += 
"http://www.example.com/example_ca.crl"

(39) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web 
Client Authentication"

(39) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += 
"6D:00:F5:8E:7C:BB:67:49:12:7A:C1:3F:93:AB:78:A9:68:87:9B:90"

(39) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += 
"E1:9D:14:10:16:D5:9D:4E:CE:42:43:E7:49:3A:5E:74:92:46:07:64"

(39) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += 
"1.3.6.1.5.5.7.3.2"

(39) eap_tls: Verifying client certificate: /usr/bin/openssl verify 
-CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}

(39) eap_tls: Executing: /usr/bin/openssl verify -CApath 
/etc/freeradius/certs %{TLS-Client-Cert-Filename}:

(39) eap_tls: EXPAND %{TLS-Client-Cert-Filename}

(39) eap_tls:    --> /tmp/radiusd/radiusd.client.XXUK9jFp

C = FR, ST = Radius, O = Example Inc., CN = user at example.org, 
emailAddress = user at example.org

error 20 at 0 depth lookup: unable to get local issuer certificate

error /tmp/radiusd/radiusd.client.XXUK9jFp: verification failed

(39) eap_tls: ERROR: Program returned code (2) and output ''

tls: Certificate CN (user at example.org) fails external verification!

(39) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal internal_error

(39) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error

(39) eap_tls: ERROR: (TLS) TLS - Server : Error in error

(39) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: 
error:0A000086:SSL routines::certificate verify failed

(39) eap_tls: ERROR: (TLS) System call (I/O) error (-1)

(39) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation

(39) eap_tls: ERROR: [eaptls process] = fail

(39) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module 
failed

(39) eap: Sending EAP Failure (code 4) ID 224 length 4

(39) eap: Failed in EAP select

(39)     [eap] = invalid

(39)   } # authenticate = invalid

(39) Failed to authenticate the user

(39) Using Post-Auth-Type Reject

(39) # Executing group from file /etc/freeradius/sites-enabled/default

(39)   Post-Auth-Type REJECT {

(39) attr_filter.access_reject: EXPAND %{User-Name}

(39) attr_filter.access_reject:    --> user at example.org

(39) attr_filter.access_reject: Matched entry DEFAULT at line 11

(39)     [attr_filter.access_reject] = updated

(39)     [eap] = noop

(39)     policy remove_reply_message_if_eap {

(39)       if (&reply:EAP-Message && &reply:Reply-Message) {

(39)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(39)       else {

(39)         [noop] = noop

(39)       } # else = noop

(39)     } # policy remove_reply_message_if_eap = noop

(39)   } # Post-Auth-Type REJECT = updated

(39) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(39) Sending delayed response

(39) Sent Access-Reject Id 46 from 172.17.0.5:1812 to 172.17.0.1:34232 
length 44

(39)   EAP-Message = 0x04e00004

(39)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 0.1 seconds.

(26) Cleaning up request packet ID 33 with timestamp +49 due to 
cleanup_delay was reached

(27) Cleaning up request packet ID 34 with timestamp +49 due to 
cleanup_delay was reached

(28) Cleaning up request packet ID 35 with timestamp +49 due to 
cleanup_delay was reached

(29) Cleaning up request packet ID 36 with timestamp +49 due to 
cleanup_delay was reached

(30) Cleaning up request packet ID 37 with timestamp +49 due to 
cleanup_delay was reached

(31) Cleaning up request packet ID 38 with timestamp +49 due to 
cleanup_delay was reached

(32) Cleaning up request packet ID 39 with timestamp +49 due to 
cleanup_delay was reached

Waking up in 3.6 seconds.

(33) Cleaning up request packet ID 40 with timestamp +53 due to 
cleanup_delay was reached

(34) Cleaning up request packet ID 41 with timestamp +53 due to 
cleanup_delay was reached

(35) Cleaning up request packet ID 42 with timestamp +53 due to 
cleanup_delay was reached

(36) Cleaning up request packet ID 43 with timestamp +53 due to 
cleanup_delay was reached

(37) Cleaning up request packet ID 44 with timestamp +53 due to 
cleanup_delay was reached

(38) Cleaning up request packet ID 45 with timestamp +53 due to 
cleanup_delay was reached

(39) Cleaning up request packet ID 46 with timestamp +53 due to 
cleanup_delay was reached

Ready to process requests
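
The external verification step in the debug output above can be read mechanically. The following is an added example, not part of the original post and not FreeRADIUS code: it extracts the `openssl verify` invocation and its numeric result from the log and maps the result to its OpenSSL constant name. The function name `triage` is hypothetical, and the sample is constructed from lines of the output above.

```python
import re

# Constructed sample: lines copied from the debug output above, with the
# mail archive's line wraps rejoined.
SAMPLE_LOG = """\
(39) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user at example.org/emailAddress=user at example.org"
(39) eap_tls:   TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority"
(39) eap_tls: Executing: /usr/bin/openssl verify -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}:
error 20 at 0 depth lookup: unable to get local issuer certificate
error /tmp/radiusd/radiusd.client.XXUK9jFp: verification failed
(39) eap_tls: ERROR: Program returned code (2) and output ''
"""

# Numeric verify results as defined in OpenSSL's x509_vfy.h.
X509_V_ERR = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

def triage(log):
    """Summarise the external 'openssl verify' failure in FreeRADIUS debug output."""
    found = {}
    for line in log.splitlines():
        if m := re.search(r'TLS-Client-Cert-(Subject|Issuer) := "(.*)"', line):
            found[m.group(1).lower()] = m.group(2)
        elif m := re.search(r'Executing: \S+ verify (-CA\w+) (\S+)', line):
            found["trust_option"], found["trust_path"] = m.groups()
        elif m := re.match(r'error (\d+) at (\d+) depth lookup: (.*)', line):
            code, depth = int(m.group(1)), int(m.group(2))
            found.update(code=code, depth=depth, text=m.group(3),
                         name=X509_V_ERR.get(code, "unlisted"))
    if "code" not in found:
        return None  # no verify error line in this log
    # Depth 0 is the certificate being verified; higher depths are its issuers.
    depth = found["depth"]
    found["failing_cert"] = "client certificate" if depth == 0 else "CA at depth %d" % depth
    # Codes 20 and 21 at depth 0 mean no issuer for the client certificate was
    # found in the trust store named on the command line; report that issuer.
    unanchored = found["code"] in (20, 21) and depth == 0
    found["missing_issuer"] = found.get("issuer") if unanchored else None
    return found

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the sample, the result names the client certificate as the failing one and `/etc/freeradius/certs`, passed via `-CApath`, as the place where its issuer was looked up and not found.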
