Certificate validation in rest module fails

Alan DeKok alan.dekok at inkbridge.io
Thu Sep 4 18:27:16 UTC 2025


On Sep 3, 2025, at 5:54 PM, Murali Krishnamoorthy <hibkmurali at gmail.com> wrote:
> I am using an https api in the rest module with mutual tls enabled. The
> freeradius 3.2.8 gives me an error message that the peer certificate is not
> valid. However, I am able to use the same certificates with the same url to
> make the tls connection. What could be the problem here?
> 
> ---
> With "check_cert = no", the rest api is able to make the mtls connection.
> But I would like to also have the server certificate validation enabled.
> ...
> *(0) rest_auth_failure_log: ERROR: Request failed: 60 - SSL peer
> certificate or SSH remote key was not OK*

  Hmm... unfortunately, that error is coming from curl.  The REST module just uses the curl APIs to do the bulk of the work.

  My guess here is that you don't have mods-available/rest configured with the right CA, key, etc.

> ------
> Using curl from the same container:
> # curl -v https://auth.feature-devops.qa.xcloudiq.com:8443/auth/log-event \
>>  --cert /etc/certs/client.pem  \
>>  --key /etc/certs/client.key \
>>  --cacert /etc/certs/craas-ca.pem \

   Are those the same files used in the "rest" module configuration?

>>  --data '{"authResult": "SUCCESS", "message": "test"}' \
>>  -H "Content-Type: application/json"
> ...
> -----
> Using openssl from the same container

  i.e. lots and lots of test output from things which aren't relevant.  But the debug output of FreeRADIUS has been mangled.

  This is exactly the opposite of what the documentation says to do.

http://wiki.freeradius.org/list-help

  Alan DeKok.
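
The question raised in the reply, whether the files passed to curl are the same ones the "rest" module is configured with, can be checked mechanically. The Python below is an added example, not part of the original message or of FreeRADIUS; the list of file options and the sample configuration are assumptions constructed for illustration, and only the three `/etc/certs/` paths come from the curl command quoted above.

```python
import re

# File-valued options of the rest module's tls { } section (assumed set;
# confirm against the comments in your own mods-available/rest).
FILE_OPTIONS = ("ca_file", "ca_info_file", "certificate_file", "private_key_file")

# Paths taken from the curl command quoted in the thread.
CURL_FILES = ["/etc/certs/client.pem", "/etc/certs/client.key",
              "/etc/certs/craas-ca.pem"]

# Constructed sample configuration: the CA line is still commented out.
SAMPLE = """
rest {
    tls {
#       ca_file = ${certdir}/cacert.pem
        certificate_file = /etc/certs/client.pem
        private_key_file = /etc/certs/client.key
        check_cert = yes
    }
}
"""

def tls_file_options(config_text):
    """Return {option: path} for uncommented file options inside tls { }."""
    found, depth = {}, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if depth == 0:                           # still outside tls { }
            depth = 1 if re.match(r"tls\s*\{$", line) else 0
        elif line.endswith("{"):
            depth += 1                           # nested subsection
        elif line == "}":
            depth -= 1
        else:
            m = re.match(r"(\w+)\s*=\s*(.+)$", line)
            if m and depth == 1 and m.group(1) in FILE_OPTIONS:
                found[m.group(1)] = m.group(2).strip('"')
    return found

def compare_with_curl(config_text, curl_files):
    """List path differences between the module config and the curl test."""
    configured = tls_file_options(config_text)
    problems = [f"{p} used by curl but not referenced in tls {{ }}"
                for p in curl_files if p not in configured.values()]
    problems += [f"{o} = {p} is not a file the curl test used"
                 for o, p in configured.items() if p not in curl_files]
    return problems

if __name__ == "__main__":
    print("\n".join(compare_with_curl(SAMPLE, CURL_FILES)) or "paths match")
```

The comparison is on path strings only; it does not open the files or expand `${...}` references.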


