Certificate validation in rest module fails

Murali Krishnamoorthy hibkmurali at gmail.com
Thu Sep 4 18:42:31 UTC 2025


On Thu, Sep 4, 2025 at 11:28 AM Alan DeKok via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:

> On Sep 3, 2025, at 5:54 PM, Murali Krishnamoorthy <hibkmurali at gmail.com> wrote:
> > I am using an https api in rest module with mutual tls enabled. The
> > freeradius 3.2.8 gives me an error message that the peer certificate is not
> > valid. However, I am able to use the same certificates with the same url to
> > make the tls connection. What could be the problem here?
> >
> > ---
> > With "check_cert = no", the rest api is able to make the mtls connection.
> > But I would like to also have the server certificate validation enabled.
> > ...
> > (0) rest_auth_failure_log: ERROR: Request failed: 60 - SSL peer
> > certificate or SSH remote key was not OK
>
>   Hmm... unfortunately, that error is coming from curl.  The REST module
> just uses the curl APIs to do the bulk of the work.
>
>   My guess here is that you don't have mods-available/rest configured with
> the right CA, key, etc.
>
> > ------
> > Using curl from the same container:
> > # curl -v https://auth.feature-devops.qa.xcloudiq.com:8443/auth/log-event \
> >     --cert /etc/certs/client.pem \
> >     --key /etc/certs/client.key \
> >     --cacert /etc/certs/craas-ca.pem \
>
>    Are those the same files used in the "rest" module configuration?
>

That's right. The example curl command used the same files as the rest
configuration.

The rest config is below:

rest rest_auth_failure_log {
    post-auth {
        uri = "https://auth.feature-devops.qa.xcloudiq.com:8443/auth/log-event"
        method = 'post'
        body = 'json'
        data = '{"Auth-Result": "FAILURE", "Message": "%{Reply-Message}", "User-Name": "%{User-Name}", "NAS-Identifier": "%{NAS-Identifier}", "NAS-Port-Type": "%{NAS-Port-Type}", "NAS-IP-Address": "%{NAS-IP-Address}", "NAS-Port": "%{NAS-Port}", "NAS-Port-Id": "%{NAS-Port-Id}", "Called-Station-Id": "%{Called-Station-Id}", "Calling-Station-Id": "%{Calling-Station-Id}", "EAP-Message": "%{EAP-Message}"}'
        tls {
            ca_file = /etc/certs/craas-ca.pem
            certificate_file = /etc/certs/client.pem
            private_key_file = /etc/certs/client.key
            check_cert = yes        # Enables verification of the server's certificate.
            check_cert_cn = yes     # Verify the server's hostname matches the certificate.
        }
    }
}

Is there any external command I could use to verify what the freeradius rest
module is doing, to get better debug output?


>
> >     --data '{"authResult": "SUCCESS", "message": "test"}' \
> >     -H "Content-Type: application/json"
> > ...
> > -----
> > Using openssl from the same container
>
>   i.e. lots and lots of test output from things which aren't relevant.
> But the debug output of FreeRADIUS has been mangled.
>
>   This is exactly the opposite of what the documentation says to do.
>
> http://wiki.freeradius.org/list-help
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
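Added editorial example, not part of the thread and not the project's shipped
mods-available/rest: the posted tls block beside a corrected one. The point it
illustrates is that "same files" does not mean "same curl option". `curl
--cacert` sets libcurl's CURLOPT_CAINFO, the trust bundle used for chain
verification. In the 3.x rlm_rest source, to my recollection, `ca_file` is
instead handed to libcurl as CURLOPT_ISSUERCERT (an additional "was the leaf
issued directly by this certificate" check) and a separate option,
`ca_info_file`, is the one that maps to CURLOPT_CAINFO. With only `ca_file`
set, libcurl keeps its default system trust store, a private CA is not in it,
and verification fails with curl error 60, which is exactly what `curl` prints
when run against the same URL without `--cacert`. The option name should be
confirmed against the `tls { }` section of your version's
raddb/mods-available/rest before relying on it; paths and the URL are the ones
from the thread.

```conf
# Added example, not the poster's config and not FreeRADIUS's own file.
# Assumes FreeRADIUS 3.x rlm_rest; confirm that ca_info_file is listed in
# your raddb/mods-available/rest before using it.

rest rest_auth_failure_log {
    post-auth {
        uri = "https://auth.feature-devops.qa.xcloudiq.com:8443/auth/log-event"
        method = 'post'
        body = 'json'
        data = '{"Auth-Result": "FAILURE", "User-Name": "%{User-Name}"}'

        tls {
            # As posted. To my recollection the 3.x module passes ca_file to
            # libcurl as CURLOPT_ISSUERCERT, not as the trust bundle, so the
            # bundle stays libcurl's default store. A private CA is absent
            # from that store and the peer check fails with curl error 60,
            # the same failure as running curl without --cacert.
            #ca_file = /etc/certs/craas-ca.pem

            # Corrected: ca_info_file maps to CURLOPT_CAINFO, which is what
            # `curl --cacert /etc/certs/craas-ca.pem` sets.
            ca_info_file = /etc/certs/craas-ca.pem

            # Alternative: a directory of hashed CA certs (CURLOPT_CAPATH).
            # The directory must be prepared with c_rehash / openssl rehash.
            #ca_path = /etc/certs/ca-hashed

            certificate_file = /etc/certs/client.pem
            private_key_file = /etc/certs/client.key

            # Keep both checks on. check_cert toggles chain verification
            # (CURLOPT_SSL_VERIFYPEER); check_cert_cn toggles hostname
            # matching (CURLOPT_SSL_VERIFYHOST). Setting check_cert = no,
            # which made the call "work", accepts any certificate the peer
            # presents and removes the protection against a MITM endpoint.
            check_cert = yes
            check_cert_cn = yes
        }
    }
}
```

To answer the "external command" question independently of the module: the
same trust file can be checked against the live endpoint with openssl alone,
which also reports the hostname match that check_cert_cn relies on:

openssl s_client -connect auth.feature-devops.qa.xcloudiq.com:8443 \
    -CAfile /etc/certs/craas-ca.pem \
    -cert /etc/certs/client.pem -key /etc/certs/client.key \
    -verify_return_error \
    -verify_hostname auth.feature-devops.qa.xcloudiq.com </dev/null

If that prints "Verify return code: 0 (ok)" and curl with --cacert succeeds
while the module still reports error 60, the module is not using that file as
its trust bundle, and the option name above is the first thing to check.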
