
List:       freeradius-users
Subject:    Re: unable to get local issuer certificate
From:       Kostya Berger via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2020-12-18 16:13:23
Message-ID: 1133704625.3535683.1608308003635 () mail ! yahoo ! com

Seems the problem is with the OpenBSD Freeradius/SSL configuration.
I ended up running certs/bootstrap on the OpenBSD machine where Freeradius runs. The resulting certificates work fine on a FreeBSD-based Freeradius server, but on OpenBSD I get this complaining about the "local issuer certificate". I just don't know what else I might check.

With kindest regards,
Kostya Berger
 
 

    On Thursday, 17 December 2020, 03:38:27 GMT+3, Kostya Berger via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Ok, checked the same with a certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for the Android phone -- so far so good :) But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else. I wonder if that could be a LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there. And why does it validate the user certificate TWICE? Here it is in the log:
...........................
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257: unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''



With kindest regards,
Kostya Berger
 
 

    On Tuesday, 15 December 2020, 17:14:47 GMT+3, Kostya Berger via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved the config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2.

Again, the very SAME configuration (certs etc.) has been successfully running on OpenBSD 6.6, but on 6.8 I'm getting the SSL error "unable to get local issuer certificate". The complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used on another machine with Freeradius-3.0.21 successfully. What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257: unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
....
Brief summary: /tmp/radiusd IS writable by the _freeradius user -- I checked that explicitly by trying to write there as that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears the message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. I just don't remember that.

Thank you very much for your time!
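A small log-triage script, added here as an example and not part of this thread or of FreeRADIUS: it groups the "(N) eap_tls:" lines of radiusd -X output per request and reports when the external verify command ran more than once against the same temporary certificate file, which is what the log above shows for request (5), with the second openssl run finding the file already removed. The embedded sample log is constructed from the lines quoted in the thread.

```python
"""Group the eap_tls lines of a radiusd -X log per request and report when
verify_client_cert_cmd ran more than once against the same temp file.
Added example for this thread, not FreeRADIUS code. SAMPLE_LOG is constructed
from the quoted lines: request (5) checks the file twice, the second run finds it gone."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: ERROR: Program returned code (2) and output ''
"""
REQ = re.compile(r"^\((\d+)\) eap_tls: (.*)$")        # radiusd per-request prefix
FILE = re.compile(r"^\s*--> (\S+)$")                   # expanded %{TLS-Client-Cert-Filename}
CODE = re.compile(r"Program returned code \((\d+)\)")  # exit status of the verify command
GONE = re.compile(r"^Error opening certificate file (\S+)")  # openssl's own stderr, unprefixed

def analyze(log_text):
    """Return {request_id: [run, ...]}, one run per execution of the verify command."""
    runs, pending, last_req = defaultdict(list), {}, None
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:  # unprefixed line: stderr of the verify command for the last request seen
            g = GONE.match(line)
            if g and last_req in pending and pending[last_req]["file"] == g.group(1):
                pending[last_req]["missing"] = True
            continue
        last_req, body = m.groups()
        f = FILE.match(body)
        if f:  # the expanded temp-file path opens a new run
            pending[last_req] = {"file": f.group(1), "code": None, "missing": False}
            continue
        c = CODE.search(body)
        if c and last_req in pending:  # the exit code closes it
            runs[last_req].append(dict(pending.pop(last_req), code=int(c.group(1))))
    return dict(runs)

def repeated_checks(runs):
    """Flag requests whose single temp file went through the verify command more than once."""
    return [{"request": req, "file": rs[0]["file"], "codes": [r["code"] for r in rs],
             "file_gone": any(r["missing"] for r in rs[1:])}
            for req, rs in runs.items()
            if len(rs) > 1 and len({r["file"] for r in rs}) == 1]
```

Run repeated_checks(analyze(open("radiusd.log").read())) over a real debug log; a finding with codes [0, 2] and file_gone True is the pattern seen in this thread.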

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html  

