
List:       freeradius-users
Subject:    Re: unknown CA when trying to authenticate
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-02-24 12:56:35
Message-ID: C5F46BE3-49A8-4387-BD5D-7432E31D2A7D () deployingradius ! com

On Feb 24, 2021, at 3:00 AM, Carsten Schulze <carsten.schulze@leuphana.de> wrote:
> 
> I got the same problem after a Debian upgrade from 9 to 10 and it was not a client problem!
> Our CA: Root-CA - Intermediate CA - CA
> 
> The solution for me
> 
> //in mods-enabled/eap
> #ca_file = ${certdir}/ca-gen2.pem <- Don't use this - put your CAs into certificate_file!
> certificate_file = ${certdir}/radius1w.company.de.pem <- Now: Certificate - CA - Inter-CA - RootCA
>
> Restart. Works!

  OpenSSL sometimes changes how they do things internally, which means behavioural changes in TLS.  This is unfortunate.  We've had to add code to FreeRADIUS to tell OpenSSL "No, don't do what you want, do what we tell you to do".

  Generally, it's good to put all of the certificates into "certificate_file" as per the docs.  But it doesn't always work for everyone.

> Maybe this might help as well:
> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/

  A good chunk of that is copied from my page, which is 10 years older.  And a lot isn't relevant.  But whatever.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
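
The bundle order described in the thread for "certificate_file" (server certificate, then CA, intermediate CA, root CA) can be checked before restarting the server. The script below is an added example, not part of the thread or of FreeRADIUS; the function names and the demo certificate names are made up for illustration, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the thread): check the order of a PEM bundle meant
# for "certificate_file": server certificate first, each issuing CA next, root last.
# Compares subject/issuer name hashes only; it does not verify signatures or expiry.

# chain_order_ok BUNDLE -> returns 0 if every certificate's issuer is the
# subject of the certificate that follows it, 1 otherwise (or if none is found).
chain_order_ok() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate, keeping file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1" 2>/dev/null
    rc=0; prev_issuer=""
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || { rc=1; break; }    # glob matched nothing: no certificates
        subj=$(openssl x509 -noout -subject_hash -in "$c" 2>/dev/null) || { rc=1; break; }
        [ -z "$prev_issuer" ] || [ "$subj" = "$prev_issuer" ] || rc=1
        prev_issuer=$(openssl x509 -noout -issuer_hash -in "$c")
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR: constructed throwaway chain root -> inter -> issuing -> server,
# written to DIR as root.pem, inter.pem, issuing.pem and server.pem (test data only).
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo root" \
        -keyout "$d/root.key" -out "$d/root.pem" -days 1 2>/dev/null || return 1
    issuer=root
    for name in inter issuing server; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
            -CAcreateserial -out "$d/$name.pem" -days 1 2>/dev/null || return 1
        issuer=$name
    done
}

# Typical use, after sourcing this file:
#   chain_order_ok /path/to/bundle.pem && echo "order OK" || echo "order broken"
```

A bundle that passes this check can still fail in FreeRADIUS for other reasons (expired certificates, wrong key, a client that does not trust the root), so treat it as a quick sanity check on ordering only.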

