Freeradius with Docker - got Unknown CA error

Freeradius with Docker - got Unknown CA error

Holly Sun
Hi,

I have a working radiusd.conf which can do EAP-TLS authentication. I am
able to run the FreeRADIUS server in Ubuntu directly. Now I am trying to
make the FreeRADIUS server run in Docker and upload it to GCP. However,
with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknown
CA".

In my radiusd.conf, I have something like:
modules {
        eap {
                ...
                tls {
                        certdir = certs
                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.pem
                        ca_file = ${certdir}/ca.pem
                        cipher_list = "HIGH"
                        ecdh_curve = "prime256v1"
                }
        }
}

In my Dockerfile, I first have something like:
WORKDIR /radius
COPY radiusd.conf /radius
COPY certs/ /radius/certs

So the working directory has radiusd.conf and certs/ directory containing
all the certificates.
With eapol_test given the same ca.pem as input, I got the errors below from
the FreeRADIUS output. I got the same errors even if I change the Dockerfile
to use the absolute path of FreeRADIUS:
COPY radiusd.conf /etc/freeradius/3.0/
COPY certs/ /etc/freeradius/3.0/certs/

Output:

(0) Received Access-Request Id 0 from 104.132.1.66:42257 to 172.17.0.3:1812
length 134
(0)   User-Name = "myusername"
(0)   NAS-IP-Address = 127.0.0.1
(0)   Calling-Station-Id = "02-00-00-00-00-01"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Connect-Info = "CONNECT 11Mbps 802.11b"
(0)   EAP-Message = 0x02ea000f016d79757365726e616d65
(0)   Message-Authenticator = 0x064274c68e846bd643f10ee42c9a9f58
(0) # Executing section authorize from file ./radiusd.conf
(0)   authorize {
(0) eap: Peer sent EAP Response (code 2) ID 234 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file ./radiusd.conf
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 235 length 6
(0) eap: EAP session adding &reply:State = 0x3c1cb3283cf7be5d
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Sent Access-Challenge Id 0 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(0)   EAP-Message = 0x01eb00060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x3c1cb3283cf7be5deafe5da3e677933c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 104.132.1.66:42257 to 172.17.0.3:1812
length 333
(1)   User-Name = "myusername"
(1)   NAS-IP-Address = 127.0.0.1
(1)   Calling-Station-Id = "02-00-00-00-00-01"
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Connect-Info = "CONNECT 11Mbps 802.11b"
(1)   EAP-Message =
0x02eb00c40d0016030100b9010000b50303651de82eea44d48516e3c1e705e1c3913aa0b4a3f6b029b7affcccdd7fd8d9f6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(1)   State = 0x3c1cb3283cf7be5deafe5da3e677933c
(1)   Message-Authenticator = 0x0016f403f73e4237308bb89e1eb39d88
(1) session-state: No cached attributes
(1) # Executing section authorize from file ./radiusd.conf
(1)   authorize {
(1) eap: Peer sent EAP Response (code 2) ID 235 length 196
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file ./radiusd.conf
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x3c1cb3283cf7be5d
(1) eap: Finished EAP session with state 0x3c1cb3283cf7be5d
(1) eap: Previous EAP request found for state 0x3c1cb3283cf7be5d, released
from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (190 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does
not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3  [length 00b9]
(1) eap_tls: TLS_accept: SSLv3/TLS read client hello
(1) eap_tls: >>> send TLS 1.2  [length 0035]
(1) eap_tls: TLS_accept: SSLv3/TLS write server hello
(1) eap_tls: >>> send TLS 1.2  [length 0707]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate
(1) eap_tls: >>> send TLS 1.2  [length 00af]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(1) eap_tls: >>> send TLS 1.2  [length 0004]
(1) eap_tls: TLS_accept: SSLv3/TLS write server done
(1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_tls: TLS - In Handshake Phase
(1) eap_tls: TLS - got 2051 bytes of data
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 236 length 1024
(1) eap: EAP session adding &reply:State = 0x3c1cb3283df0be5d
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) Sent Access-Challenge Id 1 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(1)   EAP-Message =
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x3c1cb3283df0be5deafe5da3e677933c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 104.132.1.66:42257 to 172.17.0.3:1812
length 143
(2)   User-Name = "myusername"
(2)   NAS-IP-Address = 127.0.0.1
(2)   Calling-Station-Id = "02-00-00-00-00-01"
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Connect-Info = "CONNECT 11Mbps 802.11b"
(2)   EAP-Message = 0x02ec00060d00
(2)   State = 0x3c1cb3283df0be5deafe5da3e677933c
(2)   Message-Authenticator = 0xfcf988c59d274c385b0cb87554a6fb82
(2) session-state: No cached attributes
(2) # Executing section authorize from file ./radiusd.conf
(2)   authorize {
(2) eap: Peer sent EAP Response (code 2) ID 236 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2)     [eap] = updated
(2)   } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file ./radiusd.conf
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x3c1cb3283df0be5d
(2) eap: Finished EAP session with state 0x3c1cb3283df0be5d
(2) eap: Previous EAP request found for state 0x3c1cb3283df0be5d, released
from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 237 length 1024
(2) eap: EAP session adding &reply:State = 0x3c1cb3283ef1be5d
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) Sent Access-Challenge Id 2 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(2)   EAP-Message =
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x3c1cb3283ef1be5deafe5da3e677933c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 104.132.1.66:42257 to 172.17.0.3:1812
length 143
(3)   User-Name = "myusername"
(3)   NAS-IP-Address = 127.0.0.1
(3)   Calling-Station-Id = "02-00-00-00-00-01"
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Connect-Info = "CONNECT 11Mbps 802.11b"
(3)   EAP-Message = 0x02ed00060d00
(3)   State = 0x3c1cb3283ef1be5deafe5da3e677933c
(3)   Message-Authenticator = 0xcbc352d3a078978d17e6fa7616a196e4
(3) session-state: No cached attributes
(3) # Executing section authorize from file ./radiusd.conf
(3)   authorize {
(3) eap: Peer sent EAP Response (code 2) ID 237 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3)     [eap] = updated
(3)   } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file ./radiusd.conf
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x3c1cb3283ef1be5d
(3) eap: Finished EAP session with state 0x3c1cb3283ef1be5d
(3) eap: Previous EAP request found for state 0x3c1cb3283ef1be5d, released
from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 238 length 33
(3) eap: EAP session adding &reply:State = 0x3c1cb3283ff2be5d
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) Sent Access-Challenge Id 3 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(3)   EAP-Message =
0x01ee00210d8000000803737420434120446563203230313816030300040e000000
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x3c1cb3283ff2be5deafe5da3e677933c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 104.132.1.66:42257 to 172.17.0.3:1812
length 150
(4)   User-Name = "myusername"
(4)   NAS-IP-Address = 127.0.0.1
(4)   Calling-Station-Id = "02-00-00-00-00-01"
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Connect-Info = "CONNECT 11Mbps 802.11b"
(4)   EAP-Message = 0x02ee000d0d0015030300020230
(4)   State = 0x3c1cb3283ff2be5deafe5da3e677933c
(4)   Message-Authenticator = 0x6a8e3ca3d60a68499ed73d0b8dd61b82
(4) session-state: No cached attributes
(4) # Executing section authorize from file ./radiusd.conf
(4)   authorize {
(4) eap: Peer sent EAP Response (code 2) ID 238 length 13
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4)     [eap] = updated
(4)   } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file ./radiusd.conf
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x3c1cb3283ff2be5d
(4) eap: Finished EAP session with state 0x3c1cb3283ff2be5d
(4) eap: Previous EAP request found for state 0x3c1cb3283ff2be5d, released
from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: [eaptls verify] = ok
(4) eap_tls: Done initial handshake
(4) eap_tls: <<< recv TLS 1.2  [length 0002]
(4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_tls: TLS_accept: Need to read more data: error
(4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_tls: TLS - In Handshake Phase
(4) eap_tls: TLS - Application data.
(4) eap_tls: ERROR: TLS failed during operation
(4) eap_tls: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
failed
(4) eap: Sending EAP Failure (code 4) ID 238 length 4
(4) eap: Failed in EAP select
(4)     [eap] = invalid
(4)   } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 4 from 172.17.0.3:1812 to 104.132.1.66:42257
length 44
(4)   EAP-Message = 0x04ee0004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +61
(1) Cleaning up request packet ID 1 with timestamp +61
(2) Cleaning up request packet ID 2 with timestamp +61
(3) Cleaning up request packet ID 3 with timestamp +61
(4) Cleaning up request packet ID 4 with timestamp +61
Ready to process requests


Any ideas? Thanks in advance!

Best,
Holly
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius with Docker - got Unknown CA error

Alan DeKok-2
On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <[hidden email]> wrote:
>
> I have a working radiusd.conf which can do EAP-TLS authentication. I am
> able to run the FreeRadius server in Ubuntu directly. Now I am trying to
> make the FreeRadius server running in Docker and upload it to GCP. However,
> with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknown
> CA".
>
> In my radiusd.conf, I have something like:

  That's all standard in the default configuration files.

> In my Dockerfile, I first have something like:
> WORKDIR /radius
> COPY radiusd.conf /radius
> COPY certs/ /radius/certs

  That should work.  See also:

https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker

  There are pre-built docker scripts for v3, and for the major Linux distributions.

> (4) eap_tls: <<< recv TLS 1.2  [length 0002]
> (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> (4) eap_tls: TLS_accept: Need to read more data: error
> (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca

  That's a message from the supplicant.  You configured the CA on FreeRADIUS, but not on the supplicant.

  Add the CA to the supplicant and it should work.

  Alan DeKok.



Re: Freeradius with Docker - got Unknown CA error

Holly Sun
Thanks Alan for the quick response!

I am using eapol_test to send the request with the ca.pem, but still got
the Unknown CA error:
$ eapol_test -c eap-tls.conf -a 34.94.22.45 -s myRandomPass -o eap-tls.out

In my eap-tls.conf:
network={
        key_mgmt=WPA-EAP
        identity="myusername"
        proto=WPA2
        eap=TLS
        ca_cert="ca.pem"   # the same ca.pem used by FreeRADIUS
        private_key="client.p12"
        private_key_passwd="clientpassword"
}

Thank you!

On Thu, Aug 8, 2019 at 5:30 PM Alan DeKok <[hidden email]> wrote:

Re: Freeradius with Docker - got Unknown CA error

Alan DeKok-2
On Aug 8, 2019, at 8:51 PM, Jiuyu Sun <[hidden email]> wrote:
>
> Thanks Alan for the quick response!
>
> I am using eapol_test to send the request with the ca.pem, but still got
> the Unknown CA error:

  Then the client certificate is signed with another CA cert.

  OR the server certificate is signed with another CA cert.

  The certificates that come with the server work.  The default configuration works.  So... what changed?

  Alan DeKok.



Re: Freeradius with Docker - got Unknown CA error

Holly Sun
Thanks Alan!

I think both the server and client certificates should match the same CA.
Using the same set of certificates, I can run the server directly in Ubuntu.
So I doubt the issue is in my Dockerfile.

In my Dockerfile:

FROM ubuntu:18.04
RUN apt-get update &&\
    apt-get install -y freeradius
RUN adduser radius
WORKDIR /radius
EXPOSE 1812/udp 1813/udp
COPY radiusd.conf /radius/
COPY certs/* /radius/certs/
CMD ["/usr/sbin/freeradius", "-d", ".", "-f", "-x", "-lstdout"]

I copied all the certificates under the current certs/ directory to
/radius/certs/ in the Docker environment. In the Docker environment, there
are still certificates under /etc/freeradius/3.0/certs; will FreeRADIUS use
those certificates instead?

Thanks a lot!

On Thu, Aug 8, 2019 at 6:10 PM Alan DeKok <[hidden email]> wrote:

Re: Freeradius with Docker - got Unknown CA error

Matthew Newton-3
On Thu, 2019-08-08 at 18:46 -0700, Jiuyu Sun wrote:
> Using the same set of certificate, I can run the server directly in
> Ubuntu.
> So I doubt the issue is in my Dockerfile.

If those certs work in Ubuntu, but don't in Docker, then that really
does point to a problem in your Dockerfile.

> In my Dockerfile:
>
> FROM ubuntu:18.04
> RUN apt-get update &&\
>     apt-get install -y freeradius
> RUN adduser radius
> WORKDIR /radius
> EXPOSE 1812/udp 1813/udp
> COPY radiusd.conf /radius/
> COPY certs/* /radius/certs/
> CMD ["/usr/sbin/freeradius", "-d", ".","-f","-x","-lstdout"]
>
> I copied all the certificates under the current certs/ directory to
> /radius/certs/ in the docker environment. In the docker environment,
> there are still certificate under /etc/freeradius/3.0/certs, will
> FreeRadius use those certificates instead?

That's where the default configuration says to read them from. If you
don't change the eap config, it will still read them from there. Read
the debug output to see what files it is loading. (Or you could paste
the full debug output to the list, as mentioned here pretty much every
day.)

Rather than making up your own Dockerfile, why not use the official
ones?

https://hub.docker.com/r/freeradius/freeradius-server

--
Matthew


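The check Matthew describes (read the debug output to see which files the eap module actually loads), as an added example that is not from this thread or from the FreeRADIUS project: a small Python script that scans a `radiusd -X` log for the TLS certificate settings, flags any that are not under the directory the certs were COPYed into, and reports which side sent a TLS alert. The sample log lines are constructed to resemble the FreeRADIUS 3.0 config dump and eap_tls messages; a real log may differ in detail.

```python
"""Inspect a FreeRADIUS 3.0 debug log (radiusd -X) for the EAP-TLS
certificate files it really loaded, and say who sent a TLS alert.

Added example, not from the mailing-list thread. The log below is
constructed to look like the config dump and eap_tls lines FreeRADIUS
prints; treat the exact format as an assumption.
"""
import re

# Constructed sample: radiusd was started with -d . inside a container,
# but the eap module still points at the packaged certs, not /radius/certs.
SAMPLE_LOG = """\
including configuration file ./radiusd.conf
  tls-config tls-common {
    private_key_file = "/etc/freeradius/3.0/certs/server.pem"
    certificate_file = "/etc/freeradius/3.0/certs/server.pem"
    ca_file = "/etc/freeradius/3.0/certs/ca.pem"
  }
(4) eap_tls: <<< recv TLS 1.2  [length 0002]
(4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_tls: ERROR: TLS failed during operation
"""

# Matches the three tls settings in the config dump, with or without quotes.
KEY_RE = re.compile(
    r'^\s*(private_key_file|certificate_file|ca_file)\s*=\s*"?([^"\s]+)"?')
# OpenSSL info-callback wording: "read" = alert received, "write" = alert sent.
ALERT_RE = re.compile(r'TLS Alert (read|write):(fatal|warning):(.+)$')


def loaded_cert_files(log_text):
    """Return {setting: path} for the TLS certificate settings in the dump."""
    found = {}
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def files_outside(log_text, expected_dir):
    """Return the settings whose path is NOT under expected_dir, i.e. the
    certs the server is using are not the ones you copied into the image."""
    prefix = expected_dir.rstrip("/") + "/"
    return {k: v for k, v in loaded_cert_files(log_text).items()
            if not v.startswith(prefix)}


def explain_alerts(log_text):
    """Return (sender, level, description) for each TLS alert line.
    'read' means the peer (the supplicant) sent it: its trust store did not
    accept the server certificate. 'write' means FreeRADIUS raised it, e.g.
    the client certificate did not chain to ca_file."""
    out = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            direction, level, desc = m.groups()
            sender = "supplicant" if direction == "read" else "server"
            out.append((sender, level, desc.strip()))
    return out


if __name__ == "__main__":
    print("not under /radius/certs:", files_outside(SAMPLE_LOG, "/radius/certs"))
    print("alerts:", explain_alerts(SAMPLE_LOG))
```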

Re: Freeradius with Docker - got Unknown CA error

Holly Sun
Problem solved! The debug output shows that it was referring to a different
set of certificates.
Thanks both, Alan and Matthew!

On Fri, Aug 9, 2019 at 4:07 AM Matthew Newton <[hidden email]> wrote: