freeradius cloned from github:
https://github.com/FreeRADIUS/freeradius-server

Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable to get issuer certificate
Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
Tue Dec 29 14:31:40 2020: /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation failed for module "eap.ttls"

I'm using a let's encrypt certificate, but I'm getting this error message.

What should the files I should be using for the cert?

Best regards,

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On 29.12.20 17:23, André wrote:
> freeradius cloned from github:
> https://github.com/FreeRADIUS/freeradius-server
>
> Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL
> routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable
> to get issuer certificate
> Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
> Tue Dec 29 14:31:40 2020:
> /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation
> failed for module "eap.ttls"
>
> I'm using a let's encrypt certificate, but I'm getting this error message.
>
> What should the files I should be using for the cert?
>
> Best regards,

hi,

It seems that you do not have installed the CA of Let's encrypt.

what is the output of freeradius -X

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

In attachment.

On Tue, Dec 29, 2020 at 4:36 PM Michael Schwartzkopff <[hidden email]> wrote:

> hi,
>
> It seems that you do not have installed the CA of Let's encrypt.
>
> what is the output of freeradius -X

Correction of the method of extraction as according to the wiki.
in attachment

Thank you

On Tue, Dec 29, 2020 at 4:45 PM André <[hidden email]> wrote:

> In attachment.

Hello,

Problem solved by using openssl verify for debug and this link:
https://stackoverflow.com/questions/50803160/unable-to-openssl-verify-letsencrypt-certificate

And downloading the correct CA and *ADDING* this CA
https://www.identrust.com/dst-root-ca-x3
to a file

ca_file = file

to the mods-enable/eap
# tls-config tls-common {

Thank you all for your help.

Basically it looks like the rootCA for let's encrypt changed.

Best regards,
Good 2021 year to all.

On Tue, Dec 29, 2020 at 7:47 PM Mark Elkins <[hidden email]> wrote:

> No idea if this will help but...
>
> I just had a very similar issue with Exim... my mail system. I was using
> the wrong (old) intermediate certificate - which has worked for years.
>
> I use 'dehydrated' to obtain and renew my Let's Encrypt certs. They have
> just stopped cross signing - and that triggered my issue - at 2am on the
> 25th Dec.
>
> EXIM requires the current cert, an intermediate, as well as what's in
> /usr/share/ca-certificates/mozilla (they use/are "ISRG_Root_X1.crt")...
> "dehydrated" has a file in the 'cert' directory called "fullchain.pem" Look
> at the second Certificate it contains - the new intermediate.
>
> The intermediate is no longer....
>
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> ..... cut ....
> PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
>
> but (in full)
>
> [PEM certificate omitted]
>
> Maybe your problem - otherwise please simply delete this email and ignore
> me.
>
> --
> Mark James ELKINS - Posix Systems - (South) Africa
> [hidden email] Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
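
The failure and the fix discussed in this thread, reproduced with `openssl verify` as an added example (not part of any poster's message and not FreeRADIUS code). It assumes the OpenSSL 1.1.1 or later CLI on PATH; the three-tier chain, subject names and the `ca_file.pem` bundle name are constructed for the demo and stand in for the Let's Encrypt chain and the file named by `ca_file`.

```shell
#!/bin/sh
# Added example. Builds a throwaway root -> intermediate -> server chain;
# every name and file below is constructed for the demo.
make_chain() (                      # $1 = empty directory; subshell keeps cd local
    cd "$1" || exit 1
    cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    req="openssl req -config ssl.cnf -newkey rsa:2048 -nodes"
    sign="openssl x509 -req -days 2 -CAcreateserial"
    # Self-signed root, then an intermediate CA signed by it, then the server cert.
    $req -x509 -days 2 -extensions v3_ca -subj "/CN=Example Root" \
        -keyout root.key -out root.pem 2>/dev/null
    $req -subj "/CN=Example Intermediate" -keyout int.key -out int.csr 2>/dev/null
    $sign -in int.csr -CA root.pem -CAkey root.key \
        -extfile ssl.cnf -extensions v3_ca -out int.pem 2>/dev/null
    $req -subj "/CN=radius.example.test" -keyout srv.key -out srv.csr 2>/dev/null
    $sign -in srv.csr -CA int.pem -CAkey int.key -out srv.pem 2>/dev/null
)

# Print "OK", or the OpenSSL "unable to get ... certificate" reason on failure.
check_chain() {                     # $1 = CA bundle, $2 = certificate to verify
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
    echo "$out" | grep -o 'unable to get [a-z ]*certificate' | head -n 1
}

demo() {
    tmp=$(mktemp -d)
    make_chain "$tmp"
    cp "$tmp/int.pem" "$tmp/ca_file.pem"          # bundle holds the intermediate only
    before=$(check_chain "$tmp/ca_file.pem" "$tmp/srv.pem")
    cat "$tmp/root.pem" >> "$tmp/ca_file.pem"     # ADD the root to the same file
    after=$(check_chain "$tmp/ca_file.pem" "$tmp/srv.pem")
    rm -rf "$tmp"
    echo "before: $before / after: $after"
}
demo
```

With only the intermediate in the bundle, OpenSSL finds the server certificate's issuer but not the issuer of that intermediate, which is the "unable to get issuer certificate" reason in the log above; appending the root to the same file completes the chain.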