Freeradius with lets encrypt certificate


Freeradius with lets encrypt certificate

André
FreeRADIUS cloned from GitHub:
https://github.com/FreeRADIUS/freeradius-server

Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable to get issuer certificate
Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
Tue Dec 29 14:31:40 2020: /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation failed for module "eap.ttls"

I'm using a Let's Encrypt certificate, but I'm getting this error message.

What files should I be using for the cert?

Best regards,
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius with lets encrypt certificate

Michael Schwartzkopff-3
On 29.12.20 17:23, André wrote:

> FreeRADIUS cloned from GitHub:
> https://github.com/FreeRADIUS/freeradius-server
>
> Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable to get issuer certificate
> Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
> Tue Dec 29 14:31:40 2020: /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation failed for module "eap.ttls"
>
> I'm using a Let's Encrypt certificate, but I'm getting this error message.
>
> What files should I be using for the cert?
>
> Best regards,

Hi,

It seems that you have not installed the CA of Let's Encrypt.

What is the output of freeradius -X?

Kind regards,

--

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein




Re: Freeradius with lets encrypt certificate

André
In attachment.




Re: Freeradius with lets encrypt certificate

André
Correction of the method of extraction, according to the wiki.

In attachment.

Thank you


Re: Freeradius with lets encrypt certificate

André
Hello,

Problem solved by using openssl verify for debugging and this link:
https://stackoverflow.com/questions/50803160/unable-to-openssl-verify-letsencrypt-certificate
and by downloading the correct CA
and *ADDING* this CA https://www.identrust.com/dst-root-ca-x3 to a file, set as
ca_file = file

in mods-enabled/eap # tls-config tls-common {

Thank you all for your help.

Basically it looks like the root CA for Let's Encrypt changed.

Best regards,
Good year 2021 to all.

On Tue, Dec 29, 2020 at 7:47 PM Mark Elkins <[hidden email]> wrote:

> No idea if this will help but...
>
> I just had a very similar issue with Exim... my mail system. I was using
> the wrong (old) intermediate certificate - which has worked for years.
>
> I use 'dehydrated' to obtain and renew my Let's Encrypt certs. They have
> just stopped cross signing - and that triggered my issue - at 2am on the
> 25th Dec.
>
> EXIM requires the current cert, an intermediate, as well as what's in
> /usr/share/ca-certificates/mozilla (they use/are "ISRG_Root_X1.crt")...
> "dehydrated" has a file in the 'cert' directory called "fullchain.pem" Look
> at the second Certificate it contains - the new intermediate.
>
> The intermediate is no longer....
>
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> ..... cut ....
> PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
>
> but (in full)
>
> Maybe your problem - otherwise please simply delete this email and ignore
> me.
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> [hidden email]       Tel: +27.826010496 <+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
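
The failure and the fix discussed in this thread can be reproduced offline with openssl verify. This is an added example, not part of the original posts: it builds a constructed three-level lab PKI (all names, files and the `check_chain` helper are made up) and shows that a CA file holding only the intermediate gives "unable to get issuer certificate", while adding the root to the same file lets the chain verify.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: root -> intermediate -> server. Every name and file
# here is made up for the demonstration; nothing is a real Let's Encrypt cert.
LAB=$(mktemp -d)

make_lab_pki() (
  cd "$LAB" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[lab_ca]\nbasicConstraints=critical,CA:TRUE\n' > lab.cnf
  # Self-signed root (plays the role of the root CA)
  openssl req -config lab.cnf -x509 -extensions lab_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Lab Root" -days 2 || exit 1
  # Intermediate signed by the root (plays the role of the issuing CA)
  openssl req -config lab.cnf -new -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Lab Intermediate" || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile lab.cnf -extensions lab_ca -out int.pem -days 2 || exit 1
  # Server certificate signed by the intermediate
  openssl req -config lab.cnf -new -newkey rsa:2048 -nodes \
    -keyout srv.key -out srv.csr -subj "/CN=radius.lab.test" || exit 1
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out srv.pem -days 2
) >/dev/null 2>&1

# Verify srv.pem against a candidate ca_file. Prints openssl's output and
# returns its exit status (non-zero when the chain cannot be completed).
check_chain() {
  openssl verify -CAfile "$LAB/$1" "$LAB/srv.pem" 2>&1
}

make_lab_pki
# Candidate 1: only the intermediate, so the intermediate's own issuer is missing.
cp "$LAB/int.pem" "$LAB/ca_incomplete.pem"
# Candidate 2: the root *added* to the same file, as in the fix described above.
cat "$LAB/int.pem" "$LAB/root.pem" > "$LAB/ca_complete.pem"

check_chain ca_incomplete.pem || echo "-> chain cannot be completed"
check_chain ca_complete.pem && echo "-> chain verifies"
```

Running the same `openssl verify -CAfile` check against the real CA file and server certificate before restarting the server shows whether the file named in ca_file completes the chain.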
