Hi,
In my setup, I am trying to verify the working of the *CRLCheck* option in the
tls config block of radsecproxy. I currently have a CACertificateFile
statement in the radsecproxy config that is pointing to a ca.pem. I created
a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy, only
to find the following error message:
Jan 18 11:31:56 2021: verify error: num=3:unable to get certificate CRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN=127.0.0.1/emailAddress=admin@example.org
Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
It looked like radsecproxy tried to pick up the CRL file but could not find
it where it was expecting it. Hence I removed the CACertificateFile option
from the TLS block of the config file and added a CACertificatePath option
that points to the directory that has the CA and CRL files, and now I am
getting this error. What am I missing here?
....
Jan 19 08:05:36 2021: tlsconnect: connecting to 127.0.0.1
Jan 19 08:05:36 2021: connecttcphostlist: trying to open TCP connection to 127.0.0.1 port 2083
Jan 19 08:05:36 2021: Connection up
Jan 19 08:05:36 2021: connecttcphostlist: TCP connection to 127.0.0.1 port 2083 up
Jan 19 08:05:36 2021: verify error: num=19:self signed certificate in certificate chain:depth=1:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed
Jan 19 08:05:36 2021: Next connection attempt to 127.0.0.1 in 60s
....
Jan 19 08:06:36 2021: tlsconnect: connecting to 127.0.0.1
Thanks
Imtiyaz