Hi, 

In my setup, I am trying to verify the working of the CRLCheck option in the tls config block of radsecproxy. I currently have a CACertificateFile statement in the radsecproxy config that is pointing to a ca.pem. I created a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy, only to find the following error message:

Jan 18 11:31:56 2021: verify error: num=3:unable to get certificate CRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN=127.0.0.1/emailAddress=admin@example.org
Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

It looked like radsecproxy tried to pick up the CRL file but could not find it where it was expecting it. Hence I removed the CACertificateFile option from the TLS block of the config file and added the CACertificatePath option, which points to the directory that has the CA and CRL files, and now I am getting this error. What am I missing here?

....Jan 19 08:05:36 2021: tlsconnect: connecting to 127.0.0.1
Jan 19 08:05:36 2021: connecttcphostlist: trying to open TCP connection to 127.0.0.1 port 2083
Jan 19 08:05:36 2021: Connection up
Jan 19 08:05:36 2021: connecttcphostlist: TCP connection to 127.0.0.1 port 2083 up
Jan 19 08:05:36 2021: verify error: num=19:self signed certificate in certificate chain:depth=1:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed
Jan 19 08:05:36 2021: Next connection attempt to 127.0.0.1 in 60s
....Jan 19 08:06:36 2021: tlsconnect: connecting to 127.0.0.1


Thanks 
Imtiyaz
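
Added example, not part of the original message and not radsecproxy code: a check of what OpenSSL's hashed-directory lookup can actually see in a CA directory, since that lookup opens only files named `<hash>.N` (certificates) and `<hash>.rN` (CRLs) and never reads names such as ca.pem. It assumes radsecproxy hands CACertificatePath to OpenSSL as such a directory; the function names, the file name ca.crl and the hash value are constructed for illustration.

```python
import os
import re
import tempfile

# OpenSSL's hashed-directory lookup opens only these names:
#   <8 hex digits>.<n>   certificate      <8 hex digits>.r<n>   CRL
HASHED = re.compile(r"^([0-9a-f]{8})\.(r?)(\d+)$")

def audit_capath(path):
    """Classify the entries of a CA directory by what a hashed lookup can see."""
    certs, crls, ignored = set(), set(), []
    for name in sorted(os.listdir(path)):
        m = HASHED.match(name)
        if not m:
            ignored.append(name)        # e.g. ca.pem: never opened by the lookup
        elif m.group(2):
            crls.add(m.group(1))        # CRL entry for this issuer hash
        else:
            certs.add(m.group(1))       # certificate entry for this subject hash
    return {
        "ignored": ignored,
        "no_trust_anchor": not certs,             # no CA certificate is findable
        "cas_without_crl": sorted(certs - crls),  # CRL check has nothing to consult
    }

def _touch(directory, name):
    open(os.path.join(directory, name), "w").close()

def demo():
    """Constructed directories; 1a2b3c4d is a made-up sample hash, ca.crl an assumed name."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.pem", "ca.crl"):   # plain names, as copied by hand
            _touch(d, name)
        results["plain"] = audit_capath(d)
        # Names as c_rehash / `openssl rehash` would create them (normally symlinks).
        _touch(d, "1a2b3c4d.0")
        results["cert_only"] = audit_capath(d)
        _touch(d, "1a2b3c4d.r0")
        results["rehashed"] = audit_capath(d)
    return results

if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

On a real directory, the hash to expect for a given file is what `openssl x509 -hash -noout -in ca.pem` prints for the CA certificate and `openssl crl -hash -noout -in <crl file>` prints for the CRL.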