Hello Fabian, 

Thanks, that does the trick.

- Imtiyaz


On Wed, Jan 20, 2021 at 9:13 PM Fabian Mauchle <fabian.mauchle@switch.ch> wrote:
Hi Imtiyaz

On 19.01.21, 17:34, "Imtiyaz Mohammad" <imtiyaz@arista.com> wrote:
    In my setup, I am trying to verify the working of CRLCheck option in the tls config block of radsecproxy. I currently have a CACertificateFile statement in the radsecproxy config that is pointing to a ca.pem. I created a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy only to find the following error message:-

    Jan 18 11:31:56 2021: verify error: num=3:unable to get certificate CRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN=127.0.0.1/emailAddress=admin@example.org
    Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

    Looked like radsecproxy tried to pick up the CRL file but it could not find it where it was expecting it. Hence I removed the CACertificateFile option from the TLS block of the config file and added CACertificatePath option that points to the directory that has the CA and CRL files and now I am getting this error. What am I missing here?

Most likely, you are missing the hash-symlinks (symbolic links named by the hash values linking to the certificate file), typically created with 'openssl rehash' or 'c_rehash'.

Regards,
Fabian

--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39

Thanks and Regards,
Imtiyaz
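Fabian's diagnosis rests on how OpenSSL's directory lookup works: a CApath directory is not scanned, it is probed by file name, so the CA certificate must be reachable as `<subject_hash>.N` and the CRL as `<issuer_hash>.rN`, which is exactly what `openssl rehash` / `c_rehash` create. The script below is an added example for checking a directory meant for radsecproxy's CACertificatePath before sending the SIGHUP; it is not code from radsecproxy or from the thread. It assumes `openssl` is on PATH, that the directory holds PEM files with `.pem`, `.crt`, `.cer` or `.crl` extensions (the extensions `openssl rehash` looks at), and the function names and the `--demo` handling are my own.

```shell
#!/bin/sh
# Added example: build and verify a CACertificatePath directory for radsecproxy.
# Assumptions: openssl on PATH; certs/CRLs stored as PEM with .pem/.crt/.cer/.crl names.

# Create the hash links OpenSSL's by-directory lookup needs.
# 'openssl rehash' (OpenSSL >= 1.1.0) links certs as HASH.N and CRLs as HASH.rN;
# older installs only ship the c_rehash perl script, so fall back to that.
rehash_capath() {
    dir=$1
    if openssl rehash "$dir" >/dev/null 2>&1; then
        return 0
    fi
    c_rehash "$dir" >/dev/null
}

# Report every certificate or CRL in the directory that has no hash link yet.
# Prints one line per missing link; returns 0 only when all links are present.
check_capath() {
    dir=$1
    missing=0
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer "$dir"/*.crl; do
        [ -f "$f" ] || continue
        # Classify by content, not by extension: a CRL may well be stored as crl.pem.
        if grep -q 'BEGIN X509 CRL' "$f"; then
            hash=$(openssl crl -in "$f" -noout -hash)          # CRLs link by issuer hash
            suffix=r
        else
            hash=$(openssl x509 -in "$f" -noout -subject_hash) # certs link by subject hash
            suffix=
        fi
        found=0
        for link in "$dir/$hash.$suffix"[0-9]*; do
            if [ -e "$link" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $f (expected $dir/$hash.${suffix}N)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Exercise the same lookup radsecproxy's TLS code will perform, without touching
# the daemon: extra arguments (e.g. -crl_check) are passed through to openssl verify.
verify_with_capath() {
    dir=$1
    cert=$2
    shift 2
    openssl verify -CApath "$dir" "$@" "$cert"
}

# Stand-alone use: ./capath-check.sh --demo /etc/radsecproxy/cacerts peer.pem
# rehashes the directory, reports missing links, then verifies peer.pem with CRL checking.
if [ "${1:-}" = "--demo" ] && [ $# -ge 3 ]; then
    rehash_capath "$2"
    check_capath "$2"
    verify_with_capath "$2" "$3" -crl_check
fi
```

With only the CA certificate and CRL copied into the directory, `check_capath` prints one line per missing link and `verify_with_capath ... -crl_check` reproduces the "unable to get certificate CRL" failure from the log; after `rehash_capath` both succeed, and only then is the SIGHUP worth sending.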