Hi,
In my setup, I am trying to verify the working of *CRLCheck *option in the tls config block of radsecproxy. I currently have a CACertificateFile statement in the radsecproxy config that is pointing to a ca.pem. I created a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy only to find the following error message:-
Jan 18 11:31:56 2021: verify error: num=3:unable to get certificate CRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN= 127.0.0.1/emailAddress=admin@example.org Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Looked like radsecproxy tried to pick up the CRL file but it could not find it where it was expecting it. Hence I removed the CACertificateFile option from the TLS block of the config file and added CACertificatePath option that points to the directory that has the CA and CRL files and now I am getting this error. What am I missing here ?
....Jan 19 08:05:36 2021: tlsconnect: connecting to 127.0.0.1 Jan 19 08:05:36 2021: connecttcphostlist: trying to open TCP connection to 127.0.0.1 port 2083 Jan 19 08:05:36 2021: Connection up Jan 19 08:05:36 2021: connecttcphostlist: TCP connection to 127.0.0.1 port 2083 up Jan 19 08:05:36 2021: verify error: num=19:self signed certificate in certificate chain:depth=1:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed Jan 19 08:05:36 2021: tlsconnect: SSL connect to 127.0.0.1 failed Jan 19 08:05:36 2021: Next connection attempt to 127.0.0.1 in 60s ....Jan 19 08:06:36 2021: tlsconnect: connecting to 127.0.0.1
Thanks Imtiyaz
Hi Imtiyaz
On 19.01.21, 17:34, "Imtiyaz Mohammad" imtiyaz@arista.com wrote: In my setup, I am trying to verify the working of CRLCheck option in the tls config block of radsecproxy. I currently have a CACertificateFile statement in the radsecproxy config that is pointing to a ca.pem. I created a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy only to find the following error message:-
Jan 18 11:31:56 2021: verify error: num=3:unable to get certificate CRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN=127.0.0.1/emailAddress=admin@example.org http://127.0.0.1/emailAddress=admin@example.org Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Looked like radsecproxy tried to pick up the CRL file but it could not find it where it was expecting it. Hence I removed the CACertificateFile option from the TLS block of the config file and added CACertificatePath option that points to the directory that has the CA and CRL files and now I am getting this error. What am I missing here ?
Most likely, you are missing the hash-symlinks (symbolic links named by the hash values linking to the certificate file), typically created with 'openssl rehash' or 'c_rehash'.
Regards, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39
Hello Fabian,
Thanks, that does the trick.
- Imtiyaz
On Wed, Jan 20, 2021 at 9:13 PM Fabian Mauchle fabian.mauchle@switch.ch wrote:
Hi Imtiyaz
On 19.01.21, 17:34, "Imtiyaz Mohammad" imtiyaz@arista.com wrote: In my setup, I am trying to verify the working of CRLCheck option in the tls config block of radsecproxy. I currently have a CACertificateFile statement in the radsecproxy config that is pointing to a ca.pem. I created a CRL using the ca.pem and ca.cnf and issued a SIGHUP to radsecproxy only to find the following error message:-
Jan 18 11:31:56 2021: verify error: num=3:unable to get certificateCRL:depth=0:/C=FR/ST=Radius/O=Example Inc./CN= 127.0.0.1/emailAddress=admin@example.org < http://127.0.0.1/emailAddress=admin@example.org%3E Jan 18 11:31:56 2021: tlsconnect: SSL connect to 127.0.0.1 failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Looked like radsecproxy tried to pick up the CRL file but it could notfind it where it was expecting it. Hence I removed the CACertificateFile option from the TLS block of the config file and added CACertificatePath option that points to the directory that has the CA and CRL files and now I am getting this error. What am I missing here ?
Most likely, you are missing the hash-symlinks (symbolic links named by the hash values linking to the certificate file), typically created with 'openssl rehash' or 'c_rehash'.
Regards, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39
Thanks and Regards, Imtiyaz
-
Fabian Mauchle -
Imtiyaz Mohammad