Feature #10908

open

FreeRADIUS server certificate not using full CA chain

Added by Viktor Gurov about 1 year ago. Updated about 1 year ago.

Status:
Feedback
Priority:
Normal
Category:
FreeRADIUS
Target version:
-
Start date:
09/17/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:

Description

https://forum.netgate.com/topic/153316/freeradius-acme-built-in-cert-manager-workarounds-with-intermediate-certificate:

Recently I was facing an issue with FreeRADIUS using the built-in cert manager, whose certificates are managed by the ACME package.
The error was quite hard to understand in debug mode:

eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied

For your information, I'm using FreeRADIUS for WPA2 Enterprise Authentication over NAS.
With phones everything is fine (Android or iOS).
But that error occurred with Windows OS and sometimes with macOS.

After a few hours of troubleshooting and re-reading the FreeRADIUS documentation (TLS Certificate part), it appears the client machine additionally requires the intermediate certificate for the authentication when we are using a Let's Encrypt certificate.

The problem is that the ACME package stores only the normal generated/renewed certificate (including the CA one) but not the fullchain one.

My workarounds are:

Copy/paste the full chain certificate into the cert manager and reconfigure FreeRADIUS to use it
Or, automate it at renewal with the following command:

cp /tmp/acme/yourdomain/yourdomain/fullchain.cer /usr/local/etc/raddb/certs/server_cert.pem

So, my questions are:

What would be the best way to apply that?
Enhance the ACME package to detect the usage in FreeRADIUS and perform the copy operation?
Add a way for the ACME package to also add the fullchain certificate into the built-in cert manager at renewal?
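The copy workaround above, with the check a practitioner would want before swapping the file in, as an added example that is not part of the forum post, the ACME package or the FreeRADIUS package: it only installs the file as the FreeRADIUS server certificate when the PEM actually carries more than the leaf (at least one intermediate), which is exactly what the Windows supplicant was missing. The real paths are the ones from the post; the reload command and the dummy PEM blocks used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post or the ACME/FreeRADIUS packages.
# Install an ACME fullchain file as the FreeRADIUS server certificate only after
# checking that it really holds the leaf plus at least one intermediate certificate.

# Print the number of PEM certificate blocks in a file (0 if missing or none).
count_pem_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Succeed (0) only if the file carries a chain: two or more certificates.
has_full_chain() {
    n=$(count_pem_certs "$1")
    [ "$n" -ge 2 ]
}

# install_fullchain SRC DST [RELOAD_CMD]
# Refuses a leaf-only file (the situation behind the "access denied" alert above),
# skips the copy when DST is already identical, replaces DST atomically, then runs
# RELOAD_CMD (assumption, e.g. "service radiusd reload") only when the file changed.
install_fullchain() {
    src="$1"; dst="$2"; reload="${3:-}"
    if ! has_full_chain "$src"; then
        echo "refusing $src: only $(count_pem_certs "$src") certificate(s), no intermediate" >&2
        return 1
    fi
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0                      # unchanged since last renewal, nothing to do
    fi
    tmp="$dst.tmp.$$"
    if ! { cp "$src" "$tmp" && chmod 0600 "$tmp" && mv "$tmp" "$dst"; }; then
        rm -f "$tmp"; return 1
    fi
    [ -n "$reload" ] && $reload
    return 0
}

# Demo with constructed dummy PEM blocks (not real certificates) in a temp directory.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' > "$demo_dir/leaf.cer"
cat "$demo_dir/leaf.cer" > "$demo_dir/fullchain.cer"
printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n' >> "$demo_dir/fullchain.cer"
install_fullchain "$demo_dir/leaf.cer" "$demo_dir/server_cert.pem" || echo "leaf-only file rejected"
install_fullchain "$demo_dir/fullchain.cer" "$demo_dir/server_cert.pem" && echo "full chain installed"
# Real paths from the post: /tmp/acme/yourdomain/yourdomain/fullchain.cer
#                       ->  /usr/local/etc/raddb/certs/server_cert.pem
```

For a renewal hook, call install_fullchain with the two real paths and the reload command, so a renewal that produced a leaf-only file never replaces a working chain.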

Actions #1

Updated by Viktor Gurov about 1 year ago

  • Category changed from ACME to FreeRADIUS

Actions #2

Updated by Jim Pingle about 1 year ago

  • Subject changed from ACME fullchain to FreeRADIUS server certificate not using full CA chain
  • Status changed from New to Pull Request Review

Actions #3

Updated by Renato Botelho about 1 year ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!
