[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Heikki Vatiainen hvn at open.com.au
Thu Dec 15 04:56:37 CST 2011


On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted
> before is the complete config (I only cut the descriptions and the lines that
> were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CAs. The CA-files are all stored in
> the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a
> certificate. Is there any need to use the CA-files directly instead of the
> CAPath?

If you use CAPath, the certificate files are accessed by CA subject name
hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root     20 2011-10-13 16:42 ddc328ff.0 -> Thawte_Server_CA.pem

See this for how to use command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certificates in one file
and point TLS_CAFile to that file. That might be easier than maintaining the
symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap
> server (this works!), but we have to use TLS for radsec with the toplevel
> server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP
connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and
TTLS inner authentication via RADIUS?

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
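As an added example (not part of this thread and not Radiator's own code), the following POSIX shell functions build a hashed TLS_CAPath directory the way c_rehash does, build the single-file TLS_CAFile bundle as the alternative, and run the same verification OpenSSL performs before the "certificate verify failed" error is raised. It assumes the openssl command-line tool is installed; the directory and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from Radiator.
# Assumes the openssl command-line tool is installed.
set -eu

# build_capath SRC_DIR DEST_DIR
# For every PEM file in SRC_DIR, compute OpenSSL's subject name hash and
# create DEST_DIR/<hash>.N pointing at it, as c_rehash does. N starts at 0
# and is incremented when two CAs share a hash, which is why a listing shows
# names such as "ddc328ff.0". -CApath lookups only find files named this way.
build_capath() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done
        # absolute target so the link resolves regardless of DEST_DIR location
        abs="$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")"
        ln -sf "$abs" "$dest/$hash.$n"
    done
}

# build_cafile SRC_DIR OUT_FILE
# The TLS_CAFile alternative: one PEM bundle holding every CA in the chain,
# no hashed names or links to keep in sync.
build_cafile() {
    cat "$1"/*.pem > "$2"
}

# verify_chain CERT CAPATH CAFILE
# Returns 0 only if CERT chains to a trusted CA in both stores; a failure here
# is what surfaces in Radiator as "certificate verify failed".
verify_chain() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1 &&
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
}
```

Run build_capath again after adding or renewing any CA file; a stale directory with no link for the new subject hash fails exactly like a missing CA.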

