freeradius - certificate verify failed


rune.t...@gmail.com

Jun 30, 2015, 4:22:53 AM
to lin...@googlegroups.com
Hi guys, getting a certificate error... I got a valid cert and when accessing selfservice and /manage all is OK - using a SHA256 wildcard cert in apache2.

Getting the below error from FreeRADIUS - how to fix?

```
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+- entering group authenticate {...}
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://linotp01.mydomain.com/validate/simplecheck
rlm_perl: RAD_REQUEST: NAS-IP-Address = 101.11.51.101
rlm_perl: RAD_REQUEST: User-Password = 621654
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xe632e9399c7e2244b5f729c7898c3183
rlm_perl: RAD_REQUEST: NAS-Identifier = ctxsg.mydomain.com
rlm_perl: RAD_REQUEST: User-Name = te...@somedomain.com
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://linotp01.mydomain.com/validate/simplecheck
rlm_perl: User: te...@somedomain.com
rlm_perl: urlparam client = 101.11.51.101
rlm_perl: urlparam pass = 621654
rlm_perl: urlparam user = te...@somedomain.com
rlm_perl: urlparam realm = myadsite
rlm_perl: perl_embed:: module = /usr/lib/linotp/radius_linotp.pm , func = authenticate exit status= Error at https://linotp01.mydomain.com/validate/simplecheck 500 Can't connect to linotp01.mydomain.com:443 (certificate verify failed) Aborting at /usr/lib/linotp/radius_linotp.pm line 282.
rlm_perl: Added pair NAS-IP-Address = 101.11.51.101
rlm_perl: Added pair User-Password = 621654
rlm_perl: Added pair Message-Authenticator = 0xe632e9399c7e2244b5f729c7898c3183
rlm_perl: Added pair NAS-Identifier = ctxsg.mydomain.com
rlm_perl: Added pair User-Name = te...@somedomain.com
rlm_perl: Added pair Auth-Type = perl
++[perl] returns reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
```

Mirko Ahnert

Jun 30, 2015, 5:33:10 AM
to lin...@googlegroups.com, rune.t...@gmail.com
Hi Rune,

Please make sure SSL_CHECK=False is set in /etc/linotp2/rlm_perl.ini.

But what is more likely the problem:

FreeRADIUS uses OpenSSL for connecting, and if OpenSSL does not support SHA256 it is not going to work... You can check the supported ciphers with:

openssl ciphers

Kind regards,

Mirko

-- 
Mirko Ahnert 
LSE Leading Security Experts GmbH, http://www.lsexperts.de 
Postfach 100121, 64201 Darmstadt, Germany 
Zentrale: +49 6151 86086-0 , Fax: -299 
Support Hotline: +49 6151 86086-115 
Unternehmenssitz: Weiterstadt Amtsgericht Darmstadt: HRB8649 
Geschäftsführer: Oliver Michel, Sven Walther 

Rune Tipsmark

Jun 30, 2015, 6:07:12 AM
to Mirko Ahnert, lin...@googlegroups.com
Hi Mirko,
It was set to False, I had checked it. I put on an old wildcard cert with SHA1 but got the same result... still OK in browsers.

openssl ciphers | grep SHA256 showed quite a few SHA256 options so I think it must be supported.

Any other ideas?

Rune Tipsmark

Jun 30, 2015, 7:30:36 AM
to Mirko Ahnert, lin...@googlegroups.com
I added SSLCertificateChainFile to /etc/apache2/sites-enabled/linotp2.conf and pointed it to my intermediate CA certificate (Rapid SSL), and all is good now...

slasi...@lbl.gov

Mar 16, 2016, 2:13:28 PM
to LinOTP, mirko....@lsexperts.de, rune.t...@gmail.com
I think it's safe to say that this parameter does not work:

```
# openssl ciphers | grep SHA256
(Shows many SHA256 ciphers)
# grep SSL_CHECK /etc/linotp2/rlm_perl.ini
SSL_CHECK=False
# radiusd -X
...
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
...
rlm_perl: LinOTP Request failed: at https://linotp.example.org/validate/simplecheck Details: 500 Can't connect to linotp.example.org:443 (certificate verify failed)
Failed to authenticate the user.
...
```

The only way to work around this is to fix the actual certificate handshaking problems between the client & the server. We should always do that for production anyway, but it can cause a headache when evaluating LinOTP as a solution.

-= Stefan
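Rune's fix (making Apache send the intermediate CA certificate via SSLCertificateChainFile) and Stefan's conclusion that the chain itself has to be repaired come down to the same check. The script below is an added example, not code from this thread or from LinOTP: it builds a throwaway root/intermediate/leaf hierarchy with the openssl command-line tool and shows that the leaf only verifies when the intermediate is supplied alongside it, which is what a non-browser client such as rlm_perl's HTTP library depends on. The names Demo Root CA, Demo Intermediate CA and linotp01.example.test are made up.

```shell
#!/bin/sh
# Throwaway CA hierarchy: root -> intermediate -> leaf. The client trusts
# only the root, so the leaf verifies only if the intermediate is supplied
# alongside it, which is what SSLCertificateChainFile makes Apache do.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:linotp01.example.test\n' > "$WORK/leaf.ext"

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }
newkey "$WORK/root.key"
openssl req -x509 -new -key "$WORK/root.key" -subj '/CN=Demo Root CA' -days 2 \
  -config "$WORK/req.cnf" -out "$WORK/root.pem" 2>/dev/null
newkey "$WORK/int.key"
openssl req -new -key "$WORK/int.key" -subj '/CN=Demo Intermediate CA' \
  -config "$WORK/req.cnf" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -set_serial 1 \
  -days 2 -extfile "$WORK/req.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
newkey "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -subj '/CN=linotp01.example.test' \
  -config "$WORK/req.cnf" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -set_serial 2 \
  -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Verify the leaf against the trusted root the way a TLS client would.
# $1 = leaf certificate; $2 (optional) = intermediate(s) the server sent along.
check_leaf() {
  if [ $# -ge 2 ]; then
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$WORK/root.pem" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo verified ;;                    # chain built up to the root
    *)        echo "certificate verify failed" ;; # e.g. unable to get local issuer certificate
  esac
}

echo "leaf only (intermediate missing):  $(check_leaf "$WORK/leaf.pem")"
echo "leaf + intermediate (full chain):  $(check_leaf "$WORK/leaf.pem" "$WORK/int.pem")"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates it sends, which is the quickest way to see whether the intermediate is missing.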