Freeradius doesn't like the old LetsEncrypt chain / 2023-02-03

2023-02-03 Freeradius doesn't like the old LetsEncrypt chain
I was doing some testing with freeradius and suddenly nothing worked with the following error in debug mode:
(7) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(7) eap_peap: TLS_accept: Need to read more data: error
(7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
I checked the certificate and renewed it. The normal autorenewal processes had not run since the previous tests with radius and 802.1x authentication on wifi so that wasn't unexpected but this still didn't solve it: I kept getting the error message.

After some deep searching why it worked before I saw I had requested that certificate in a different way where I had the chain with only ISRG Root X1 because sendmail gave me SSL verification failures after the DST Root CA expired. So I did the same as I did before: I configured dehydrated (my preferred ACME client) on the radius testmachine to use the LetsEncrypt issuer chain without the DST Root CA cross signature, with the following in /etc/dehydrated/config :
# Preferred issuer chain (default: <unset> -> uses default chain)
PREFERRED_CHAIN="ISRG Root X1"

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites
This page generated by $Id: newsitem.cgi,v 1.62 2023/09/19 14:49:50 koos Exp $ in 0.007630 seconds.