2023-02-03
Freeradius doesn't like the old LetsEncrypt chain
I was doing some testing with freeradius and suddenly nothing worked with the following error in debug mode:

    (7) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
    (7) eap_peap: TLS_accept: Need to read more data: error
    (7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

I checked the certificate and renewed it. The normal autorenewal processes had not run since the previous tests with radius and 802.1x authentication on wifi, so that wasn't unexpected, but this still didn't solve it: I kept getting the error message.

After some deep searching why it worked before, I saw I had requested that certificate in a different way where I had the chain with only ISRG Root X1, because sendmail gave me SSL verification failures after the DST Root CA expired. So I did the same as I did before: I configured dehydrated (my preferred ACME client) on the radius test machine to use the LetsEncrypt issuer chain without the DST Root CA cross signature, with the following in /etc/dehydrated/config:

    # Preferred issuer chain (default: <unset> -> uses default chain)
    PREFERRED_CHAIN="ISRG Root X1"
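
A check for the situation described above, added here as an example and not part of the original post: it lists every certificate in a PEM chain file and flags any that is expired or was issued under the DST Root CA cross signature. The function names, the demo host name and the self-signed demo certificates are assumptions made for illustration; the real chain file path depends on your dehydrated setup.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Requires the openssl CLI.
# Usage after sourcing this file: chain_report /path/to/chain.pem

# chain_report FILE [ISSUER_PATTERN]
# Prints one line per certificate in a PEM bundle: flag, subject, issuer, notAfter.
# Returns 1 if a certificate is expired or its issuer matches ISSUER_PATTERN.
chain_report() {
    local file="$1" pattern="${2:-DST Root CA}" tmp cert issuer flag rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > out }
    ' "$file"
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || { echo "no certificates found in $file" >&2; rc=2; break; }
        issuer=$(openssl x509 -in "$cert" -noout -issuer)
        flag=ok
        # -checkend 0 exits non-zero when notAfter is already in the past.
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || flag=EXPIRED
        case $issuer in *"$pattern"*) flag=LEGACY-ISSUER ;; esac
        [ "$flag" = ok ] || rc=1
        printf '%-13s %s | %s | %s\n' "$flag" \
            "$(openssl x509 -in "$cert" -noout -subject)" "$issuer" \
            "$(openssl x509 -in "$cert" -noout -enddate)"
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR CA_NAME
# Writes DIR/chain.pem holding two constructed, self-signed certificates
# (demo data only; in a real chain the flagged certificate is the cross-signed
# intermediate, here the self-signed demo CA simply carries CA_NAME as issuer).
make_demo_chain() {
    local dir="$1" name
    : > "$dir/chain.pem"
    for name in "radius.example.test" "$2"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$name" \
            -keyout "$dir/key.pem" -out "$dir/one.pem" 2>/dev/null || return 1
        cat "$dir/one.pem" >> "$dir/chain.pem"
    done
}
```

Run `chain_report` against the chain file the RADIUS server actually presents, before and after setting `PREFERRED_CHAIN`, to confirm the cross-signed certificate is gone.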