Hi, does nobody know how to set up freeradius to check new CRL lists? Should I provide more information (it is not easy to get the output from radiusd -X, but if it is essential I can try it)?
Thank you for any suggestion

Martin Čmelík

2011/11/10 Martin Čmelík <martin.cme...@gmail.com>:
> Hi,
>
> I downloaded the current stable freeradius version 2.1.12 and imported the
> configuration from the old server (rewrote etc/raddb).
> Everything seems to be OK, but I must now add another two trusted CAs
> into ca.pem and also enable checking against CRL files, as for the others.
>
> Let's say that eap.conf is set up by default:
>
> tls {
>     certdir = ${confdir}/certs
>     cadir = ${confdir}/certs
>     private_key_password = whatever
>     private_key_file = ${certdir}/server.pem
>     certificate_file = ${certdir}/server.pem
>     CA_file = ${cadir}/ca.pem
>     dh_file = ${certdir}/dh
>     random_file = ${certdir}/random
>     check_crl = yes
>     CA_path = ${cadir}
>     cipher_list = "DEFAULT"
>     make_cert_command = "${certdir}/bootstrap"
>     ecdh_curve = "prime256v1"
>     cache {
>         enable = no
>         max_entries = 255
>     }
>     verify {
>     }
>     ocsp {
>         enable = no
>         override_cert_url = yes
>         url = "http://127.0.0.1/ocsp/"
>     }
> }
>
> One of our scripts downloads CRL files every 20 minutes, moves them to the
> certs directory and runs c_rehash on them.
>
> It works for the old certificates (4x CAs) but doesn't work for the two
> which I added now.
>
> When somebody with a certificate issued by a new CA tries to log in, I see
> this error in the log:
>
> Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
> Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)
>
> Hashes are generated well:
>
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
> lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 5a64316f.0 -> radius.crt
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
> lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 68db0f86.0 -> radius.pem
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
> lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
> lrwxrwxrwx 1 radius radius  6 Nov 10 16:19 f6efabfa.0 -> ca.pem
>
> ...
>
> My question is: how does freeradius find the correct CRL list and check
> whether a user certificate is still valid?
>
> This radius server was set up by a colleague many years ago and he can't
> remember how he did this :]
>
> Thank you very much, because there is a lack of any information about it
> on the Internet.
>
> —
> Martin Čmelík
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
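Added example (editor's addition, not code from the thread or from the FreeRADIUS project). FreeRADIUS does not search for CRLs itself: with CA_path set and check_crl = yes it hands the directory to OpenSSL, which looks up the CRL for a client certificate by the hash of the issuer name, trying <hash>.r0, <hash>.r1, ... under CA_path. Those are exactly the links c_rehash creates (.N links point at CA certificates, .rN links at CRLs). Verify error num=3, "unable to get certificate CRL", is OpenSSL reporting that no CRL for the issuer of the presented certificate was found. The script below audits that mapping: for every CA in the ca.pem bundle it computes the subject hash with `openssl x509 -hash`, checks that a <hash>.r0 link exists in the certs directory, and checks that the link really is a CRL from that CA. It requires the openssl CLI; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit the CA_file bundle and
# the hashed CA_path directory that FreeRADIUS hands to OpenSSL. A CA that has
# no <hash>.r0 CRL link under CA_path makes every client of that CA fail with
# "unable to get certificate CRL" when check_crl = yes.
# Requires the openssl CLI; the paths passed in are assumptions.

# OpenSSL name hash of a CA certificate's subject (what c_rehash uses for .N links).
ca_subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# OpenSSL name hash of a CRL's issuer (what c_rehash uses for .rN links).
# Prints nothing if the file is not a CRL.
crl_issuer_hash() {
    openssl crl -noout -hash -in "$1" 2>/dev/null
}

# Split a PEM bundle such as ca.pem into one file per certificate: OUTDIR/ca-N.pem
split_bundle() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%d.pem", out, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# audit_crl_dir CA_PATH CA_FILE
# For every CA in CA_FILE, check that CA_PATH holds a <hash>.r0 link whose
# target is a CRL issued by that CA. Returns 0 if every CA has one, 1 otherwise.
audit_crl_dir() {
    capath=$1
    cafile=$2
    tmp=$(mktemp -d) || return 2
    split_bundle "$cafile" "$tmp"
    missing=0
    for cert in "$tmp"/ca-*.pem; do
        [ -f "$cert" ] || continue
        hash=$(ca_subject_hash "$cert")
        subject=$(openssl x509 -noout -subject -in "$cert")
        link="$capath/$hash.r0"
        if [ ! -e "$link" ]; then
            # This is the case behind verify error num=3 for this CA's clients.
            echo "NO-CRL  $hash  $subject  (no $hash.r0 in $capath)"
            missing=$((missing + 1))
        elif [ "$(crl_issuer_hash "$link")" != "$hash" ]; then
            echo "BADLINK $hash  $subject  ($hash.r0 is not a CRL from this CA)"
            missing=$((missing + 1))
        else
            target=$(readlink "$link" 2>/dev/null || echo "$link")
            next=$(openssl crl -noout -nextupdate -in "$link")
            echo "OK      $hash  $subject  ($target, $next)"
        fi
    done
    rm -rf "$tmp"
    [ "$missing" -eq 0 ]
}

# Usage (paths are assumptions): sh audit_crl.sh /etc/raddb/certs /etc/raddb/certs/ca.pem
if [ $# -eq 2 ]; then
    audit_crl_dir "$1" "$2"
fi
```

Two caveats when reading the output. The hash printed by `openssl x509 -hash` and used by c_rehash changed between OpenSSL 0.9.8 and 1.0.0, so the tool that builds the links must be from the same OpenSSL major version that radiusd is linked against (older-style values are available as `-subject_hash_old` and `-hash_old`). And OpenSSL keeps CRLs it has loaded in memory, so a refreshed .rN file is in practice not picked up by a running radiusd until it is restarted, which matters for a 20-minute download cycle.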