I can't comment on the full chain from Let's Encrypt as I'm not knowledgeable about that. However, one other option would be to buy a cert from a provider that already has trusted CA certs in iOS/Android and then the personal devices would trust the cert without needing CA info maybe?

On Mon, Dec 8, 2025 at 1:41 PM Abdlmalek Luttei <[email protected]> wrote:

> Hi Aaron,
>
> Thanks a lot for the clarification.
>
> In my case, the environment is fully *BYOD*, so unfortunately I can’t rely on MDM or any manual installation of CA/intermediate certificates on the users’ devices. Because of that, I’m trying to achieve a setup where iOS devices automatically trust the RADIUS certificate during 802.1X onboarding without requiring any user interaction.
>
> That’s why I wanted to confirm whether PacketFence can be configured to *automatically serve the complete Let’s Encrypt chain* (leaf + intermediate + root) during the EAP handshake. If PF already builds and sends the full chain by default, then I may need to verify why iOS is still classifying the certificate as “Not Trusted.”
>
> Is there any way within PacketFence to ensure the full chain is always included during RADIUS authentication specifically for BYOD onboarding? Or any recommended configuration to avoid iOS trust warnings when no MDM is involved?
>
> Any guidance would be greatly appreciated.
>
> Best regards,
> Abdlmalik
>
> ------------------------------
> *From:* Aaron Zuercher via PacketFence-users <[email protected]>
> *Sent:* Thursday, November 20, 2025 10:42 PM
> *To:* [email protected] <[email protected]>
> *Cc:* Aaron Zuercher <[email protected]>
> *Subject:* Re: [PacketFence-users] iOS Not Trusting RADIUS Certificate (Let’s Encrypt Chain Issue – PF 14.1)
>
> Hello,
> we are on PF 13.2 still but if you go to Configuration > SSL Certificates and Radius tab you will see the full chain of LE certs including CA and Intermediate certs. Also PF will auto-renew the certs monthly.
>
> We deliver all the necessary certs to our Apple devices via MDM.
>
> Aaron
>
> On Sat, Nov 8, 2025 at 9:41 AM Abdlmalek Luttei via PacketFence-users <[email protected]> wrote:
>
> Hi all,
>
> After setting up 802.1X on a new SSID (PacketFence 14.1, Let’s Encrypt cert), my iPhone sees the RADIUS cert but flags it as Not Trusted. I double-checked I’m using the right cert. It looks like FreeRADIUS isn’t sending the full chain during EAP (leaf + intermediate), so iOS can’t validate it.
>
> Questions:
>
> 1. Is there a GUI path in PF to make RADIUS serve the full chain? (Exact menu/fields would help.)
> 2. If this has to be done manually, which files should I point RADIUS to (fullchain vs cert, CA bundle, etc.), and which service(s) should I reload after changes?
> 3. For renewals with Let’s Encrypt, what’s the recommended way to keep RADIUS picking up the new full chain automatically? (e.g., a post-renew hook, symlink, and the right reload command?)
>
> Thanks in advance for any pointers or examples.
>
> Best,
> Abdlmalik
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
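
Added example, not part of the thread and not PacketFence code: for the "fullchain vs cert" question in the quoted message, a shell check that reports whether a PEM bundle is ordered leaf-first with each certificate issued by the next one. The function names, the demo CNs and the throwaway chain are constructed for illustration; it assumes the `openssl` CLI is installed and compares issuer/subject names only.

```shell
#!/bin/sh
# Added example, not PacketFence code. Requires the openssl CLI.

# Split PEM bundle $1 into $2/c1.pem, $2/c2.pem, ...; print the cert count.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem" }
                 n { print > f }
                 END { print n + 0 }' "$1"
}

# Print the subject or issuer DN ($1) of certificate file $2.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"; }

# Return 0 when the bundle is leaf-first with at least one more certificate
# and every certificate's issuer equals the next certificate's subject.
# Names only: signatures, validity dates and trust are not checked here.
bundle_is_chained() {
  d=$(mktemp -d) || return 2
  n=$(split_bundle "$1" "$d"); i=1; rc=0
  [ "$n" -ge 2 ] || rc=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    [ "$(dn issuer "$d/c$i.pem")" = "$(dn subject "$d/c$((i + 1)).pem")" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$d"
  return "$rc"
}

# Constructed sample data: throwaway root -> int -> leaf written into dir $1.
make_demo_chain() (
  cd "$1" || exit 1
  issue() {  # issue <name> <CN> <signer>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
      -CAcreateserial -out "$1.pem" -days 2 2>/dev/null
  }
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root" -days 2 2>/dev/null &&
  issue int "Demo Intermediate" root &&
  issue leaf "radius.example.test" int
)

# Usage: sh check_chain.sh /path/to/bundle.pem
if [ -n "${1:-}" ]; then
  if bundle_is_chained "$1"; then echo "leaf + issuer chain present"
  else echo "bundle is leaf-only or out of order"; fi
fi
```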
