Hello,

I'm having a similar problem, but we are trying to change the RADIUS
certificate. We generated the PacketFence certificate with the Microsoft
domain certification authority in order to have the CA certificate already
trusted on our domain workstations.
We exported the CA certificate and the PacketFence certificate in base64
format and tried to install these certificates on PF, but we obtain an error
because the certification chain is invalid.
There is no intermediate CA; the root CA directly released the PF
certificate, but this does not seem to work. Disabling "Find RADIUS Server
intermediate CA(s) automatically" does not work either.
Checks in bash with the "openssl verify" command succeed.

Can you suggest a way to solve this problem?

Mirko


On Tue, 14 Mar 2023 at 13:39, Mudrich, J. via PacketFence-users <
[email protected]> wrote:

> Hello Ludovic,
>
> thanks for the hint. It works. So adding my CA to the ca-certificates
> wasn’t necessary?
>
> Kind regards
>
> Johannes
>
> *Johannes Mudrich*
> Employee
> IT
>
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
>
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  [email protected]
>
> *From:* Zammit, Ludovic [mailto:[email protected]]
> *Sent:* Monday, 13 March 2023 16:35
> *To:* Mudrich, J. <[email protected]>
> *Cc:* PacketFence-users <[email protected]>
> *Subject:* Re: [PacketFence-users] change HTTPs cert; chain invalid
>
> Hello Johannes,
>
> Turn off the intermediates fetch automatically and add your own ca
> manually.
>
> PF can’t reach the intermediates so it fails.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal Lead*
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Mar 10, 2023, at 2:32 AM, Mudrich, J. <[email protected]>
> wrote:
>
> Hello Ludovic,
>
> yes, I am using an internal PKI. I even verified the chain with openssl:
>
> root@akgapf:/usr/local/pf/conf/ssl# openssl verify -CAfile /etc/ssl/certs/akgaca.ak.local.pem server.crt
> server.crt: OK
> root@akgapf:/usr/local/pf/conf/ssl# openssl verify -CAfile /etc/ssl/certs/akgaca.ak.local.pem server.pem
> server.pem: OK
>
> PF gives me the following error message:
>
> Failed verifying chain: error stdin: verification failed . Unable to fetch
> all the intermediates through the information contained in the certificate.
> You will have to upload the intermediate chain manually in x509 (Apache)
> format.
>
> config/certificate/http
>
> There are no intermediates!
>
> you’ll find the chain attached.
>
> Kind regards
>
> Johannes
>
> *From:* Zammit, Ludovic [mailto:[email protected] <[email protected]>]
> *Sent:* Thursday, 9 March 2023 21:07
> *To:* PacketFence-users <[email protected]>
> *Cc:* Mudrich, J. <[email protected]>
> *Subject:* Re: [PacketFence-users] change HTTPs cert; chain invalid
>
> Hello Johannes,
>
> I’m assuming you are issuing a certificate from your internal PKI, right?
>
> Can you show me the chain and the error that you have currently?
>
> Thanks,
>
> On Mar 9, 2023, at 3:01 AM, Mudrich, J. via PacketFence-users <
> [email protected]> wrote:
>
> Hi,
>
> I would like to change the existing HTTPs cert. So I created one in my own
> CA. Added the cert and key into Configuration -> System Configuration ->
> SSL Certificates.
>
> Then I added my CA root cert to /usr/local/share/ca-certificates and ran
> update-ca-certificates. It’s now present in /etc/ssl/certs.
>
> But PF still says “Chain is invalid”. Do I need to add the root cert
> somewhere else?
>
> Thanks
>
> Johannes
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
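
Added example, not part of the thread and not PacketFence code: a shell check for the situation described above, where a root CA issues the server certificate directly and "openssl verify" passes. It assumes that the "information contained in the certificate" in the error message is the AIA "CA Issuers" URL; the function names, CN values and the pki.demo.local URL are constructed for the demo.

```shell
#!/bin/sh
# Added example: all keys and certificates are generated here (constructed data).
set -eu

# Build a throwaway root CA that signs the server certificate directly.
make_demo_pki() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pf.demo.local" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # Constructed AIA "CA Issuers" URL, the kind of pointer an issuing CA can embed.
  echo 'authorityInfoAccess=caIssuers;URI:http://pki.demo.local/ca.crt' > "$1/ext.cnf"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/ext.cnf" -out "$1/server.crt" 2>/dev/null
}

# True when the leaf's issuer DN hash equals the CA's subject DN hash (no intermediate).
issued_directly_by() {  # $1 = leaf cert, $2 = CA cert
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# The check used in the thread: verify the leaf against the CA file.
verifies_against() {  # $1 = leaf cert, $2 = CA cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the CA Issuers URLs carried in the AIA extension, one per line.
aia_ca_issuers() {  # $1 = cert
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# One-word verdict for a leaf/CA pair.
diagnose() {  # $1 = leaf cert, $2 = CA cert
  if ! verifies_against "$1" "$2"; then echo "chain-broken"; return 0; fi
  if ! issued_directly_by "$1" "$2"; then echo "intermediate-needed"; return 0; fi
  if [ -n "$(aia_ca_issuers "$1")" ]; then echo "direct-issue-with-aia"
  else echo "direct-issue-no-aia"; fi
}

work=$(mktemp -d)
make_demo_pki "$work"
echo "verdict: $(diagnose "$work/server.crt" "$work/ca.pem")"
aia_ca_issuers "$work/server.crt"
```

A verdict of direct-issue-with-aia means the chain is complete with the root alone, yet the certificate still advertises a download URL that an automatic fetch would have to reach from the appliance.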
