I looked around the section and noted that there have been some issues with Freeradius after upgrading to 21.1.7, but did not see something like what I stumbled upon so I'm not sure if this is connected.
I've had Freeradius set up in OPNsense to act as an authentication service for a wireless AP. It's using the fairly usual self-signed "root" CA -> intermediate CA -> client/server certificate chain, generated outside OPNsense and imported.
This setup has been working without a hitch for quite a while, but now after upgrading to 21.1.7 (from 21.1.6) my wireless clients are no longer authenticated and unable to connect. Nothing has been changed in the configuration in the clients, AP or even in OPNsense side, yet for some reason Freeradius is now apparently unable to find the issuer certificate:
Sun Jun 27 08:34:47 2021 : ERROR: (64) eap_tls: ERROR: SSL says error 2 : unable to get issuer certificate
Sun Jun 27 08:34:47 2021 : ERROR: (64) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
Sun Jun 27 08:34:47 2021 : ERROR: (64) eap_tls: ERROR: (TLS) Server : Error in error
Freeradius is configured to use a server certificate signed with the intermediate CA, and this server certificate can be seen in System -> Trust -> Certificates and is recognized to be issued by the intermediate CA.
This in turn is in System -> Trust -> Authorities, shown as issued by the root CA which also is present there, issued by self-issued as it should.
After reverting the freeradius3 package using opnsense-revert -r 21.1.6 freeradius3 authentication works again.