[SOLVED] Freeradius - How to renew default server certificate?

Started by spopinski, February 24, 2023, 10:50:20 AM

Hi,

I'm doing this on a single-appliance test environment. How can I renew the default server certificate? Suddenly Windows clients won't connect and the logs were showing expired server certificate errors. Mobile phones are still working fine.

Quote:
Auth: (5) Login incorrect (eap_peap: (TLS) Alert read:fatal:certificate expired): [admin] (from client APs port 69 cli 30-24-32-46-C6-FC)

Thanks!

Edit: Found this tutorial for Linux:
https://agix.com.au/freeradius-certificate-has-expired-solution/

How do I do this in OPNsense?

System, trust, certificates

You may want to give some more background info (PKI structure?) if that doesn't fix your issue

Hi, thanks for the reply.

I'm not using the OPNsense cert manager and only use the supplied default cert from the freeradius pkg.

openssl x509 -in <cert.pem> -noout -text | less

Check the expiry of each cert in your chain and renew as required. If that is your root CA cert, you'll need to generate a new PKI from scratch.

How do your Windows clients get their certs? GPO?

Bart...

Thanks Bart, will try it out later.

Not using GPO as this is just a small test env and it has multiple OS clients. So, all manual.

Update:

Solved by first editing all the necessary .cnf files in the /usr/local/etc/raddb/certs directory (I use WinSCP), stopping freeradius from the web GUI, moving all the old certs to a backup folder, and then executing the command ./bootstrap

Restarted the Freeradius server and watched the log for any errors. None so far!

Thanks
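
Added example, not posted by anyone in this thread: a small script that applies the "check the expiry of each cert in your chain" advice to a whole directory, using openssl's -checkend so expiring certs are flagged before clients start failing. The function names and the 30-day warning window are assumptions; the directory is the one named in the thread.

```shell
#!/bin/sh
# Flag certificates that are expired or close to expiry.
# Usage: sh certcheck.sh /usr/local/etc/raddb/certs [warn_days]
# cert_status / scan_cert_dir are hypothetical helper names for this example.

cert_status() {
    # $1 = PEM file, $2 = warning window in days (assumed default: 30)
    # Prints EXPIRED, EXPIRING or OK; returns 2 if the file holds no certificate.
    cs_file=$1
    cs_days=${2:-30}
    openssl x509 -in "$cs_file" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cs_file" -noout \
            -checkend $((cs_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

scan_cert_dir() {
    # $1 = directory, $2 = warning window in days
    # Returns 1 if any certificate is EXPIRED or EXPIRING, otherwise 0.
    sd_dir=$1
    sd_days=${2:-30}
    sd_bad=0
    for sd_f in "$sd_dir"/*.pem "$sd_dir"/*.crt; do
        [ -f "$sd_f" ] || continue
        # Key-only files and other non-certificates are skipped.
        sd_state=$(cert_status "$sd_f" "$sd_days") || continue
        sd_end=$(openssl x509 -in "$sd_f" -noout -enddate | cut -d= -f2)
        printf '%-9s %s  notAfter=%s\n' "$sd_state" "$sd_f" "$sd_end"
        [ "$sd_state" = OK ] || sd_bad=1
    done
    return "$sd_bad"
}

# Only scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_cert_dir "$@"
fi
```

Run it before and after ./bootstrap: the non-zero exit status when anything is EXPIRED or EXPIRING makes it usable from cron or a monitoring check.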