Netgate Discussion Forum

    Freeradius Let's Encrypt DST Root CA X3

    pfSense Packages
    8 Posts 3 Posters 1.4k Views
    • darkfire

      Hello Forum,

      We use the freeradius3 (0.15.7_32) package on pfSense with EAP and Let's Encrypt. Now we have the problem that whenever we save the config in the WebUI, the old Let's Encrypt root CA cert (DST Root CA X3) is also imported into certs/server_cert.pem. This causes a cert expired error on the clients.

      Does anyone know the problem, or does anyone have a solution for it?

      • Derelict (Netgate) @darkfire

        @darkfire Delete the old CA?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • darkfire

          Where and how should I delete the old CA cert? It is not in the cert manager!

          Screenshot_2022-01-02_09-31-06.png

          • Derelict (Netgate) @darkfire

            @darkfire Is it in the freeradius package CAs somewhere?

            • darkfire

              I have already removed the DST Root CA X3 cert from the file /usr/local/share/certs/ca-root-nss.crt and the folder /usr/share/certs/trusted/ and run a certctl rehash, but without success. Does the freeradius3 package have its own CA cert store? Where should it be?

              • Derelict (Netgate) @darkfire

                @darkfire Honestly I don't know. I would look through the freeradius3 package and see if you can find it.

                • Gertjan @darkfire (last edited by Gertjan)

                  @darkfire said in Freeradius Let's Encrypt DST Root CA X3:

                  I have already removed the DST Root CA X3 cert from the file /usr/local/share/certs/ca-root-nss.crt and the folder /usr/share/certs/trusted/ and run a certctl rehash, but without success.

                  Humm, you're right, it's in there:

                      ......
                      Certificate:
                      Data:
                          Version: 3 (0x2)
                          Serial Number:
                              44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
                          Signature Algorithm: sha1WithRSAEncryption
                          Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
                          Validity
                              Not Before: Sep 30 21:12:19 2000 GMT
                              Not After : Sep 30 14:01:15 2021 GMT
                      ......
                  

                  But I'm not using it. That is, I don't use a certificate derived from this one.
                  (there are more certs in that file that are expired - it's not an issue)

                  @darkfire said in Freeradius Let's Encrypt DST Root CA X3:

                  Does the freeradius3 package have its own CA cert store? Where should it be?

                  Noop. Nothing there.

                  I've had the FreeRadius package installed for years, and if I recall well, when installing, I had to create a CA (FreeRADIUS CA) and a certificate (FreeRADIUS Server Certificate).
                  These are used in my FreeRadius setup right now.

                  No need for, nor reference to, the "Let's Encrypt DST Root CA X3".

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

                  • darkfire

                    @gertjan On newer Android versions it is required to have a valid SSL cert for the RADIUS service, therefore we use the LE cert.

                    Yes, if I manually remove the "DST Root CA X3" from the Freeradius server cert, everything works.

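The fix darkfire ends up with (stripping the expired DST Root CA X3 out of the FreeRADIUS server certificate file) can be checked and automated rather than done by hand after every WebUI save. The script below is an added example, not code from this thread or from the pfSense freeradius3 package. It uses only the Python standard library: a minimal DER walk reads each certificate's subject CN, issuer CN and validity window, and `prune_expired` returns the PEM bundle with every certificate whose notAfter is in the past removed, plus the names of what it dropped. The sample bundle it builds is constructed for the demonstration (unsigned, structurally valid certificates: a made-up radius.example.net server certificate and a DST Root CA X3 entry carrying the validity dates from Gertjan's openssl output); the reference date 2022-01-02 is taken from the screenshot filename in the thread and is an assumption, as is the server-certificate name.

```python
import base64
import re
from datetime import datetime, timezone

# Added example (not from the thread or the freeradius3 package): prune expired
# certificates from a PEM bundle such as the certs/server_cert.pem mentioned above.

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"                                  # id-at-commonName (2.5.4.3)
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
REFERENCE_DATE = datetime(2022, 1, 2, tzinfo=timezone.utc)  # assumed: screenshot date

def der_read(buf, off=0):
    """Read one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                 # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Yield (tag, value) for each element of a constructed (SEQUENCE/SET) value."""
    off = 0
    while off < len(value):
        tag, inner, off = der_read(value, off)
        yield tag, inner

def parse_time(tag, value):
    """UTCTime (0x17, two-digit year, RFC 5280 pivot at 1950) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def name_cn(name):
    """commonName of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            parts = list(der_children(atv))
            if parts and parts[0][1] == CN_OID:
                return parts[1][1].decode("utf-8", "replace")
    return "<no CN>"

def cert_info(der_bytes):
    """Subject, issuer and validity window of one DER-encoded certificate."""
    _, cert, _ = der_read(der_bytes)
    _, tbs, _ = der_read(cert)                # tbsCertificate is the first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                   # skip the optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (nb_tag, nb), (na_tag, na) = der_children(validity)
    return {"subject": name_cn(subject), "issuer": name_cn(issuer),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

def pem_certs(pem_bundle):
    """Yield (pem_block, der_bytes) for every certificate in a PEM bundle."""
    for m in PEM_RE.finditer(pem_bundle):
        yield m.group(0), base64.b64decode(b"".join(m.group(1).split()))

def prune_expired(pem_bundle, now):
    """Return (kept_pem, dropped_subjects): the bundle minus certs expired at `now`."""
    kept, dropped = [], []
    for pem, der_bytes in pem_certs(pem_bundle):
        info = cert_info(der_bytes)
        if info["not_after"] < now:
            dropped.append(info["subject"])
        else:
            kept.append(pem)
    return b"\n".join(kept) + (b"\n" if kept else b""), dropped

# ---- constructed sample input: unsigned but structurally valid certificates ----
def der(tag, content):
    """Minimal DER encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(cn, not_before, not_after):
    """PEM certificate with the given CN and UTCTime validity; signature is a placeholder."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, SHA256_RSA_OID)) + name
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + name + der(0x30, b""))        # empty SubjectPublicKeyInfo placeholder
    cert = der(0x30, tbs + der(0x30, der(0x06, SHA256_RSA_OID)) + der(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")

def build_sample_bundle():
    """Server cert followed by the expired root, as the WebUI save leaves the file."""
    return (fake_cert("radius.example.net", "211201000000Z", "220301000000Z")   # assumed name
            + fake_cert("DST Root CA X3", "000930211219Z", "210930140115Z"))   # dates from thread

if __name__ == "__main__":
    kept, dropped = prune_expired(build_sample_bundle(), REFERENCE_DATE)
    print("dropped:", dropped)
    print(kept.decode())
```

To use it on a live file, read the server certificate PEM, call `prune_expired(data, datetime.now(timezone.utc))`, and write the kept bytes back; since saving the freeradius3 config in the WebUI regenerates the file, the check has to be repeated after each save. The decision is made on notAfter alone, so a still-valid certificate that does not belong in the chain is not flagged; inspecting the returned subjects before writing anything back is the sensible habit.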
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.