Letsencrypt certificate for RADIUS service

Hello,

We use Let's Encrypt certificates for the eduroam service with EAP-PEAP authentication via RADIUS (Remote Authentication Dial In User Service). It works except in about 20 % of cases. One of the problems is caused by Microsoft Windows 10 systems, where the user gets the error:
0x80420203 - The server certificate being used for authentication has been revoked

E.g., on Windows 11, Linux or iOS it works fine. LE certificates are correctly issued and signed by the ISRG Root X1 certificate. Moreover, we can see that the ISRG Root X1 certificate is installed on the Windows 10 system, but I am aware that Windows has several certificate stores.

Does anyone know a solution for this problem, other than forcibly updating to Windows 11?

Well, the error message indicates the server's certificate has been revoked. Has it been?

You can check https://crt.sh/ to see if it's been revoked.


Seems to be good.

Which certificate chain is your RADIUS server sending?

"Certificate → R3 → ISRG Root X1 (cross-sign)" or the shorter "Certificate → R3" one?


It should send the whole chain, but I will double-check this tomorrow.

    EAPTLS_CertificateChainFile     %{GlobalVar:ConfigDir}/certs/fullchain.pem
    EAPTLS_PrivateKeyFile           %{GlobalVar:ConfigDir}/certs/privkey.pem

btw, it is not the ISRG Root X1 cross-sign but the self-signed one; I don't know if I can get an LE cert signed by the cross-signed X1?

The default certificate chain that Let's Encrypt sends today contains the "ISRG Root X1" certificate cross-signed by "DST Root CA X3".

It might be helpful to post the contents of your fullchain.pem.

I originally asked this question because there is a version of R3 which is revoked, but it's probably super unlikely that you're encountering that.


fullchain.pem (4.0 KB)
Here it is. btw, I see it actually does not contain the ISRG Root X1 certificate, only R3.

On the Linux box using wpa_supplicant, I can see:

    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Internet Security Research Group/CN=ISRG Root X1' hash=96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Let's Encrypt/CN=R3' hash=67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.muni.cz' hash=a38d8a6f5c0f9838fcd351c8ed14aec8e3aaa61f76f2eb09290f7220a4dff1da
    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:hellion.ics.muni.cz
    Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.muni.cz
    Oct 27 10:49:42 anubis wpa_supplicant[591]: EAP-MSCHAPV2: Authentication succeeded

You're on the short chain. It looks fine; I don't know why Windows would complain about revocation.

Are those problematic Windows 10 machines able to load https://valid-isrgrootx1.letsencrypt.org:443 okay? Is there some way to make your RADIUS client try to connect to that host and port and see whether it hits a TLS verification error? And whether it's a different output from https://helloworld.letsencrypt.org:443/?


In the browser, there is no problem on Windows 10:

The result is the same for helloworld.letsencrypt.
