The below warning message looks a bit like it was produced by OpenSSL, but I am pretty sure it actually comes from the freeradius server code, which appears to use one of the OpenSSL certificate checking callback mechanisms. So you should ask there what the exact intention for this warning is and how to prevent it.
To me the below warnings look strange because usually at depth 0 and 1 of a cert chain (i.e., at the positions of the end entity cert and any subsequent intermediate cert) it is normal to have untrusted certs. Usually only at the end of the chain you have a trusted cert that represents the trust anchor for the chain.
Some information on the OpenSSL view on trusted/untrusted certs can be found at https://beta.openssl.org/docs/manmaster/man1/openssl-verification-options.html
David
On Fri, 2022-07-15 at 22:38 +0200, Kamil Jońca wrote:
I have freeradius server configured to use EAP-TLS (certificate based authn).
Since some time I have warning in logs:
--8<---------------cut here---------------start------------->8---
Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca
Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=Mazowieckie/O=beta/OU=wifi/CN=salamandra
--8<---------------cut here---------------end--------------->8---
I took a look into code and it seems to be related to "X509_STORE_CTX_get0_untrusted(ctx)" function.
I tried to search, but without success.
Can anyone tell me when certificate is "trusted" in this context? (How to get rid of this warning) or point to documentation/search keys
KJ
--