CA.all and CA.certs in Freeradius 2.x
tnt at kalik.net
Wed Oct 8 15:00:24 CEST 2008
Try with a CA-server bundle:
cat ca.pem server.pem > cabundle.pem
Use that as the CAfile and export it (appropriate version) to the clients.
Ivan Kalik
Kalik Informatika ISP
On 8/10/2008, "Vegard Svanberg" <vegard at svanberg.no> writes:
>* Vegard Svanberg <vegard at svanberg.no> [2008-10-07 12:16]:
>
>> > Perhaps you should bother reading the mysteriously named file README in
>> > /certs directory before asking questions.
>>
>> Seems the file got lost during the transition from 1.x. Thanks!
>
>Hm, something is not working right, but I'm not sure where. Created (ca,
>server, client) certificates per the instructions in the README file.
>Enabled EAP-TLS in eap.conf and verified that paths etc are correct.
>Then created the client certificate and imported it on the client. -X
>gives me this before it fails:
>
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
> TLS Length 1497
>[tls] Length Included
>[tls] eaptls_verify returned 11
>[tls] <<< TLS 1.0 Handshake [length 0393], Certificate
>--> verify error:num=20:unable to get local issuer certificate
>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
>rlm_eap: SSL error error:140890B2:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>SSL: SSL_read failed in a system call (-1), TLS session fails.
>TLS receive handshake failed during operation
>[tls] eaptls_process returned 4
>[eap] Handler failed in EAP/tls
>[eap] Failed in EAP select
>++[eap] returns invalid
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
>+- entering group REJECT {...}
> expand: %{User-Name} -> testuser2
>
>Also, openssl can't verify the generated client certificate:
>
>$ openssl verify -CAfile ca.pem client.pem
>client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/emailAddress=test at email
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>Oh, BTW, there is a small error in the README; on line 132 it reads:
>
>> The users certificate will be in "commonName.pem",
>> i.e. "user at example.com.pem".
>
>This is wrong; the Makefile is using emailAddress.
>
>--
>Vegard Svanberg <vegard at svanberg.no> [*Takapa at IRC (EFnet)]
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
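The bundle check from the reply above, as an added example that is not part of the original thread and not FreeRADIUS's own code: a POSIX shell script that builds a throwaway PKI with openssl, reproduces the "error 20 at 0 depth lookup: unable to get local issuer certificate" result the poster got from `openssl verify`, and then shows what verifying against a ca+server bundle changes. Every file name, subject and directory here is an assumption made for the demo; the client certificate is deliberately issued by the server key rather than by the root so that ca.pem alone cannot supply the leaf's issuer.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: build a small
# test PKI with openssl, reproduce "error 20 at 0 depth lookup", and show
# what the ca+server bundle changes. File names, subjects and the directory
# layout are assumptions for this demo.

WORK="${WORK:-$(mktemp -d)}"

# Generate a root CA, a server cert that is allowed to sign, and a client cert
# issued by the SERVER key rather than by the root. Idempotent: skips if done.
setup_pki() {
    [ -f "$WORK/cabundle.pem" ] && return 0

    # Root CA, self-signed (openssl's defaults for -x509 mark it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=NO/O=testorganization/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1

    # Extensions that let server.pem act as an intermediate issuer
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,digitalSignature\n' \
        > "$WORK/int.ext"

    # Server certificate, signed by the root
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=NO/O=testorganization/CN=radius.example.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/server.pem" >/dev/null 2>&1 || return 1

    # Client certificate, signed by server.key: ca.pem alone cannot supply
    # this leaf's issuer, which is exactly the error 20 situation
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=NO/O=testorganization/CN=testuser2" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/server.pem" -CAkey "$WORK/server.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1 || return 1

    # The bundle suggested in the reply: root and server cert in one CAfile
    cat "$WORK/ca.pem" "$WORK/server.pem" > "$WORK/cabundle.pem"
}

# verify_with CAFILE CERT: prints "ok", or the openssl error number (e.g. 20)
verify_with() {
    out=$(openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1) && { echo ok; return 0; }
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    return 1
}

# verify_untrusted CAFILE UNTRUSTED CERT: same check, but the server cert is
# offered only as an untrusted chain link instead of as a trust anchor
verify_untrusted() {
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/$3" >/dev/null 2>&1 \
        && echo ok || echo fail
}

# issuer_of CERT: the issuer DN, the first thing to compare when error 20 appears
issuer_of() {
    openssl x509 -noout -issuer -in "$WORK/$1"
}

setup_pki || { echo "openssl setup failed" >&2; exit 1; }
echo "client vs ca.pem:       $(verify_with ca.pem client.pem)"
echo "client vs cabundle.pem: $(verify_with cabundle.pem client.pem)"
echo "client with -untrusted: $(verify_untrusted ca.pem server.pem client.pem)"
echo "client issuer:          $(issuer_of client.pem)"
```

Two things worth knowing before applying the bundle blindly. Putting server.pem into the CAfile makes it a trust anchor in its own right; offering it with `-untrusted` instead keeps only ca.pem trusted and still completes the chain, which is the more conservative check. And if client.pem was in fact issued directly by the CA, error 20 means the ca.pem being checked is not the certificate that signed it, and no bundle will fix that; compare `openssl x509 -noout -issuer -in client.pem` with `openssl x509 -noout -subject -in ca.pem` first.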