Unknown CA errors
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Wed Feb 23 20:36:06 CET 2011
Hi,
> In my eap.conf I see the following:
> # This parameter is used only for EAP-TLS,
> # when you issue client certificates. If you do
> # not use client certificates, and you do not want
> # to permit EAP-TLS authentication, then delete
> # this configuration item.
> #CA_file = ${cadir}/ca.pem
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/radius-server.crt
so, if you don't use CA_file then you must have the server cert AND
its CA chained in the certificate_file
> And I'm getting these errors logged from time to time.
> Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA
> Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
the client has tried to use the wrong CA to deal with you.
alan
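
The two log entries quoted in the message above can be decoded mechanically to see which side raised the alert. This is an added example, not part of the original post or of FreeRADIUS; it assumes the pre-3.0 OpenSSL packed error layout (8-bit library, 12-bit function, 12-bit reason) and that "read" in the alert line marks an alert received from the peer.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) related to certificate trust.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
ALERT_REASON_OFFSET = 1000   # OpenSSL adds this to the alert number
ERR_LIB_SSL = 0x14           # library field used for "SSL routines"

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):")

def decode_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return a dict describing a TLS alert log line, or None if unrelated."""
    m = ALERT_RE.search(line)
    if m:
        # Assumption: "read" = alert received from the peer (the supplicant),
        # "write" = alert sent by this server.
        origin = "peer" if m.group(1) == "read" else "server"
        return {"kind": "alert", "origin": origin, "level": m.group(2)}
    m = ERR_RE.search(line)
    if m:
        lib, _func, reason = decode_openssl_error(m.group(1))
        if lib == ERR_LIB_SSL and reason > ALERT_REASON_OFFSET:
            num = reason - ALERT_REASON_OFFSET
            return {"kind": "error", "alert": num,
                    "name": TLS_ALERTS.get(num, "other")}
    return None

# The two log entries quoted in the message, one entry per line.
SAMPLE = [
    "Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA",
    "Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

An alert with origin "peer" and name "unknown_ca" means the client rejected the server's chain, so the fix lies in the client's trusted CA setting or in the chain the server presents from certificate_file.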