Failure with "TLS authentication" and "Freeradius on Fedora-17"
John Dennis
jdennis at redhat.com
Mon Jan 7 21:14:53 CET 2013
On 01/07/2013 02:41 PM, Ajay Garg wrote:
> Upon restarting, it shows a "missing server.pem" error.
> I reckon that we need to run "make server" too at some point of time (so
> that "server.pem" gets generated after "make destroycerts").
make destroycerts should have removed all the pem files and keys. After
running make again it will generate all new files. client has a
dependency on ca and server files so it should have created a new ca,
new server key and cert, a new client cert. Did it?
Just to be clear, your client needs to trust the CA that signed your
server cert and the server needs to trust the CA that signed your client
cert. Typically those are located on two different machines. Make sure
those line up or you're doomed. It's not clear to me which machines
you're running these commands on and where you're copying the resulting
files, but that's critical to get right. You can use the same CA to
sign both the server cert and the client cert, but that's not a
requirement, it just helps simplify the deployment a tad bit.
> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
> via "make server", or the one generated via "make client"?
Argh... you really need to be much more clear with what you're doing. If
you're running the cert creation commands on different machines and
leaving the results on that machine this will never work.
Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND ITS
SIGNER (issuing CA) and how that translates to the configuration
parameters for each software component (see above).
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
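The "make sure those line up" check from the reply above, as an added example that is not from the thread: it builds a throwaway CA, a server cert and a client cert with the openssl CLI (assumed installed) and verifies each leaf against the CA file the peer would be configured with, plus one CA from an unrelated run to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a scratch CA, server and
# client cert in a temp dir and checks the trust relationship each peer needs.
# Assumes the openssl CLI is on PATH; all names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca NAME CN: self-signed CA -> NAME.key / NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert NAME CN CA: key + CSR for NAME, signed by CA -> NAME.key / NAME.pem
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -out "$1.pem" 2>/dev/null
}

# chain_ok CERT CAFILE: prints "yes" if CERT chains to CAFILE, else "no".
# Run it with the CA file the *other* side is configured with: server.pem
# against the CA the supplicant trusts, client.pem against the CA FreeRADIUS loads.
chain_ok() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_ca ca "Test CA"                  # the CA both peers should trust
make_ca stray_ca "Unrelated CA"       # a CA from a separate "make" run elsewhere
issue_cert server "radius.example.test" ca
issue_cert client "user@example.test" ca

# Show issuer vs. signer subject, then the verify result for each pairing.
openssl x509 -noout -issuer -in client.pem
openssl x509 -noout -subject -in ca.pem
chain_ok server.pem ca.pem        # yes: server cert issued by ca.pem
chain_ok client.pem ca.pem        # yes: same CA signed the client cert
chain_ok client.pem stray_ca.pem  # no: CA file from another machine's run
```

A "no" on either peer is exactly the case the reply warns about: the cert was generated on one machine and the CA file copied to the other does not match its issuer.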