Failure with "TLS authentication" and "Freeradius on Fedora-17"
ajaygargnsit at gmail.com
Mon Jan 7 21:32:57 CET 2013
I am confused.
I will be grateful if you could specify the sequence of commands to be
run after "make destroycerts".
Note that ::
Running JUST "make client" generates "client.pem" and "ca.pem", but no
Running JUST "make" generates "server.pem" and "ca.pem", but no
On Tue, Jan 8, 2013 at 1:44 AM, John Dennis <jdennis at redhat.com> wrote:
> On 01/07/2013 02:41 PM, Ajay Garg wrote:
>> Upon restarting, it shows a "missing server.pem" error.
>> I reckon that we need to run "make server" too at some point of time (so
>> that "server.pem" gets generated after "make destroycerts").
> make destroycerts should have removed all the pem files and keys. After
> running make again it will generate all new files. client has a dependency
> on ca and server files so it should have created a new ca, new server key
> and cert, a new client cert. Did it?
> Just to be clear, your client needs to trust the CA that signed your
> server cert and the server needs to trust the CA that signed your client
> cert. Typically those are located on two different machines. Make sure
> those line up or you're doomed. It's not clear to me which machines you're
> running these commands on and where you're copying the resulting files, but
> that's critical to get right. You can use the same CA to sign both the
> server cert and the client cert, but that's not a requirement, it just
> helps simplify the deployment a tad bit.
>> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
>> via "make server", or the one generated via "make client"?
> Argh... you really need to be much more clear with what you're doing. If
> you're running the cert creation commands on different machines and leaving
> the results on that machine this will never work.
> Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND ITS
> SIGNER (issuing CA) and how that translates to the configuration parameters
> for each software component (see above).
> John Dennis <jdennis at redhat.com>
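The certificate-to-signer relationship discussed in the reply above can be checked with `openssl verify` before any file is copied to a RADIUS host. This is an added example, not part of the original thread or of the FreeRADIUS certificate Makefile; the CAs, certificates, file names and helper functions are constructed for illustration. It shows that a second `ca.pem` produced by a separate generation run does not validate certificates signed by the first, even when both CAs carry the same subject name.

```shell
#!/bin/sh
# Added example. Throwaway CAs and certs are constructed in a temp directory.

# make_ca DIR NAME: self-signed CA in DIR/NAME.pem. The subject is identical on
# every call, as it would be for two separate runs of a cert-generation script.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA NAME: new key and CSR for NAME, signed by DIR/CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# signed_by CA_FILE CERT_FILE: status 0 only if CERT_FILE verifies against CA_FILE.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL CA_FILE CERT_FILE: print the outcome of one trust check.
report() {
    if signed_by "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca_first && make_ca "$d" ca_second &&
    make_leaf "$d" ca_first server &&
    make_leaf "$d" ca_first client || { rm -rf "$d"; return 1; }
    # Both sides trust ca_first: each peer's cert verifies.
    report "server cert vs CA the client trusts" "$d/ca_first.pem" "$d/server.pem"
    report "client cert vs CA the server trusts" "$d/ca_first.pem" "$d/client.pem"
    # A ca.pem from a different run has a different key, so the check fails.
    report "server cert vs ca.pem from another run" "$d/ca_second.pem" "$d/server.pem"
    rm -rf "$d"
}

demo
```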