(pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

noob reclamezooi at dorfox.com
Wed Dec 27 03:47:21 CET 2017


Hello,

This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).

What has worked fine and suddenly stopped working is EAP-TLS, with my Huawei
Honor8 Pro Android 7.0 smartphone.

Small background: my main pfSense box broke down, so I took my backup
pfSense box, reinstalled pfSense, *created new CA certificate, Server
certificate and User certificate*, connected my smartphone with USB cable to
my PC, copied the CA cert and the User cert to the smartphone, installed
them using the normal Android setting for that ('install certificates from
SD card'), configured the Wireless Connection in Android, in FreeRadius told
it to of course use the CA certificate and the Server certificate,
customized the other settings, and... for 6 hours now I'm trying to get
something to work that does not want to work. But worked yesterday --- and
the years before it. Now, EAP-TLS doesn't work. If I try a simple username
and password: that works. It's simply the certificates that don't work.

Those are the errors:

Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert read:fatal:certificate unknown
Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

Just to make sure: the certificate manager in pfSense generates all three
certificates *and stores them*, and the FreeRadius package within the same
pfSense uses two of these three certificates (once you point the
package to the right certificates you generate, which I did). Meaning: it's
all integrated.

This first error: to whom is the certificate unknown? To the smartphone? I've
imported it 50.000 times again, and again, and again (really).

I hope somebody can help me, because it all worked for years, and I have no
clue anymore what to do, after all these long hours :(

Thank you,

Bye,

PS I attached the debug log.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20171227/8c5ba5a0/attachment-0001.txt>

