(pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

Tommy Scheunemann net at arrishq.net
Wed Dec 27 11:32:56 CET 2017


Hi,

I had a similar error recently with Android 7.x + FreeRadius 3.x; the problem 
was the CA and the Cert FreeRadius presented to the world.
The problem was fixed by merging the CA and the Certificate into one file 
so that FreeRadius provides the complete chain.
On the Android side, importing the CA and 2 certs, one for WiFi, one for 
testing the cert chain, with the corresponding options did the job.

---
Sent from my iP... nah, sent from my coffee machine

On Wed, 27 Dec 2017, noob wrote:

> Hello,
>
>
>
> This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
>
>
>
> What has worked fine and suddenly stops working is EAP-TLS, with my Huawei
> Honor8 Pro Android 7.0 smartphone.
>
>
>
> Small background: my main pfSense box broke down, so I took my backup
> pfSense box, reinstalled pfSense, *created new CA certificate, Server
> certificate and User certificate*, connected my smartphone with USB cable to
> my PC, copied the CA cert and the User cert to the smartphone, installed
> them using the normal Android setting for that ('install certificates from
> SD card'), configured the Wireless Connection in Android, in FreeRadius told
> it to of course use the CA certificate and the Server certificate,
> customized the other settings, and... for 6 hours now I'm trying to get
> something to work that does not want to work. But worked yesterday --- and
> the years before it. Now, EAP-TLS doesn't work. If I try a simple username
> and password: that works. It's simply the certificates that don't work.
>
>
>
> Those are the errors:
>
>
>
> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert
> read:fatal:certificate unknown
>
> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in
> SSLv3 read client certificate A
>
> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__
> (SSL_read)
>
>
>
> Just to make sure: the certificate manager in pfSense generates all three
> certificates *and stores them*, and the FreeRadius package within the same
> pfSense uses two of these three certificates (once you point the
> package to the right certificates you generate, which I did). Meaning: it's
> all integrated.
>
>
>
> This first error: to whom is the certificate unknown? To the smartphone? I've
> imported it 50.000 times again, and again, and again (really).
>
>
>
> I hope somebody can help me, because it all worked for years, and I have no
> clue anymore what to do, after all these long hours :(
>
>
>
> Thank you,
>
>
>
> Bye,
>
>
>
> PS I attached the debug log.
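
Added example, not part of either message and not FreeRADIUS or pfSense code: a check of the merged file described in the reply, confirming that the server certificate comes first, that the CA is bundled after it, and that the server certificate verifies against the CA file copied to the phone. It assumes the `openssl` command-line tool and a client CA file holding a single certificate; the file names, CNs and function names are hypothetical, and the certificates are throwaway ones constructed for the demo.

```shell
#!/bin/sh
# Added example. All file names, CNs and function names are hypothetical;
# the CA and server certificate are throwaway ones constructed for the demo.

build_demo_pki() {  # $1 = directory: creates ca.pem and a server.pem signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

fp() { openssl x509 -noout -fingerprint -sha256; }   # fingerprint of the cert on stdin

nth_cert() {  # print the Nth ($2) PEM certificate found in file $1
    awk -v n="$2" '/BEGIN CERTIFICATE/ {i++} i==n' "$1"
}

# $1 = chain file the RADIUS server presents, $2 = CA file installed on the client
# returns 0 = ok, 1 = CA missing from chain, 2 = server cert not signed by the
#         client's CA, 3 = last certificate in the chain is not the client's CA
check_chain() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$n" -ge 2 ] || { echo "FAIL: $n certificate(s) in chain, CA not included"; return 1; }
    # openssl x509 reads only the first certificate, i.e. the server (leaf) cert
    openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1 \
        || { echo "FAIL: server cert does not verify against the client's CA"; return 2; }
    [ "$(nth_cert "$1" "$n" | fp)" = "$(fp < "$2")" ] \
        || { echo "FAIL: last cert in chain is not the CA on the client"; return 3; }
    echo "OK: $n certificates, server cert first, chain ends at the client's CA"
}

d=$(mktemp -d)
build_demo_pki "$d"
cat "$d/server.pem" "$d/ca.pem" > "$d/chain.pem"    # the merge described in the reply
check_chain "$d/chain.pem" "$d/ca.pem"              # merged file
check_chain "$d/server.pem" "$d/ca.pem" || true     # server cert alone
```

Against real files, pass the certificate file the RADIUS server is configured to present as the first argument and the CA file that was copied to the phone as the second.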

