(pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

noob reclamezooi at dorfox.com
Wed Dec 27 14:06:53 CET 2017


Hi,

Thank you.

That sounds very complex for a noob like me. How would one do that, "merging the CA and the cert into one file"?



> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+reclamezooi=dorfox.com at lists.freeradius.org] On Behalf Of Tommy
> Scheunemann
> Sent: woensdag 27 december 2017 11:33
> To: FreeRadius users mailing list
> Subject: Re: (pfSense + Android): eap_tls: ERROR: TLS Alert
> read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3
> read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> 
> Hi,
> 
> Had a similar error recently with Android 7.x + FreeRadius 3.x; the problem was
> the CA and the cert FreeRadius presented to the world.
> The problem was fixed by merging the CA and the certificate into one file so that
> FreeRadius provides the complete chain.
> On the Android side, importing the CA and 2 certs, one for WiFi, one for testing
> the cert chain with the corresponding options, did the job.
> 
> ---
> Sent from my iP... nah, sent from my coffee machine
> 
> On Wed, 27 Dec 2017, noob wrote:
> 
> > Hello,
> >
> >
> >
> > This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
> >
> >
> >
> > What has worked fine and suddenly stops working is EAP-TLS, with my
> > Huawei Honor8 Pro Android 7.0 smartphone.
> >
> >
> >
> > Small background: my main pfSense box broke down, so I took my backup
> > pfSense box, reinstalled pfSense, *created new CA certificate, Server
> > certificate and User certificate*, connected my smartphone with USB
> > cable to my PC, copied the CA cert and the User cert to the
> > smartphone, installed them using the normal Android setting for that
> > ('install certificates from SD card'), configured the Wireless
> > Connection in Android, in FreeRadius told it to of course use the CA
> > certificate and the Server certificate, customized the other settings,
> > and... for 6 hours now I'm trying to get something to work that does not
> > want to work. But worked yesterday --- and the years before it. Now,
> > EAP-TLS doesn't work. If I try a simple username and password: that works.
> > It's simply the certificates that don't work.
> >
> >
> >
> > Those are the errors:
> >
> >
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert read:fatal:certificate unknown
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> >
> >
> >
> > Just to make sure: the certificate manager in pfSense generates all
> > three certificates *and stores them*, and the FreeRadius package
> > within the same pfSense uses two of these three certificates (once you
> > point the package to the right certificates you generate,
> > which I did). Meaning: it's all integrated.
> >
> >
> >
> > This first error: to who is the certificate unknown? To the
> > smartphone? I've imported it 50.000 times again, and again, and again
> > (really).
> >
> >
> >
> > I hope somebody can help me, because it all worked for years, and I
> > have no clue anymore what to do, after all these long hours :(
> >
> >
> >
> > Thank you,
> >
> >
> >
> > Bye,
> >
> >
> >
> > PS I attached the debug log.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
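
One way to do the merge discussed in this thread, as an added example that is not part of either poster's message: the server certificate goes first and the CA that issued it second (the order TLS expects), and the result is checked before use. All file names and subjects are constructed, and where the merged file is then referenced in pfSense or FreeRADIUS is not covered by the thread.

```shell
#!/bin/sh
# Added example. Every file name and subject below is constructed for the demo.

# make_demo_pki DIR: throwaway CA plus a server certificate signed by it.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# build_chain FIRST SECOND OUT: concatenate two PEM files in the given order.
build_chain() {
    cat "$1" "$2" > "$3"
}

# check_chain BUNDLE CA: 0 = ok, 1 = wrong cert count, 2 = first cert is
# self-signed (CA placed first), 3 = leaf does not verify against CA.
check_chain() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 2 ] || return 1
    # openssl x509/verify only look at the first certificate in a file.
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ "${subj#subject=}" != "${iss#issuer=}" ] || return 2
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 3
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
    build_chain "$demo/server.pem" "$demo/ca.pem" "$demo/chain.pem" &&
    check_chain "$demo/chain.pem" "$demo/ca.pem" &&
    echo "complete chain written to $demo/chain.pem"
```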



