(pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

Tommy Scheunemann net at arrishq.net
Wed Dec 27 15:28:42 CET 2017


Hi,

a simple:

cat your_server_cert.crt your_root.ca > server.crt

should do it, so that the full chain of your root + your server certificate is 
provided.
For the client side, exporting the client cert, client private key and your 
CA into a PKCS12, then importing it on your Android device should do it.

---
Sent from my iP... nah, sent from my coffee machine

On Wed, 27 Dec 2017, noob wrote:

> Hi,
>
> Thank you.
>
> That sounds very complex for a noob like me. How would one do that, "merging the CA and the cert into one file"?
>
>
>
>> -----Original Message-----
>> From: Freeradius-Users [mailto:freeradius-users-
>> bounces+reclamezooi=dorfox.com at lists.freeradius.org] On Behalf Of Tommy
>> Scheunemann
>> Sent: Wednesday 27 December 2017 11:33
>> To: FreeRadius users mailing list
>> Subject: Re: (pfSense + Android): eap_tls: ERROR: TLS Alert
>> read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3
>> read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
>>
>> Hi,
>>
>> I had a similar error recently with Android 7.x + FreeRadius 3.x; the problem was
>> the CA and the cert FreeRadius presented to the world.
>> The problem was fixed by merging the CA and the certificate into one file so that
>> FreeRadius provides the complete chain.
>> On the Android side, importing the CA and 2 certs, one for WiFi, one for testing
>> the cert chain with the corresponding options did the job.
>>
>> ---
>> Sent from my iP... nah, sent from my coffee machine
>>
>> On Wed, 27 Dec 2017, noob wrote:
>>
>>> Hello,
>>>
>>>
>>>
>>> This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
>>>
>>>
>>>
>>> What has worked fine and suddenly stops working is EAP-TLS, with my
>>> Huawei
>>> Honor8 Pro Android 7.0 smartphone.
>>>
>>>
>>>
>>> Small background: my main pfSense box broke down, so I took my backup
>>> pfSense box, reinstalled pfSense, *created new CA certificate, Server
>>> certificate and User certificate*, connected my smartphone with USB
>>> cable to my PC, copied the CA cert and the User cert to the
>>> smartphone, installed them using the normal Android setting for that
>>> ('install certificates from SD card'), configured the Wireless
>>> Connection in Android, in FreeRadius told it to of course use the CA
>>> certificate and the Server certificate, customized the other settings,
>>> and... for 6 hours now I'm trying to get something to work that does not
>>> want to work. But worked yesterday --- and the years before it. Now,
>>> EAP-TLS doesn't work. If I try a simple username and password: that works.
>>> It's simply the certificates that don't work.
>>>
>>>
>>>
>>> Those are the errors:
>>>
>>>
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert
>>> read:fatal:certificate unknown
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept:
>>> Failed in
>>> SSLv3 read client certificate A
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in
>>> __FUNCTION__
>>> (SSL_read)
>>>
>>>
>>>
>>> Just to make sure: the certificate manager in pfSense generates all
>>> three certificates *and stores them*, and the FreeRadius package
>>> within the same pfSense uses two of these three certificates (once you
>>> point the package to the right certificates you generate,
>>> which I did). Meaning: it's all integrated.
>>>
>>>
>>>
>>> This first error: to who is the certificate unknown? To the
>>> smartphone? I've imported it 50.000 times again, and again, and again
>>> (really).
>>>
>>>
>>>
>>> I hope somebody can help me, because it all worked for years, and I
>>> have no clue anymore what to do, after all these long hours :(
>>>
>>>
>>>
>>> Thank you,
>>>
>>>
>>>
>>> Bye,
>>>
>>>
>>>
>>> PS I attached the debug log.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
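
The chain-file and PKCS12 steps from the reply at the top of this message, with checks that confirm each file before it goes onto the RADIUS server or the phone. This is an added example, not part of the original thread: it goes beyond the post by also testing a certificate issued by a different CA, and the lab CA, the certificate names, the `demo-only` password and the function names are all assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example. Every key, certificate, name and password below is a
# throwaway constructed for this demo; nothing comes from the thread.

new_ca() {      # $1=dir $2=name -> self-signed CA in $1/$2.key, $1/$2.crt
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
issue() {       # $1=dir $2=CA name $3=leaf name -> $1/$3.key, $1/$3.crt
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}
build_chain() { # the cat command from the post: server cert first, then CA
  cat "$1/server.crt" "$1/ca.crt" > "$1/server_chain.pem"
}
chain_ok() {    # two certs, the first is the server leaf, and it verifies
  local f="$1/server_chain.pem"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 2 ] &&
  openssl x509 -in "$f" -noout -subject | grep -q 'CN *= *server$' &&
  openssl verify -CAfile "$1/ca.crt" "$f" >/dev/null 2>&1
}
key_matches() { # $1=cert $2=key: same public key on both sides
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
export_p12() {  # client cert + private key + CA in one PKCS#12 bundle
  openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
    -certfile "$1/ca.crt" -name client -passout pass:demo-only \
    -out "$1/client.p12"
}
p12_cert_count() {
  openssl pkcs12 -in "$1/client.p12" -passin pass:demo-only -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
issued_by() {   # $1=CA cert $2=cert: fails if $2 does not chain to $1
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
new_ca "$d" ca && issue "$d" ca server && issue "$d" ca client
build_chain "$d" && chain_ok "$d" && echo "server chain: ok"
key_matches "$d/server.crt" "$d/server.key" && echo "server key: matches"
export_p12 "$d" && echo "client.p12 certificates: $(p12_cert_count "$d")"
new_ca "$d" other-ca && issue "$d" other-ca stale  # cert from a different CA
issued_by "$d/ca.crt" "$d/stale.crt" || echo "stale cert: not issued by ca.crt"
```

Pointed at real files, `issued_by` answers whether a client certificate chains to the CA the server is configured with, which is the first thing to confirm after regenerating a CA.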

