eap_peap: ERROR: TLS Alert read:fatal:unknown CA

L. Rose lists at lrose.de
Wed Nov 27 13:10:56 CET 2019


First, thanks a lot for the help so far. I'm still trying to fix this 
issue, and it's really nice to be able to talk to some experts.
>    Maybe set "min_tls_version = 1.2"

I tried adding "tls_min_version = 1.2" (as I suppose that's the correct 
spelling of that option), but it didn't change the behavior. It still 
works on versions before #8e54822d..., and fails on versions after and 
including #8e54822d...

However, I found out that adding auto_chain = no does indeed change 
something. It doesn't cause the newer (failing) versions to work (which 
is what I tested yesterday), but it also causes the older (working) 
versions to fail as well. Maybe our certificate chain isn't in order? 
What order is needed?

>    In the end, this is a certificate / OpenSSL issue.  FreeRADIUS just calls OpenSSL for the SSL magic.  If there's an issue with that, it is very rarely the fault of FreeRADIUS.

But if it's an OpenSSL issue, how can changing the FreeRADIUS build 
version have an impact? Doesn't it need to be somewhat related to 
FreeRADIUS, if downgrading fixes the issue?

And I thought that the error message "unknown CA" is issued by the 
client, as the client is rejecting the certificate when using newer 
versions of FreeRADIUS. Am I wrong?

Thanks again for your time,

Lukas


