eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Wed Nov 27 23:32:27 CET 2019

On Nov 27, 2019, at 7:10 AM, L. Rose <lists at lrose.de> wrote:
> First, thanks a lot for the help so far. I'm still trying to fix this issue, and it's really nice to be able to talk to some experts.
>>   Maybe set "min_tls_version = 1.2"
> I tried adding "tls_min_version = 1.2" (as I suppose that's the correct spelling of that option),

  Yes, that's right.

> but it didn't change the behavior. It still works on versions before #8e54822d..., and fails on versions after and including #8e54822d...
> However, I found out that adding auto_chain = no does indeed change something. It doesn't cause the newer (failing) versions to work (which is what I tested yesterday), but it also causes the older (working) versions to fail as well. Maybe our certificate chain isn't in order? What order is needed?

  From the comments in mods-available/eap:

		#  This file should contain the server certificate,
		#  followed by intermediate certificates, in order.
		#  i.e. If we have a server certificate signed by CA1,
		#  which is signed by CA2, which is signed by a root
		#  CA, then the "certificate_file" should contain
		#  server.pem, followed by CA1.pem, followed by
		#  CA2.pem.

>>   In the end, this is a certificate / OpenSSL issue.  FreeRADIUS just calls OpenSSL for the SSL magic.  If there's an issue with that, it is very rarely the fault of FreeRADIUS.
> But if it's an OpenSSL issue, how can changing the freeradius build version have an impact? Doesn't it need to be somewhat related to freeradius, if downgrading fixes the issue?

  The patch asks OpenSSL to do a little more work.  Apparently this breaks things.

> And I thought that the error message "unknown CA" is issued by the client, as the client is rejecting the certificate when using newer versions of freeradius. Am I wrong?

  It could come from either end.  But here it's likely coming from the client.

  The issue then is that the certificate chain sent by the server uses a CA which the client doesn't know.  *Or* the certificate chain is missing a CA.

  Follow the instructions above to order the certificates properly, and it should work.  For some unknown reason, OpenSSL is unable to correctly produce certificate chains itself.  Spoon-feeding OpenSSL will fix that problem.

  Alan DeKok.
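
One way to check the ordering that the mods-available/eap comment quoted above requires, as an added example that is not part of the original message or of FreeRADIUS. The function names are hypothetical, the sample certificates are constructed skeletons (names only, unsigned), and the check compares raw DER issuer and subject bytes without verifying signatures.

```python
import base64, re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names from an X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, end = read_tlv(der, cert_start)        # tbsCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 5:
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0xA0:                            # skip optional [0] version
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]    # serial, sigAlg, ISSUER, validity, SUBJECT

def chain_order_problems(pem_text):
    """List positions where cert N is not issued by cert N+1 in the file."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- constructed sample data: skeleton certificates, short-form lengths only ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def name(cn):                                      # Name with a single CN attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def skeleton_pem(subject, issuer):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    body = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

server, ca1, ca2 = skeleton_pem("server", "CA1"), skeleton_pem("CA1", "CA2"), skeleton_pem("CA2", "Root")
GOOD = server + ca1 + ca2      # server.pem, then CA1.pem, then CA2.pem
BAD = server + ca2 + ca1       # intermediates swapped

if __name__ == "__main__":
    print(chain_order_problems(GOOD), chain_order_problems(BAD))
```

To use it on a real deployment, pass the text of the file named by "certificate_file" to chain_order_problems(); an empty list means each certificate is followed by its issuer.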
