Thanks John<br><br>I am indeed looking for a ground-zero-solution :)<br><br><br><div class="gmail_quote">On Tue, Jan 8, 2013 at 12:14 AM, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 01/07/2013 12:18 PM, Ajay Garg wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Alan, and A.L.M.<br>
<br>
I too thought the same looking at the "decrypt failure messages".<br>
<br>
As I said in my initial mail on this thread, the procedure:<br>
<br>
su -<br>
cd /etc/raddb/certs<br>
make clean<br>
make client.pem<br>
<br>
makes TLS-authentication work perfectly fine for Fedora-14-freeradius,<br>
but not for Fedora-17-freeradius (and I am talking of the vanilla<br>
"gnome-way" of connecting, as is evident from the snapshot).<br>
</blockquote>
<br></div>
First of all there is no such version as Fedora-XX-freeradius, there is however the version of freeradius which happens to be installed. At different points in time Fedora releases will have had different versions of freeradius available. You can find out which version you have installed via either<br>
<br>
rpm -q freeradius<br>
<br>
or<br>
<br>
yum info freeradius<br>
<br>
It's a little hard to tell from your series of steps but I suspect you're not using a client cert signed by the CA you've configured.<br>
<br>
Or the issuing signer (the CA) cert has expired. We deliberately set the validity period to a very short value (60 days) on the *temporary* certs which get created during the freeradius server install to force you to pay attention to the fact these are temporary certs created during install to play around with and are not appropriate for deployment (at least not without editing the configuration files to set the values to your organization).<br>
<br>
Thus I would check the following:<br>
<br>
1) Is the CA cert still valid?<br>
<br>
2) Is the CA cert used to sign the client cert the same one in the CA cert bundle the server is using.<br>
<br>
You could go back to square one if the above does not help you.<br>
<br>
1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory and running "make destroycerts"<br></blockquote><div><br>Done.<br><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
2) Then run "make client", that should recreate *both* the CA cert and the server cert first, then it will create the client cert signed by the new CA.<br></blockquote><div><br>Done.<br><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
3) restart the server and redeploy the client cert.</blockquote><div><br>Upon restarting, it shows a "missing server.pem" error.<br>I reckon that we need to run "make server" too at some point of time (so that "server.pem" gets generated after "make destroycerts").<br>
<br>HOWEVER, I am now confused which "ca.pem" to consider, the one generated via "make server", or the one generated via "make client"?<br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Do certs need to be generated differently in Fedora-17 freeradius?<br>
</blockquote>
<br>
<br>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><br>
<br>
Looking to carve out IT costs?<br>
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Ajay<br>
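The two checks John lists (is the CA cert still valid, and is client.pem really signed by the CA the server trusts) can be run directly against the cert directory with openssl. This script is an added example, not something posted by John or Ajay; it assumes the default file names from /etc/raddb/certs (ca.pem, client.pem) and takes the directory as an argument so it can be pointed at a copy.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies the two conditions that make
# EAP-TLS fail with "decrypt failure"-style errors after the certs were regenerated:
#   1) ca.pem has expired (the install-time certs are deliberately short-lived)
#   2) client.pem was not issued by the CA in ca.pem (e.g. CA regenerated, old client cert kept)
# Assumes the default FreeRADIUS file names; the directory is the first argument.
# Return codes: 0 = both checks pass, 1 = CA cert expired,
#               2 = client.pem does not chain to ca.pem, 3 = a file is missing.
check_raddb_certs() {
    dir="${1:-/etc/raddb/certs}"
    for f in ca.pem client.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 3; }
    done
    # -checkend 0 fails if the cert is already past notAfter
    if ! openssl x509 -in "$dir/ca.pem" -noout -checkend 0 >/dev/null; then
        echo "CA cert has expired:" >&2
        openssl x509 -in "$dir/ca.pem" -noout -enddate >&2
        return 1
    fi
    # Chain check: client.pem must verify against exactly the CA the server uses
    if ! openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1; then
        echo "client.pem does not chain to $dir/ca.pem (signed by a different or older CA?)" >&2
        return 2
    fi
    echo "ok: CA cert valid and client.pem is signed by it"
    return 0
}
# usage: check_raddb_certs /etc/raddb/certs
```

If the result is 2 after a "make destroycerts" / "make client" cycle, the client still carries a cert from the previous CA and has to be redeployed with the newly generated client.pem.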