tnt@kalik.net wrote:
So the problem is in certificate:
[tls] <<< TLS 1.0 Handshake [length 038d], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
That means that you haven't imported self-signed ca certificate onto the client.
# openssl verify -CApath ca.pem client.pem client.pem: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com error 20 at 0 depth lookup:unable to get local issuer certificate
I'm little bit confused, I created the client certificate using make client.
Which uses server certificate to sign client certificates.
Isn't possible that freeradius Makefile is buggy?
No. Try verify with server certificate (as it is done in Makefile).
# c_rehash . # openssl verify -CApath . client.pem client.pem: OK # openssl verify -CApath . server.pem server.pem: OK Also tried modify wpa_supplicant conf: - ca_cert="ca.pem" + ca_cert="server.pem" But with the same result. -- Tom Key fingerprint = 06C0 23C6 9EB7 0761 9807 65F4 7F6F 7EAB 496B 28AA