Sergio escribió:
HI, continuing with Reveal MAP problem with unknown ca's under eap-tls using default configuration....
private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem
freeradius tell me this:
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate --> verify error:num=24:invalid CA certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA
well, it isn't a problem:
cp server.pem root.pem cat ca.pem >> root.pem then I change CA_file = ${cadir}/root.pem
......and.....eureka!!!! authentication succesfully ....but
now there is a problem to check the CRL because root.pem then, something is wrong before making root.pem.
....well, just tell freeradius how to find certificates....
c_rehash /usr/local/etc/raddb/certs also doesn't works I think Reveal had the same problem and I have read about this on mailing list but nothing.
Also I've tried to install ca.pem on /etc/ssl/certs using "ln -s". Has somebody encountered problems with this apart from Reveal MAP and me?
P.D. route certification into windows isn't a problem, only tell xp_supplicant who is root authority (It was logical)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Also me, sergio restarting: private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0 portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0 portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw lrwxrwxrwx 1 root root 6 2008-07-23 02:47 16593b28.0 -> ca.pem lrwxrwxrwx 1 root root 10 2008-07-23 02:49 7d18a7eb.0 -> server.pem portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem server.pem: OK portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt client.crt: OK and then, the user is rejected. The other configuration files are ok, also wpa_supplicant. look at this Reveal, be brave jejeje. am I forgetting something? I have two other eap modules working ok with a diferent authority than the server's and I'm really intrigue about this. somebody joins? jeje regards :)