The CA.all and CA.certs scripts seem to not be included in the Freeradius 2.x tarball anymore. Have they just been forgotten, or have they been replaced by other scripts, or are there other recommended ways of handling/generating certs in 2.x? -- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
Perhaps you should bother reading the mysteriously named file README in /certs directory before asking questions. Ivan Kalik Kalik Informatika ISP Dana 7/10/2008, "Vegard Svanberg" <vegard@svanberg.no> piše:
The CA.all and CA.certs scripts seem to not be included in the Freeradius 2.x tarball anymore. Have they just been forgotten, or have they been replaced by other scripts, or are there other recommended ways of handling/generating certs in 2.x?
-- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
* tnt@kalik.net <tnt@kalik.net> [2008-10-07 12:13]:
Perhaps you should bother reading the mysteriously named file README in /certs directory before asking questions.
Seems the file got lost during the transition from 1.x. Thanks! -- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
* Vegard Svanberg <vegard@svanberg.no> [2008-10-07 12:16]:
Perhaps you should bother reading the mysteriously named file README in /certs directory before asking questions.
Seems the file got lost during the transition from 1.x. Thanks!
Hm, something is not working right, but I'm not sure where. Created (ca, server, client) certificates per the instructions in the README file. Enabled EAP-TLS in eap.conf and verified that paths etc are correct. Then created the client certificate and imported it on the client. -X gives me this before it fails: Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1497 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0393], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> testuser2 Also, openssl can't verify the generated client certificate: $ openssl verify -CAfile ca.pem client.pem client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/emailAddress=test@email error 20 at 0 depth lookup:unable to get local issuer certificate Oh BTW, there is a small error in the README, on line 132 it reads:
The users certificate will be in "commonName.pem", i.e. "user@example.com.pem".
This is wrong; the Makefile is using emailAddress. -- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
Try with ca-server bundle: cat ca.pem server.pem > cabundle.pem Use that as CAfile and export (appropriate version) to the clients. Ivan Kalik Kalik Informatika ISP Dana 8/10/2008, "Vegard Svanberg" <vegard@svanberg.no> piše:
* Vegard Svanberg <vegard@svanberg.no> [2008-10-07 12:16]:
Perhaps you should bother reading the mysteriously named file README in /certs directory before asking questions.
Seems the file got lost during the transition from 1.x. Thanks!
Hm, something is not working right, but I'm not sure where. Created (ca, server, client) certificates per the instructions in the README file. Enabled EAP-TLS in eap.conf and verified that paths etc are correct. Then created the client certificate and imported it on the client. -X gives me this before it fails:
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1497 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0393], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> testuser2
Also, openssl can't verify the generated client certificate:
$ openssl verify -CAfile ca.pem client.pem client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/emailAddress=test@email error 20 at 0 depth lookup:unable to get local issuer certificate
Oh BTW, there is a small error in the README, on line 132 it reads:
The users certificate will be in "commonName.pem", i.e. "user@example.com.pem".
This is wrong; the Makefile is using emailAddress.
-- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
* tnt@kalik.net <tnt@kalik.net> [2008-10-08 15:03]:
Try with ca-server bundle:
cat ca.pem server.pem > cabundle.pem
Use that as CAfile and export (appropriate version) to the clients.
Worked great, thanks! Perhaps the Makefile should be updated? -- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
That's just the ad-hoc solution for the error you reported (error 20 - incomplete chain). It might not be the best way of doing things. I don't use certificates that much. Others might know a better way of sorting this out. Ivan Kalik Kalik Informatika ISP Dana 8/10/2008, "Vegard Svanberg" <vegard@svanberg.no> piše:
* tnt@kalik.net <tnt@kalik.net> [2008-10-08 15:03]:
Try with ca-server bundle:
cat ca.pem server.pem > cabundle.pem
Use that as CAfile and export (appropriate version) to the clients.
Worked great, thanks!
Perhaps the Makefile should be updated?
-- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
tnt@kalik.net -
Vegard Svanberg