Problem Using GoDaddy Wildcard Certificate
Hello All, I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far: Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked. On Win 7, with "Validate ..." checked, I receive the following error: [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. The GoDaddy certs appear to have the necessary "XP Extensions". The following is reported under "Enhanced Key Usage" when I view the cert in Windows: Server Authentication (1.3.6.1.5.5.7.3.1) Client Authentication (1.3.6.1.5.5.7.3.2) Likewise, openssl reports: $ openssl x509 -in server.crt -text -noout | grep "Web Server" TLS Web Server Authentication, TLS Web Client Authentication The certification path for my cert is: My Cert > GoDaddy Secure Certification Authority > Go Daddy Class 2 Certification Authority I added my certificate to the beginning of the chain file provided by GoDaddy (used cat to ensure no errors) and pointed certificate_file to this. I then selected the "Go Daddy Class 2 Certification Authority" under the network profile. When this did not work, I imported the chain file into my Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in the wifi profile. This also did not work. Lastly, I cleaned up my certificate store, split apart the chain file into separate files, imported "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected the same in the wifi profile, and pointed certificate_file to my cert ONLY. Does anyone see a reason this should not work? Ideas on what to try next? Thank you.
Thomas Simmons wrote:
On Win 7, with "Validate ..." checked, I receive the following error:
[peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied
The Windows box is refusing to accept the servers certificate.
The GoDaddy certs appear to have the necessary "XP Extensions". The following is reported under "Enhanced Key Usage" when I view the cert in Windows: Server Authentication (1.3.6.1.5.5.7.3.1) Client Authentication (1.3.6.1.5.5.7.3.2)
OK.
I added my certificate to the beginning of the chain file provided by GoDaddy (used cat to ensure no errors) and pointed certificate_file to this. I then selected the "Go Daddy Class 2 Certification Authority" under the network profile. When this did not work, I imported the chain file into my Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in the wifi profile. This also did not work. Lastly, I cleaned up my certificate store, split apart the chain file into separate files, imported "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected the same in the wifi profile, and pointed certificate_file to my cert ONLY. Does anyone see a reason this should not work? Ideas on what to try next? Thank you.
Ask Microsoft why their software doesn't work. It sounds like you followed all of the right steps. Maybe you missed something minor (and critical). It's hard to say. There's a lot of magic in SSL. Alan DeKok.
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows. Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.
Hello Phil,
Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *. mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.
Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
Thomas, Most wildcard certificates that I have encountered do NOT include the domain, only subdomains. In other words "something.mydomain.com" would work but not simply "domain.com". I know you tried the actual CN, but perhaps some component is having an issue with the asterisk. If you wanted to make another test, you could try using a server name which is similar to something.mydomain.com. Jim L. On Mar 3, 2013, at 7:41 AM, Thomas Simmons <twsnnva@gmail.com> wrote:
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote: When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.
Hello Phil,
Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *.mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.
Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, Mar 3, 2013 at 9:09 AM, JDL <JDL@imaginenet.net> wrote:
Thomas,
Most wildcard certificates that I have encountered do NOT include the domain, only subdomains. In other words "something.mydomain.com" would work but not simply "domain.com". I know you tried the actual CN, but perhaps some component is having an issue with the asterisk. If you wanted to make another test, you could try using a server name which is similar to something.mydomain.com.
Jim L.
Hello Jim,
I tested using foo.mydomain.com, which resulted in the same error. I'm fairly certain Phil is correct that wildcard certs do not work for this purpose under Windows.
On Mar 3, 2013, at 7:41 AM, Thomas Simmons <twsnnva@gmail.com> wrote:
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.
Hello Phil,
Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *.mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.
Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Try with a private ca first, it'll save cash Thomas Simmons <twsnnva@gmail.com> wrote:
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.
Hello Phil,
Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *. mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.
Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
-- Sent from my mobile device, please excuse brevity and typos.
On Sun, Mar 3, 2013 at 10:03 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
Try with a private ca first, it'll save cash
I tested using a standard TLD domain cert that I have on-hand Of course, it works as expected. It appears you are indeed correct - wildcard certs do not work for this purpose under Windows. Thank you all for the help.
Thomas Simmons <twsnnva@gmail.com> wrote:
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.
Hello Phil,
Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *.mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.
Thomas Simmons <twsnnva@gmail.com> wrote:
Hello All,
I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:
Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required. Everything works with GoDaddy certs on Android. Everything works with GoDaddy certs and "Validate ..." unchecked.
-- Sent from my mobile device, please excuse brevity and typos.
-- Sent from my mobile device, please excuse brevity and typos.
Hi Thomas, Thomas Simmons wrote on 03.03.2013 03:28:
The certification path for my cert is: My Cert > GoDaddy Secure Certification Authority > Go Daddy Class 2 Certification Authority
I added my certificate to the beginning of the chain file provided by GoDaddy (used cat to ensure no errors) and pointed certificate_file to this. I then selected the "Go Daddy Class 2 Certification Authority" under the network profile. When this did not work, I imported the chain file into my Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in the wifi profile. This also did not work. Lastly, I cleaned up my certificate store, split apart the chain file into separate files, imported "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected the same in the wifi profile, and pointed certificate_file to my cert ONLY. Does anyone see a reason this should not work?
newer Windows versions do a fair bit of automagic when they have to deal with certificates, ie. o they do /not/ carry /a complete list of all/ Root-CA certificates that the system will eventually trust, instead they automatically download specific "pre-trusted" Root-CA certificates from some trusted Microsoft update server, once the user - doing a bit of internet browsing - encounters a server certificate that will eventually be validating its trust path to that Root-CA certificate /for the first time/. o they use the AIA (Authority Information Access) extension in the certificates (if present) to automatically download missing intermediate CA certificates from the URLs specified in the said certificates to auto-complete trustpaths. o they use the CDP (CRL distribution point) extension in the certificates (if present) to automatically download CRLs from the URLs specified in the said certificates. o they use the AIA (Authority Information Access) extension in the certificates (if present) to automatically ask an OCSP-responder for an up-to-date status of the said certificates. o they cache/store those downloaded bits of information My guess is that your Windows system run into some hen-egg-problem trying to download these things from the internet while not having a full internet connection.
Ideas on what to try next?
If you have that same wildcard certificate running on an SSL-web-server, get your Windows system connected to the Internet and browse to the HTTPS address of that web server *with IE*. Since the system has full Internet access it should download and store/cache all bits it is needing to successfully validate your wildcard certificate. You can check the Windows CRL and OCSP cache using C:\> certutil -URLCache CRL C:\> certutil -URLCache OCSP Then disconnect the system and try re-connecting it using the supplicant with eap-tls authentication. The system should hopefully use the validation info it collected when it was online before since it is then encountering the same wildcard certificate as before and accept your RADIUS-server certificate. This would at least proof my theory. I'm not sure if knowing why it is broken will still help you to use your wildcard cert...at least for freshly set-up Windows systems which were never connected to the Internet or which never have seen your wildcard certificate before when connected to the Internet it will be difficult. Just my 2 cents. Best Regards Reimer p.s. You can clear the Windows CRL and OCSP caches using C:\> certutil -URLCache CRL delete C:\> certutil -URLCache OCSP delete -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team) DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
participants (5)
-
Alan DeKok -
JDL -
Phil Mayers -
Reimer Karlsen-Masur, DFN-CERT -
Thomas Simmons