problem with CA certificate using mschapv2
Hi Im checking my configuration using freeradius 2.2.5 and I detect this error TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. Looking radiusd.conf all seems to be correct, but Im using TERENA CA and Im not sure which CA is the correct. Somebody knows how to concret the error? Is not reading CA? CA is not valid? Thanks -- For private content :-) Public key 0x0C05942A895BD10E FIngerprint 45B9 EC0B 58D5 B17C 8C37 95C3 0C05 942A 895B D10E
On Wed, Jan 21, 2015 at 11:10:23AM +0100, marcos wrote:
TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The client has got a problem with the CA.
Looking radiusd.conf all seems to be correct, but Im using TERENA CA and Im not sure which CA is the correct. Somebody knows how to concret the error? Is not reading CA? CA is not valid?
Is the CA cert (and all intermediate certs) installed on the client? If the intermediate certs are not installed on the client, are you sending them (in the right order) from the server? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi For private content :-) Public key 0x0C05942A895BD10E FIngerprint 45B9 EC0B 58D5 B17C 8C37 95C3 0C05 942A 895B D10E El 21/01/15 a las 12:26, Matthew Newton escribió:
On Wed, Jan 21, 2015 at 11:10:23AM +0100, marcos wrote:
TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. The client has got a problem with the CA.
Looking radiusd.conf all seems to be correct, but Im using TERENA CA and Im not sure which CA is the correct. Somebody knows how to concret the error? Is not reading CA? CA is not valid? Is the CA cert (and all intermediate certs) installed on the client? Yes, I was installing. The problem is that I don't know how to prepare the CA certificate for the server part. Im using TERENA: If the intermediate certs are not installed on the client, are you sending them (in the right order) from the server? Justly is the point where I don't know how to do. Only I discovered how to add the CA, but no the Intermediate certificates. I need to prepare a certificate joining all or I can mark different?
Thanks
Matthew
On Wed, Jan 21, 2015 at 12:38:31PM +0100, marcos wrote:
Yes, I was installing. The problem is that I don't know how to prepare the CA certificate for the server part. Im using TERENA:
If the intermediate certs are not installed on the client, are you sending them (in the right order) from the server? Justly is the point where I don't know how to do. Only I discovered how to add the CA, but no the Intermediate certificates. I need to prepare a certificate joining all or I can mark different?
Try: Root CA cert installed on the client device. .pem certificate file on FreeRADIUS containing (in this order): RADIUS server certificate Intermediate certifiate The root CA should not be necessary here to send to the client, as it already has it and can check the chain it was sent from the server. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Thanks, last information discovered is that CA certificate needs to have the intermediate CA included, but there is no instructions about how to do that. In Freeradius you need to create a ca-bundle file how apache? Thanks For private content :-) Public key 0x0C05942A895BD10E FIngerprint 45B9 EC0B 58D5 B17C 8C37 95C3 0C05 942A 895B D10E El 21/01/15 a las 13:11, Matthew Newton escribió:
On Wed, Jan 21, 2015 at 12:38:31PM +0100, marcos wrote:
Yes, I was installing. The problem is that I don't know how to prepare the CA certificate for the server part. Im using TERENA:
If the intermediate certs are not installed on the client, are you sending them (in the right order) from the server? Justly is the point where I don't know how to do. Only I discovered how to add the CA, but no the Intermediate certificates. I need to prepare a certificate joining all or I can mark different? Try:
Root CA cert installed on the client device.
.pem certificate file on FreeRADIUS containing (in this order):
RADIUS server certificate Intermediate certifiate
The root CA should not be necessary here to send to the client, as it already has it and can check the chain it was sent from the server.
Matthew
On Wed, Jan 21, 2015 at 02:03:35PM +0100, marcos wrote:
Thanks, last information discovered is that CA certificate needs to have the intermediate CA included, but there is no instructions about how to do that. In Freeradius you need to create a ca-bundle file how apache?
As I said in the last message - just cat the .pem files together in the right order. e.g. it will look something like: -----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE----- Matthew
.pem certificate file on FreeRADIUS containing (in this order):
RADIUS server certificate Intermediate certifiate
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Thank, Im receiving new messages from clients but now seems that are connecting! I see three certificates, how many I need to do the connection? Thanks For private content :-) Public key 0x0C05942A895BD10E FIngerprint 45B9 EC0B 58D5 B17C 8C37 95C3 0C05 942A 895B D10E El 21/01/15 a las 15:27, Matthew Newton escribió:
On Wed, Jan 21, 2015 at 02:03:35PM +0100, marcos wrote:
Thanks, last information discovered is that CA certificate needs to have the intermediate CA included, but there is no instructions about how to do that. In Freeradius you need to create a ca-bundle file how apache? As I said in the last message - just cat the .pem files together in the right order.
e.g. it will look something like:
-----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK ... Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ== -----END CERTIFICATE-----
Matthew
.pem certificate file on FreeRADIUS containing (in this order):
RADIUS server certificate Intermediate certifiate
On Jan 21, 2015, at 11:32 AM, marcos <deconya@riseup.net> wrote:
Thank, Im receiving new messages from clients but now seems that are connecting!
That’s good.
I see three certificates, how many I need to do the connection?
As many as you configured it to need. There’s nothing magic here. YOU configured a particular chain of certificates. A CA, client cert, etc. So YOU told it to require those certificates. So if you see three certificates, it’s because they are all needed. Alan DeKok.
On Wed, Jan 21, 2015 at 05:32:17PM +0100, marcos wrote:
I see three certificates
The last time I saw, TERENA had two intermediate certificates, so three on the server (two intermediates plus the server cert) sounds right. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Le 21/01/2015 11:10, marcos a écrit :
Looking radiusd.conf all seems to be correct, but Im using TERENA CA and Im not sure which CA is the correct. Somebody knows how to concret the error? Is not reading CA? CA is not valid?
We also use in our community in France Terena certificates. We use for CA 'Addtrust External CA Root'. It works without problems. Alain -- Administrateur Système/Réseau Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20) Centre de Recherche Alcatel Data IV - Marcoussis route de Nozay - 91460 Marcoussis Tel : 01-69-63-61-34
participants (4)
-
Alain Péan -
Alan DeKok -
marcos -
Matthew Newton