Wild Card GoDaddy cert
Hi, I have a wildcard cert from godaddy.com. I have tested the cert on Microsoft NPS & IAS and it works fine. I'm sure it will work in freeradius too, however I can't figure it out. I have godaddy.crt bundl.e.crt & godaddy.key. I have added these to freeradius however it does work. This is what windows does when I don't validate certificates [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server Cerebus This is a successfull auth on my linux client [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/godaddy.key certificate_file = ${certdir}/godaddy.crt dh_file = ${certdir}/dh random_file = ${certdir}/random } So Im not sure if its got to do with no using the cert chain or what I'm doing wrong but would appreciate any guidance
Ryan De Kock wrote:
I have a wildcard cert from godaddy.com.
I have tested the cert on Microsoft NPS & IAS and it works fine.
The issue isn't the server. It's the client.
I'm sure it will work in freeradius too, however I can't figure it out.
I have godaddy.crt bundl.e.crt & godaddy.key.
I have added these to freeradius however it does work.
This is what windows does when I don't validate certificates
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied
That is the client saying it didn't like the certificate from the server.
So Im not sure if its got to do with no using the cert chain or what I'm doing wrong but would appreciate any guidance
You need to include ALL of the certs in the chain. This includes the godaddy CA cert. Try "openssl verify" on the godaddy certificate. If it gives errors, that's the problem. Alan DeKok.
Ryan, Wildcard server certificates are not supported by EAPHost in Windows. You need to use a different certificate. http://technet.microsoft.com/en-gb/cc730460.aspx Regards, Nick
participants (3)
-
Alan DeKok -
Nick Lowe -
Ryan De Kock