(pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
Hello, This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1). What has worked fine and suddenly stops working is EAP-TLS, with my Huawei Honor8 Pro Android 7.0 smartphone. Small background: my main pfSense box broke down, so I took my backup pfSense box, reinstalled pfSense, *created new CA certificate, Server certificate and User certificate*, connected my smartphone with USB cable to my PC, copied the CA cert and the User cert to the smartphone, installed them using the normal Android setting for that ('install certificates from SD card'), configured the Wireless Connection in Android, in FreeRadius told it to of course use the CA certificate and the Server certificate, customized the other settings, and. for 6 hours now I'm trying to get something to work that does not want to work. But worked yesterday --- and the years before it. Now, EAP-TLS doesn't work. If I try a simple username and password: that works. It's simply the certificates that doesn't work. Those are the errors: Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert read:fatal:certificate unknown Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read) Just to make sure: the certificate manager in pfSense generates all three certificates *and stores them*, and the FreeRadius package within the same pfSense uses two of these three certificates (once you tell you point the package to the right certificates you generate, which I did). Meaning: it's all integrated. This first error: to who is the certificate unknown? To the smartphone? I've imported it 50.000 times again, and again, and again (really). I hope somebody can help me, because it all worked for years, and I have no clue anymore what to do, after all these long hours L Thank you, Bye, PS I attached the debug log.
looks like your client (the smartphone) is presenting the wrong cert to the server alan
Hi, had a similar error recently with Android 7.x + FreeRadius 3.x the problem was the CA and the Cert FreeRadius presented to the world. The problem was fixed by merging the CA and the Certificate into one file that FreeRadius provides the complete chain. On the Android side importing the CA and 2 certs, one for WiFi, one for testing the cert chain with the corresponding options did the job. --- Sent from my iP... nah, sent from my coffee machine On Wed, 27 Dec 2017, noob wrote:
Hello,
This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
What has worked fine and suddenly stops working is EAP-TLS, with my Huawei Honor8 Pro Android 7.0 smartphone.
Small background: my main pfSense box broke down, so I took my backup pfSense box, reinstalled pfSense, *created new CA certificate, Server certificate and User certificate*, connected my smartphone with USB cable to my PC, copied the CA cert and the User cert to the smartphone, installed them using the normal Android setting for that ('install certificates from SD card'), configured the Wireless Connection in Android, in FreeRadius told it to of course use the CA certificate and the Server certificate, customized the other settings, and. for 6 hours now I'm trying to get something to work that does not want to work. But worked yesterday --- and the years before it. Now, EAP-TLS doesn't work. If I try a simple username and password: that works. It's simply the certificates that doesn't work.
Those are the errors:
Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert read:fatal:certificate unknown
Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
Just to make sure: the certificate manager in pfSense generates all three certificates *and stores them*, and the FreeRadius package within the same pfSense uses two of these three certificates (once you tell you point the package to the right certificates you generate, which I did). Meaning: it's all integrated.
This first error: to who is the certificate unknown? To the smartphone? I've imported it 50.000 times again, and again, and again (really).
I hope somebody can help me, because it all worked for years, and I have no clue anymore what to do, after all these long hours L
Thank you,
Bye,
PS I attached the debug log.
Hi,
Thank you.
That sounds very complex for a noob like me. How would one do that, "merging the CA and the cert into one file"?
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+reclamezooi=dorfox.com@lists.freeradius.org] On Behalf Of Tommy
> Scheunemann
> Sent: woensdag 27 december 2017 11:33
> To: FreeRadius users mailing list
> Subject: Re: (pfSense + Android): eap_tls: ERROR: TLS Alert
> read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3
> read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
>
> Hi,
>
> had a similar error recently with Android 7.x + FreeRadius 3.x the problem was
> the CA and the Cert FreeRadius presented to the world.
> The problem was fixed by merging the CA and the Certificate into one file that
> FreeRadius provides the complete chain.
> On the Android side importing the CA and 2 certs, one for WiFi, one for testing
> the cert chain with the corresponding options did the job.
>
> ---
> Sent from my iP... nah, sent from my coffee machine
>
> On Wed, 27 Dec 2017, noob wrote:
>
> > Hello,
> >
> >
> >
> > This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
> >
> >
> >
> > What has worked fine and suddenly stops working is EAP-TLS, with my
> > Huawei
> > Honor8 Pro Android 7.0 smartphone.
> >
> >
> >
> > Small background: my main pfSense box broke down, so I took my backup
> > pfSense box, reinstalled pfSense, *created new CA certificate, Server
> > certificate and User certificate*, connected my smartphone with USB
> > cable to my PC, copied the CA cert and the User cert to the
> > smartphone, installed them using the normal Android setting for that
> > ('install certificates from SD card'), configured the Wireless
> > Connection in Android, in FreeRadius told it to of course use the CA
> > certificate and the Server certificate, customized the other settings,
> > and. for 6 hours now I'm trying to get something to work that does not
> > want to work. But worked yesterday --- and the years before it. Now,
> > EAP-TLS doesn't work. If I try a simple username and password: that works.
> It's simply the certificates that doesn't work.
> >
> >
> >
> > Those are the errors:
> >
> >
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert
> > read:fatal:certificate unknown
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept:
> > Failed in
> > SSLv3 read client certificate A
> >
> > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in
> > __FUNCTION__
> > (SSL_read)
> >
> >
> >
> > Just to make sure: the certificate manager in pfSense generates all
> > three certificates *and stores them*, and the FreeRadius package
> > within the same pfSense uses two of these three certificates (once you
> > tell you point the package to the right certificates you generate,
> > which I did). Meaning: it's all integrated.
> >
> >
> >
> > This first error: to who is the certificate unknown? To the
> > smartphone? I've imported it 50.000 times again, and again, and again
> (really).
> >
> >
> >
> > I hope somebody can help me, because it all worked for years, and I
> > have no clue anymore what to do, after all these long hours L
> >
> >
> >
> > Thank you,
> >
> >
> >
> > Bye,
> >
> >
> >
> > PS I attached the debug log.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
a simple:
cat your_server_cert.crt your_root.ca > server.crt
should do it so the full chain of your root + your server certificate is
provided.
For the client side exporting the client cert, client private key and your
CA into a PKCS12, then importing it on your Android device should do it.
---
Sent from my iP... nah, sent from my coffee machine
On Wed, 27 Dec 2017, noob wrote:
> Hi,
>
> Thank you.
>
> That sounds very complex for a noob like me. How would one do that, "merging the CA and the cert into one file"?
>
>
>
>> -----Original Message-----
>> From: Freeradius-Users [mailto:freeradius-users-
>> bounces+reclamezooi=dorfox.com@lists.freeradius.org] On Behalf Of Tommy
>> Scheunemann
>> Sent: woensdag 27 december 2017 11:33
>> To: FreeRadius users mailing list
>> Subject: Re: (pfSense + Android): eap_tls: ERROR: TLS Alert
>> read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3
>> read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
>>
>> Hi,
>>
>> had a similar error recently with Android 7.x + FreeRadius 3.x the problem was
>> the CA and the Cert FreeRadius presented to the world.
>> The problem was fixed by merging the CA and the Certificate into one file that
>> FreeRadius provides the complete chain.
>> On the Android side importing the CA and 2 certs, one for WiFi, one for testing
>> the cert chain with the corresponding options did the job.
>>
>> ---
>> Sent from my iP... nah, sent from my coffee machine
>>
>> On Wed, 27 Dec 2017, noob wrote:
>>
>>> Hello,
>>>
>>>
>>>
>>> This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
>>>
>>>
>>>
>>> What has worked fine and suddenly stops working is EAP-TLS, with my
>>> Huawei
>>> Honor8 Pro Android 7.0 smartphone.
>>>
>>>
>>>
>>> Small background: my main pfSense box broke down, so I took my backup
>>> pfSense box, reinstalled pfSense, *created new CA certificate, Server
>>> certificate and User certificate*, connected my smartphone with USB
>>> cable to my PC, copied the CA cert and the User cert to the
>>> smartphone, installed them using the normal Android setting for that
>>> ('install certificates from SD card'), configured the Wireless
>>> Connection in Android, in FreeRadius told it to of course use the CA
>>> certificate and the Server certificate, customized the other settings,
>>> and. for 6 hours now I'm trying to get something to work that does not
>>> want to work. But worked yesterday --- and the years before it. Now,
>>> EAP-TLS doesn't work. If I try a simple username and password: that works.
>> It's simply the certificates that doesn't work.
>>>
>>>
>>>
>>> Those are the errors:
>>>
>>>
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert
>>> read:fatal:certificate unknown
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept:
>>> Failed in
>>> SSLv3 read client certificate A
>>>
>>> Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in
>>> __FUNCTION__
>>> (SSL_read)
>>>
>>>
>>>
>>> Just to make sure: the certificate manager in pfSense generates all
>>> three certificates *and stores them*, and the FreeRadius package
>>> within the same pfSense uses two of these three certificates (once you
>>> tell you point the package to the right certificates you generate,
>>> which I did). Meaning: it's all integrated.
>>>
>>>
>>>
>>> This first error: to who is the certificate unknown? To the
>>> smartphone? I've imported it 50.000 times again, and again, and again
>> (really).
>>>
>>>
>>>
>>> I hope somebody can help me, because it all worked for years, and I
>>> have no clue anymore what to do, after all these long hours L
>>>
>>>
>>>
>>> Thank you,
>>>
>>>
>>>
>>> Bye,
>>>
>>>
>>>
>>> PS I attached the debug log.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
noob -
Tommy Scheunemann