Possible certificatre problem
I followed the howto up til this: http://deployingradius.com/documents/configuration/ca_import.html Trying to connnect from a win 7, as described, via a hostapd based AP/NAS, I get this on the radiuserver. (61) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (61) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (61) eap_peap: ERROR: TLS_accept: Failed in unknown state (61) eap_peap: ERROR: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (61) eap_peap: ERROR: SSL_read failed inside of TLS (-1), TLS session failed (61) eap_peap: ERROR: TLS receive handshake failed during operation (61) eap_peap: ERROR: [eaptls process] = fail (61) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (61) eap: Sending EAP Failure (code 4) ID 55 length 4 I can read what it says, but I dont understand why it say so, if the howto is to be trustet. -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner
On Jul 2, 2016, at 7:48 AM, Henrik Kressner <kressner@synkro.dk> wrote:
(61) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (61) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
That's an alert from the client. It doesn't recognize the CA which signed the server certificate. Alan DeKok.
On 02-07-2016 14:54, Alan DeKok wrote:
On Jul 2, 2016, at 7:48 AM, Henrik Kressner <kressner@synkro.dk> wrote:
(61) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (61) eap_peap: ERROR: TLS Alert read:fatal:unknown CA That's an alert from the client. It doesn't recognize the CA which signed the server certificate.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks. I can se that, but why does it do that ? -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner kressner@synkro.dk Ingeniørfirmaet Synkro / Synkro Engineering Vædevej 64 5462 Morud http://www.synkro.dk Direkte 40 37 40 87
On 02-07-2016 15:02, Alan DeKok wrote:
On Jul 2, 2016, at 8:59 AM, Henrik Kressner <kressner@synkro.dk> wrote:
I can se that, but why does it do that ? Because the CA which signed the server certificate is not trusted by the Windows machine.
So... add it to the Windows CA list, and trust it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks. By the windows machine, what do you mean ? Its unclear in the howto if the windows machine act as a AP/NAS og as af station on the WLAN. I have copyed ca.der to the AP/NAS (running on a RPI) and i have configured with this line in hostapd.conf file: ca_cert=/etc/hostapd/ca.der I get no errors when I start hostapd. -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner kressner@synkro.dk Ingeniørfirmaet Synkro / Synkro Engineering Vædevej 64 5462 Morud http://www.synkro.dk Direkte 40 37 40 87
On Jul 2, 2016, at 9:27 AM, Henrik Kressner <kressner@synkro.dk> wrote: By the windows machine, what do you mean ?
You said:
Trying to connnect from a win 7, as described, via a hostapd based AP/NAS,
I mean *that* windows machine. What other windows machine would there be?
Its unclear in the howto if the windows machine act as a AP/NAS og as af station on the WLAN.
From the earlier quote, you're clear that the Windows machine is trying to connect, and that you have a separate AP. Now, you claim that you're not sure wether or not the Windows machine is acting as an AP. It's not complicated. You're making it complicated. Why?
I have copyed ca.der to the AP/NAS (running on a RPI) and i have configured with this line in hostapd.conf file:
<sigh> You said you had a Windows machine. I said to copy the CA to the Windows machine. You copied the CA to the access point running hostap. Why are you making this difficult? Alan DeKok.
I hope not everyone on this list has the self-important know-it-all attitude that Alan DeKok is displaying. Having just signed up because not everything "just works" I find his snotty remarks to be disheartening. If you can't be of assistance without the attitude don't provide it at all. On Sat, Jul 2, 2016 at 8:59 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 2, 2016, at 9:27 AM, Henrik Kressner <kressner@synkro.dk> wrote: By the windows machine, what do you mean ?
You said:
Trying to connnect from a win 7, as described, via a hostapd based AP/NAS,
I mean *that* windows machine.
What other windows machine would there be?
Its unclear in the howto if the windows machine act as a AP/NAS og as af station on the WLAN.
From the earlier quote, you're clear that the Windows machine is trying to connect, and that you have a separate AP.
Now, you claim that you're not sure wether or not the Windows machine is acting as an AP.
It's not complicated. You're making it complicated.
Why?
I have copyed ca.der to the AP/NAS (running on a RPI) and i have configured with this line in hostapd.conf file:
<sigh>
You said you had a Windows machine. I said to copy the CA to the Windows machine. You copied the CA to the access point running hostap.
Why are you making this difficult?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *James Louis* *Lead Systems Engineer* 4400 Baker Road, Minnetonka, MN 55343<br> CELL 612.203.2631 TOLL FREE 888-346-3486 x 622 | FAX 952-908-6129 http://www.peoplenetonline.com PeopleNet is the leading provider of fleet mobility systems to the transportation industry, including truckload, LTL, private, and energy service fleets.
On Jul 2, 2016, at 10:07 AM, Jim Louis <jlouis@peoplenetonline.com> wrote:
I hope not everyone on this list has the self-important know-it-all attitude that Alan DeKok is displaying. Having just signed up because not everything "just works" I find his snotty remarks to be disheartening. If you can't be of assistance without the attitude don't provide it at all.
You clearly have missed the main point of my comments. While the server isn't perfect, it's pretty good. And the documentation is pretty good. And the help here is pretty good. There is a *clear* difference between people who are here to solve problems, and people who get upset when the response to their question is "you made a mistake, go fix it". If you can't stand people being told they're wrong, go elsewhere. If you keep complaining and arguing about this topic, you will be unsubscribed and permanently banned. This is your only warning. Alan DeKok.
On 07/02/2016 04:07 PM, Jim Louis wrote:
I hope not everyone on this list has the self-important know-it-all attitude that Alan DeKok is displaying. Having just signed up because not everything "just works" I find his snotty remarks to be disheartening. If you can't be of assistance without the attitude don't provide it at all.
People on this list are actually very helpful in solving problems, including Alan. It is true, that if someone is ignorant, doesn't read the debug log or the documentation, etc it it pointed out very directly. But people actually get help. So perhaps next time you subscribe to a new list, wait a few days before you form an opinion about others. Laszlo
On Sat, Jul 2, 2016 at 8:59 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 2, 2016, at 9:27 AM, Henrik Kressner <kressner@synkro.dk> wrote: By the windows machine, what do you mean ?
You said:
Trying to connnect from a win 7, as described, via a hostapd based AP/NAS,
I mean *that* windows machine.
What other windows machine would there be?
Its unclear in the howto if the windows machine act as a AP/NAS og as af station on the WLAN.
From the earlier quote, you're clear that the Windows machine is trying to connect, and that you have a separate AP.
Now, you claim that you're not sure wether or not the Windows machine is acting as an AP.
It's not complicated. You're making it complicated.
Why?
I have copyed ca.der to the AP/NAS (running on a RPI) and i have configured with this line in hostapd.conf file:
<sigh>
You said you had a Windows machine. I said to copy the CA to the Windows machine. You copied the CA to the access point running hostap.
Why are you making this difficult?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 2, 2016, at 10:07 AM, Jim Louis <jlouis@peoplenetonline.com> wrote:
I hope not everyone on this list has the self-important know-it-all attitude that Alan DeKok is displaying. Having just signed up because not everything "just works" I find his snotty remarks to be disheartening. If you can't be of assistance without the attitude don't provide it at all.
If you ask your question in a succinct and well thought out way that shows you've done at lease some research you may get responses from other developers and list users. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 02-07-2016 15:59, Alan DeKok wrote:
On Jul 2, 2016, at 9:27 AM, Henrik Kressner <kressner@synkro.dk> wrote: By the windows machine, what do you mean ? You said:
Trying to connnect from a win 7, as described, via a hostapd based AP/NAS, I mean *that* windows machine.
What other windows machine would there be?
Its unclear in the howto if the windows machine act as a AP/NAS og as af station on the WLAN. From the earlier quote, you're clear that the Windows machine is trying to connect, and that you have a separate AP.
Now, you claim that you're not sure wether or not the Windows machine is acting as an AP.
It's not complicated. You're making it complicated.
Why?
I have copyed ca.der to the AP/NAS (running on a RPI) and i have configured with this line in hostapd.conf file: <sigh>
You said you had a Windows machine. I said to copy the CA to the Windows machine. You copied the CA to the access point running hostap.
Why are you making this difficult?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for you comment, but now you are making assumtion. I did asume that the station was the one that needed a certificat, but it did not say so in the howto, so I had to ask. And by the way, the howto say it is NOT needed to make a client certificate, so I should not asume there is a client, even though make is trying to make af client certificate, and ends up with an error, if you dont configure it. And again, a client in radius enviroment MUST BE a NAS, so howto is not consistent. Mayby thats why so many peable ask so many silly quistions. I could be complaining about the bad documentation, theres no need for that, it's bad, the hole net knows it, so let us try to do something about it. I would happely help making documentation for freeradius, I am wery good at that, but before I can do that, i need to find out how it work. Anyway. To me it looks like there is a need for certificate at the station, this means that self signed certificat is not usable in a production enviroment. Therefore I will conclude you ned a comersially certificate, if using freeradius in af production enviroment. It would be nice if that was there somewhere in the documentation, so you know that before you start. Then a quistion: Will freeradius work with letsencrypt certificate, has anybody tryed? Please correct me if my conclution is wrong. -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner
On Jul 2, 2016, at 10:47 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Thanks for you comment, but now you are making assumption.
I'm going by what you said. And what you said contradicts itself.
I did asume that the station was the one that needed a certificat, but it did not say so in the howto, so I had to ask.
The howto is correct. It tells you what you're supposed to do. If it doesn't say "put the certificate on the AP", then the certificate isn't on the AP. The howto has been up for about 15 years now. The *only* times that people have had problems with it are: 1) a few minor typos that were quickly fixed 2) when people don't follow the instructions.
And by the way, the howto say it is NOT needed to make a client certificate, so I should not asume there is a client, even though make is trying to make af client certificate, and ends up with an error, if you dont configure it.
And again, a client in radius enviroment MUST BE a NAS, so howto is not consistent.
The terminology is inconsistent, because the standards define the terms inconsistently. That's life.
I could be complaining about the bad documentation, theres no need for that, it's bad, the hole net knows it, so let us try to do something about it.
The problem is that you can't even follow the documentation which already exists.
To me it looks like there is a need for certificate at the station, this means that self signed certificat is not usable in a production environment.
No, and no. Both statements are wrong.
Therefore I will conclude you ned a comersially certificate, if using freeradius in af production environment.
No, that's wrong.
It would be nice if that was there somewhere in the documentation, so you know that before you start.
We don't mislead people in the documentation. So we don't add that.
Then a quistion: Will freeradius work with letsencrypt certificate, has anybody tried?
It's just a certificate.
Please correct me if my conclution is wrong.
I've been trying, believe me. And I'll note that you're (again) arguing here. And arguing about different topics. So I'll repeat myself: You need to put the CA on the Windows machine. Have you done that? a) yes - it will start working b ) no - you want to waste your time arguing instead of solving the problem. Alan DeKok.
On 02-07-2016 17:00, Alan DeKok wrote:
On Jul 2, 2016, at 10:47 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Thanks for you comment, but now you are making assumption. I'm going by what you said. And what you said contradicts itself.
This is going nowhere. Allan, as I know it, you are the only devoloper in the freeradius project, and I dont trust you. That means I dont trust freeradius, so I just leave the list and find another product, if it should be Microsoft based, so be it. You are welcome to contact me if you "come down to earth" some day, but til then, have a nice day. -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner
On Jul 2, 2016, at 11:21 AM, Henrik Kressner <kressner@synkro.dk> wrote:
This is going nowhere.
The only reason it's going nowhere is because you're not following instructions. It's not that complicated.
Allan, as I know it, you are the only devoloper in the freeradius project, and I dont trust you.
I'm not the only developer. That's easy to find out. And why the heck would you decide you can't trust me? That's just crazy talk.
That means I dont trust freeradius, so I just leave the list and find another product, if it should be Microsoft based, so be it.
And for any of those other products, you'll have to follow the same steps to get them configured.
You are welcome to contact me if you "come down to earth" some day, but til then, have a nice day.
i.e. you're not going to follow instructions and solve the problem. Well... I was going to tell you start following instructions or you would be unsubscribed and banned. After doing this for 20 years, I *still* don't understand why some people are utterly incapable of following the simplest of instructions, and why they get so offended when told they're less than perfect. Competent people can separate their ego from solving problems. I'm not here saying "how DARE you question me". You are. So... good riddance. Alan DeKok.
On Jul 2, 2016, at 11:21 AM, Henrik Kressner <kressner@synkro.dk> wrote:
On 02-07-2016 17:00, Alan DeKok wrote:
On Jul 2, 2016, at 10:47 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Thanks for you comment, but now you are making assumption. I'm going by what you said. And what you said contradicts itself.
This is going nowhere.
Allan, as I know it, you are the only devoloper in the freeradius project, and I dont trust you.
There are three core team members that have direct access to the git repository. I was ignoring your posts because they showed you hadn't done any background research, and i'd rather be writing code, to make FreeRADIUS better, than helping people who don't know how to import root CAs (under Windows‽), I mean really... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Sat, Jul 02, 2016 at 03:17:03PM -0400, Arran Cudbard-Bell wrote:
On Jul 2, 2016, at 11:21 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Allan, as I know it, you are the only devoloper in the freeradius project, and I dont trust you.
There are three core team members that have direct access to the git repository.
And plenty of others who regularly do pull requests. In terms of the original question - Take the root certificate of the CA that you generated the radius server certificate from, and import it into the correct place in the Windows certificate store. By "correct place", I mean which ever of the trusted root CA locations works for you. (Which is pretty much what Alan said in the first reply.) Some of us like to try and have weekends every now and then, so don't respond to questions all the time :) Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
On 3/07/2016, at 07:17, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I was ignoring your posts because they showed you hadn't done any background research, and i'd rather be writing code, to make FreeRADIUS better, than helping people who don't know how to import root CAs (under Windows‽), I mean really…
I’ve got a general comment about this thread, and I think this particular comment is a good segue. Not picking on you, Arran, though your comment certainly got me thinking for a couple of hours today. Also, this post got a bit more ramble-y than I intended so apologies for it’s length. I’ll preface this by saying I have no problem with the FreeRADIUS list. There is (at least in my observation) an expectation on this list of a knowledge of the RADIUS protocol, and surrounding systems (importing Windows CA certs, for example). To me and to I imagine most others on this list, these sorts of things are pretty elementary, though of course there certainly are times when I read a post and go off and do a bit of research myself - this list has brought me a great many starting points for curious learning. It seems to me that the documentation has a similar expectation. I’m not sure, but I don’t think that that same expectation exists on mailing lists for other open source software. It’s not clear to me whether that’s because of a decision to expect that level of knowledge, or if maybe it just seems that way because RADIUS is somewhat specialised so there are a lower % of people with high skill RADIUS/associated system knowledge (if you’re a corporate network admin, RADIUS is maybe 1% of your job, so it’s not something you’d deal with every day so there are few people with “expert” or even “good” knowledge). The skill level expectation for participants in this list and readers of the documentation is, to me, perfectly fine. FreeRADIUS is an implementation and is used as part of a solution, so should not be held responsible for the whole solution. People often post on this list and it’s clear that they’ve been told to “implement RADIUS” having no idea where to start, when really what they should have been told is to implement a solution for which a RADIUS server is a component. I do wonder whether it would be beneficial to have a more general use mailing list, maybe for beginner to medium skill level folks, where there is more expectation that we’ll have to explain things that seem to come up from time to time like in this thread. We could use this to build the wiki up - or perhaps another wiki so the FR wiki doesn’t get littered with 3rd party system mess - and start pointing users towards that. I’d be happy to help with this, and lend advice to folks who are looking for it. I have zero experience with corporate stuff (Windows, EAP, etc.), but 13 or so years on and off experience using FR in service provider environments in all manner of weird deployments. There is what seems to be pretty good, though somewhat outdated, documents on EAP TLS here https://freeradius.org/doc/EAPTLS.pdf <https://freeradius.org/doc/EAPTLS.pdf>, and an updated guide to some of the bits on the front page of http://deployingradius.com <http://deployingradius.com/>. Perhaps we can look to provide documentation or guides that start at a more fundamental and whole-solution level, for example explaining what a CA certificate is for in this context, what a client certificate is for, some diagrams of how the various systems interact (i.e. step by step where/what messages are sent) etc. Perhaps vendor specific implementation details (I certainly have a number of learnings about what does/doesn’t work well), etc. Again, I don’t think this is the responsibility of the FreeRADIUS project team, but perhaps with the right forum the community could be better at this stuff so that the core team can focus on writing code. -- Nathan Ward
On Jul 3, 2016, at 10:21 AM, Nathan Ward <lists+freeradius@daork.net> wrote:
There is (at least in my observation) an expectation on this list of a knowledge of the RADIUS protocol, and surrounding systems (importing Windows CA certs, for example). To me and to I imagine most others on this list, these sorts of things are pretty elementary, though of course there certainly are times when I read a post and go off and do a bit of research myself - this list has brought me a great many starting points for curious learning.
To a certain extent. The idea is that people should either know, *or* be prepared to learn. The people who have endless problems are the ones who aren't prepared to learn. The people who complain about how we're being mean aren't prepared to learn. It's that simple. Look at the comments on this thread: A: Have you done X? B: I did Y A: No, really, have you done X? B: I didn't understand X, so I did Z. There is just no excuse for such behaviour.
It seems to me that the documentation has a similar expectation.
That's why I wrote: http://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf New people should read it. It assumes pretty much nothing, and explains almost everything about RADIUS and how the server works. It doesn't discuss EAP, but that documentation is being worked on.
I’m not sure, but I don’t think that that same expectation exists on mailing lists for other open source software. It’s not clear to me whether that’s because of a decision to expect that level of knowledge, or if maybe it just seems that way because RADIUS is somewhat specialised so there are a lower % of people with high skill RADIUS/associated system knowledge (if you’re a corporate network admin, RADIUS is maybe 1% of your job, so it’s not something you’d deal with every day so there are few people with “expert” or even “good” knowledge).
I'm on a number of other open source lists. I just don't see the same level of bad questions, or the same push-back against *doing* anything. It's just not that difficult. When you ask a question, and get told to do something.... *do it*. Don't argue. Don't fight. 99.99% of the time, I start by being polite, and giving people help. But after 4-5 rounds of someone arguing and refusing to learn, my attitude changes to: follow instructions, or go away.
The skill level expectation for participants in this list and readers of the documentation is, to me, perfectly fine. FreeRADIUS is an implementation and is used as part of a solution, so should not be held responsible for the whole solution. People often post on this list and it’s clear that they’ve been told to “implement RADIUS” having no idea where to start, when really what they should have been told is to implement a solution for which a RADIUS server is a component.
That's fine. I used to be a teacher. I have endless patience for people who make forward progress. I was a RADIUS newbie once, too. It's OK to not be an expert. It's *not* OK to ignore the existing documentation, to ignore the help on the list, and then to complain we're being mean when we say "read the documentation". Again, the comments on this thread showed a mind-boggling refusal to follow the simplest of instructions: A: Put the CA cert on the Windows machine. B: OK, I put it on the AP. By the way, the documentation sucks because it doesn't say to put the CA cert on the AP A: It's not *supposed* to be on the AP, put it on the Windows machine! B: <cries hysterically> Why are you so mean? I'm going to run away and hide. Why? Just... why? I don't see such behaviour on other open source lists. Probably because the software is a lot simpler. DHCP and DNS are trivial compared to RADIUS. Create a config file, start the server, it serves data. With RADIUS, you have to understand not only client / server, but RADIUS client/server versus EAP client/server, SQL databases, LDAP certificates, and so on. There is a *huge* amount of knowledge required in order to configure something properly.
I do wonder whether it would be beneficial to have a more general use mailing list, maybe for beginner to medium skill level folks, where there is more expectation that we’ll have to explain things that seem to come up from time to time like in this thread. We could use this to build the wiki up - or perhaps another wiki so the FR wiki doesn’t get littered with 3rd party system mess - and start pointing users towards that.
I don't think another list is the solution. Even more documentation isn't necessarily the solution. There is a lot of documentation already. The people who have problems are the people who can't find it, or if they do find it, don't read it.
I’d be happy to help with this, and lend advice to folks who are looking for it. I have zero experience with corporate stuff (Windows, EAP, etc.), but 13 or so years on and off experience using FR in service provider environments in all manner of weird deployments.
Please. Any kind of documentation is always appreciated.
There is what seems to be pretty good, though somewhat outdated, documents on EAP TLS here https://freeradius.org/doc/EAPTLS.pdf , and an updated guide to some of the bits on the front page of http://deployingradius.com.
That would be appreciated.
Perhaps we can look to provide documentation or guides that start at a more fundamental and whole-solution level, for example explaining what a CA certificate is for in this context, what a client certificate is for, some diagrams of how the various systems interact (i.e. step by step where/what messages are sent) etc. Perhaps vendor specific implementation details (I certainly have a number of learnings about what does/doesn’t work well), etc.
That would be good.
Again, I don’t think this is the responsibility of the FreeRADIUS project team, but perhaps with the right forum the community could be better at this stuff so that the core team can focus on writing code.
We're already working on re-doing the web site, so the things *should* be easier to find. It will all be in github, and people will be able to submit pull requests. To start, even a few pages on the Wiki explaining EAP / certificates would be useful. We can then put links to that in the configuration files, so (hopefully) people will read them. Maybe even a big warning on the main web page saying "Here's a list of 20 technologies you may need to understand to use RADIUS. It's NOT just DHCP / DNS / web server. It's a LOT more complicated than that. Read, learn, and you can get it to do what you want". That will help. But there will always be the subset of people who just can't be bothered to read the documentation, even when pointed to it. Alan DeKok.
Hi,
And again, a client in radius enviroment MUST BE a NAS, so howto is not consistent.
there are 2 types a wireless or endpoint client (your typical OSX or Windows or IOS device....) and the RADIUS client - the Access Point or switch that the endpoint clients use to get their network access.
To me it looks like there is a need for certificate at the station, this means that self signed certificat is not usable in a production enviroment.
not true - we use local (self-signed) CA - its all about how you provision your clients (deployment tools help).
Therefore I will conclude you ned a comersially certificate, if using freeradius in af production enviroment. It would be nice if that was there somewhere in the documentation, so you know that before you start.
the document shouldnt say that as its not tru - especially as using a commercial certificate leaves you open to security issues (spoofing of your server against clients that cant check the CN)
Then a quistion: Will freeradius work with letsencrypt certificate, has anybody tryed?
...havent tested - if the LE cert doesnt have the right attributes that clients want (x509 extensions, SAN etc) then no alan
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Henrik Kressner -
Jim Louis -
Matthew Newton -
Nathan Ward -
Tornoci Laszlo