(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Michel Verhagen mike at guruce.com
Thu Apr 15 07:08:42 CEST 2021

Thanks Alan,

> I'd grab the v3.0.x branch from GitHub.  I've gone through the TLS messages, and cleaned them up a LOT.
I'm running freeradius3 on a freebsd RPI2. "pkg info freeradius3" shows:

Name           : freeradius3
Version        : 3.0.21_1
Installed on   : Fri Nov  1 18:36:16 2019 NZDT
Origin         : net/freeradius3

Do I need a later version, and if yes; how do I get that? I'm a n00b 
when it comes to freebsd...

> How did you create the certs?  FreeRADIUS has scripts in raddb/scripts which work.  Doing it yourself might work, or might not.
By following the instructions in raddb/certs/README. Here's what I did 

Open an SSH terminal to the server. Login with un/pw freebsd/freebsd, 
then switch to root using “su root”.

In the SSH terminal, execute:

    cd /usr/share/zoneinfo
    ls -l

Now change folder into the time zone grouping folder, eg “CET”, 
“Pacific”, etc.:

    cd Pacific ls -l

Pick the correct time zone for your location from the list (in this 
example Pacific/Auckland), and execute:

    cp /usr/share/zoneinfo/Pacific/Auckland /etc/localtime

Now set the date and time (in this example we set 16 Feb 2021, 15:00, 
format is yymmddHHmm):

    date 2102161500

Execute “date” without any parameters to check if the time zone, date 
and time is set correctly:

    Tue Feb 16 15:00:24 NZDT 2021

Now we can (re)generate the certificates by executing the following 

    cd /usr/local/etc/raddb/certs
    mkdir bak
    cp -ipv * bak
    rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

The above commands first copy the existing certificate files to a folder 
“bak” under the certs folder, so that we can always go back to the 
originals if we have to. It then removes all existing certificate files 
and creates new certificate files with the correct date and time.

Please let me know if I missed a step or you see anything wrong here...

More information about the Freeradius-Devel mailing list