Failure with "TLS authentication" and "Freeradius on Fefora-17"

John Dennis jdennis at
Mon Jan 7 21:14:53 CET 2013

On 01/07/2013 02:41 PM, Ajay Garg wrote:
> Upon restarting, it shows a "missing server.pem" error.
> I reckon that we need to run "make server" too at some point of time (so
> that "server.pem" gets generated after "make destroycerts").

make destroycerts should have removed all the pem files and keys. After 
running make again it will generate all new files. client has a 
dependency on ca and server files so it should have created a new ca, 
new server key and cert, a new client cert. Did it?

Just to be clear, your client needs to trust the CA that signed your 
server cert and the server needs to trust the CA that signed your client 
cert. Typically those are located on two different machines. Make sure 
those line up or you're doomed. It's not clear to me which machines 
you're running these commands on and where you're copying the resulting 
files, but that's critical to get right. You can  use the same CA to 
sign both the server cert and the client cert, but that's not a 
requirement, it just helps simplify the deployment a tad bit.

> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
> via "make server", or the one generated via "make client"?

Argh... you really need to be much more clear with what you're doing. If 
you're running the cert creation commands on different machines and 
leaving the results on that machine this will never work.

SIGNER (issuing CA) and how that translates to the configuration 
parameters for each software component (see above).

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list