Freeradius with Docker - got Unknown CA error

Alan DeKok aland at
Fri Aug 9 02:29:44 CEST 2019

On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <sunjiuyu at> wrote:
> I have a working radiusd.conf which can do EAP-TLS authentication. I am
> able to run the FreeRadius server in Ubuntu directly. Now I am trying to
> make the FreeRadius server running in Docker and upload it to GCP. However,
> with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow
> CA".
> In my radiusd.conf, I have something like:

  That's all standard in the default configuration files.

> In my Dockerfile, I first have something like:
> WORKDIR /radius
> COPY radiusd.conf /radius
> COPY certs/ /radius/certs

  That should work.  See also:

  There are pre-built docker scripts for v3, and for the major Linux distributions.

> (4) eap_tls: <<< recv TLS 1.2  [length 0002]
> (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> (4) eap_tls: TLS_accept: Need to read more data: error
> (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca

  That's a message from the supplicant.  You configured the CA on FreeRADIUS, but not on the supplicant.

  Add the CA to the supplicant and it should work.

  Alan DeKok.

More information about the Freeradius-Users mailing list