Freeradius with Docker - got Unknown CA error
sunjiuyu at gmail.com
Fri Aug 9 02:51:18 CEST 2019
Thanks Alan for the quick response!
I am using eapol_test to send the request with the ca.pem, but still got
the Unknown CA error:
$ eapol_test -c eap-tls.conf -a 126.96.36.199 -s myRandomPass -o eap-tls.out
In my eap-tls.conf:
ca_cert="ca.pem" // The same ca.pem in Free Radius
On Thu, Aug 8, 2019 at 5:30 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <sunjiuyu at gmail.com> wrote:
> > I have a working radiusd.conf which can do EAP-TLS authentication. I am
> > able to run the FreeRadius server in Ubuntu directly. Now I am trying to
> > make the FreeRadius server run in Docker and upload it to GCP.
> > With the same radiusd.conf, I got the error "TLS Alert read:fatal:unknown
> > CA".
> > In my radiusd.conf, I have something like:
> That's all standard in the default configuration files.
> > In my Dockerfile, I first have something like:
> > WORKDIR /radius
> > COPY radiusd.conf /radius
> > COPY certs/ /radius/certs
> That should work. See also:
> There are pre-built docker scripts for v3, and for the major Linux
> > (4) eap_tls: <<< recv TLS 1.2 [length 0002]
> > (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> > (4) eap_tls: TLS_accept: Need to read more data: error
> > (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
> > routines:ssl3_read_bytes:tlsv1 alert unknown ca
> That's a message from the supplicant. You configured the CA on
> FreeRADIUS, but not on the supplicant.
> Add the CA to the supplicant and it should work.
> Alan DeKok.
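The point in the reply above is that "TLS Alert read" means the server received the alert, so the supplicant is the side that rejected the certificate. The following is an added example, not part of the original thread or of FreeRADIUS: it classifies alert lines from radiusd debug output by sender. It assumes alerts sent by the server are logged in the same format with "write" in place of "read"; the sample log is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug lines quoted in the thread.
# Only the first alert is from the thread; the "write" and "certificate
# expired" lines are made up for illustration.
SAMPLE_LOG = """\
(4) eap_tls: <<< recv TLS 1.2  [length 0002]
(4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_tls: TLS_accept: Need to read more data: error
(7) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
(9) eap_tls: ERROR: TLS Alert read:fatal:certificate expired
"""

ALERT_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+eap_tls:.*?TLS Alert "
    r"(?P<dir>read|write):(?P<level>warning|fatal):(?P<desc>.+?)\s*$"
)

# "read"  = the server received the alert, so the supplicant raised it.
# "write" = the server raised it (assumed to be logged in the same format).
SENDER = {"read": "supplicant", "write": "server"}

def hint(sender, desc):
    """Say which side's trust configuration to inspect for a given alert."""
    if desc.lower() == "unknown ca":
        if sender == "supplicant":
            return ("supplicant does not trust the issuer of the server "
                    "certificate: check its ca_cert setting")
        return ("server does not trust the issuer of the client "
                "certificate: check the CA configured on the server")
    return f"alert raised by the {sender}: inspect the certificate it received"

def classify_alerts(log_text):
    """Return one finding per TLS alert line found in radiusd debug output."""
    findings = []
    for line in log_text.splitlines():
        # Drop e-mail quote markers so pasted list posts parse as well.
        m = ALERT_RE.match(line.lstrip("> ").strip())
        if m:
            sender = SENDER[m["dir"]]
            findings.append({"request": int(m["req"]), "sender": sender,
                             "level": m["level"], "alert": m["desc"],
                             "hint": hint(sender, m["desc"])})
    return findings

if __name__ == "__main__":
    for f in classify_alerts(SAMPLE_LOG):
        print(f"({f['request']}) {f['sender']} sent {f['level']} "
              f"'{f['alert']}' -> {f['hint']}")
```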