unknown CA when trying to authenticate

Alan DeKok aland at deployingradius.com
Wed Feb 24 13:56:35 CET 2021

On Feb 24, 2021, at 3:00 AM, Carsten Schulze <carsten.schulze at leuphana.de> wrote:
> I got the same problem after a Debian upgrade from 9 to 10 and it was not a client problem!
> Our CA: Root-CA - Intermediate CA - CA
> The solution for me
> //in mods-enabled/eap
> #ca_file = ${certdir}/ca-gen2.pem <- Dont use this - put your CAs into certificate_file!
>  certificate_file = ${certdir}/radius1w.company.de.pem <-Now: Certificate - CA - Inter-CA - RootCA
> Restart. Works!

  OpenSSL sometime changes how they do things internally, which means behavioural changes in TLS.  This is unfortunate.  We've had to add code to FreeRADIUS to tell OpenSSL "No, don't do what you want, do what we tell you to do".

  Generally, it's good to put all of the certificates into "certificate_file" as per the docs.  But it doesn't always work for everyone.

> Maybe this might help as well:
> http://blog.rchapman.org/posts/Troubleshooting_EAP-TLS_with_freeradius/

  A good chunk of that is copied from my page, which is 10 years older.  And a lot isn't relevant.  But whatever.

  Alan DeKok.

More information about the Freeradius-Users mailing list