EAP-TLS unable to get local issuer certificate
MH
h33927318 at gmail.com
Tue Jun 6 11:54:01 UTC 2023
Hello,
I am trying to set up EAP-TLS and I am getting the RADIUS server error "eap_tls: (TLS) OpenSSL says error 20 : unable to get local issuer certificate", "send TLS 1.2 Alert, fatal unknown_ca".
Test client is wpa_supplicant 2.1 built on Ubuntu Linux 22.04.2.
All tests are done locally on FreeRadius server 3.2.3 (Ubuntu Linux 22.04.2)
When I test "client.crt" with "openssl verify ./client.crt" I get "OK". Specifying the -CAfile OpenSSL parameter with the chained CA cert also produces "OK".
All CA certificates (there is also an intermediate certificate) are in /etc/freeradius/certs, /etc/freeradius/certs_eaptls and also /usr/lib/ssl/cert.
One certificate per file.
FreeRadius's EAP-TLS stanza is
cadir = ${certdir}/certs_eaptls
private_key_file = ${certdir}/rad.key
certificate_file = ${certdir}/rad.crt
auto_chain = no
Server and client certificates are signed by different commercial CA.
All certificates have intermediate CA.
eapol_test config file for EAP-TLS is
network={
key_mgmt=WPA-EAP
eap=TLS
identity="blabla at domain.tld"
ca_cert="/etc/ssl/certs/chain.crt"
client_cert="client.crt"
private_key="client.key"
private_key_passwd="blabla"
}
AppArmor disabled.
Permissions for all certs are r--r--r-- (at least).
OpenSSL rehash done.
I have no idea what could be wrong.
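As an added, stand-alone example (not from this post and not FreeRADIUS project code), the script below builds a throwaway root CA -> intermediate CA -> client certificate chain with the openssl CLI and reproduces the exact condition behind "error 20: unable to get local issuer certificate": the verifying side only has the root, so the client certificate's issuer (the intermediate) cannot be found. It then shows the two ways the intermediate can be made available: passed as an untrusted chain certificate (which is what a TLS peer does when it sends its chain), or placed alongside the root in a hash-named directory, the same layout a cadir/CApath uses and the same links "openssl rehash" or c_rehash create (done by hand here so the naming is visible). It assumes an openssl binary of version 1.1.1 or newer on PATH; all subject names, file names and the pki.cnf sections are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce OpenSSL "error 20"
# (unable to get local issuer certificate) with a throwaway PKI and show
# the two ways the missing intermediate can be supplied.
# Assumes the openssl CLI (1.1.1 or newer) on PATH. All names are constructed.

# Build root CA -> intermediate CA -> client (leaf) certificate inside $1.
make_test_pki() {
    dir=$1
    # Own config so the result does not depend on the system openssl.cnf
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
    # Self-signed root CA (EC keys keep generation fast)
    openssl req -x509 -config "$dir/pki.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # Intermediate CA: CSR signed by the root, CA:TRUE taken from [v3_inter]
    openssl req -new -config "$dir/pki.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/pki.cnf" -extensions v3_inter \
        -out "$dir/inter.crt" 2>/dev/null || return 1
    # Client (supplicant) certificate: CSR signed by the intermediate
    openssl req -new -config "$dir/pki.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=demo client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -extfile "$dir/pki.cnf" -extensions v3_client \
        -out "$dir/client.crt" 2>/dev/null
}

# 1) Verifier holds only the root: the client's issuer (the intermediate) is
#    nowhere to be found, so OpenSSL reports error 20 and exits non-zero.
verify_with_root_only() {
    openssl verify -CAfile "$1/root.crt" "$1/client.crt"
}

# 2) The intermediate is offered as an untrusted chain certificate; the only
#    trust anchor is still the root, and the chain now verifies.
verify_with_untrusted() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/client.crt"
}

# Populate a CApath-style directory: one cert per file plus <subject_hash>.N
# symlinks, which is what "openssl rehash" / c_rehash generate.
rehash_dir() {
    for crt in "$1"/*.crt; do
        h=$(openssl x509 -noout -subject_hash -in "$crt")
        n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$crt")" "$1/$h.$n"
    done
}

# 3) Root and intermediate both live in a hashed directory (a cadir setting
#    points at exactly this kind of directory): issuer lookup by hash succeeds.
verify_with_capath() {
    mkdir -p "$1/cadir" &&
    cp "$1/root.crt" "$1/inter.crt" "$1/cadir/" &&
    rehash_dir "$1/cadir" &&
    openssl verify -CApath "$1/cadir" "$1/client.crt"
}

# Stand-alone demo run
demo=$(mktemp -d)
if make_test_pki "$demo"; then
    echo "--- root only (intermediate missing): expect error 20"
    verify_with_root_only "$demo" 2>&1 || true
    echo "--- root as CAfile, intermediate as -untrusted"
    verify_with_untrusted "$demo"
    echo "--- rehashed CApath holding root and intermediate"
    verify_with_capath "$demo"
fi
rm -rf "$demo"
```

The useful check this gives a RADIUS administrator is to run the server-side store through the same lookup the server performs: "openssl verify -CApath <cadir> client.crt" with no -untrusted and no extra -CAfile mirrors what the server can resolve on its own, and a failure there, or a hashed directory whose <hash>.N links point at stale files, shows up as the same error 20 / unknown_ca the supplicant sees. Note that the intermediate must be resolvable from the verifier's own store or arrive in the peer's chain; having it only in an unrelated directory such as the default system store does not help a verifier that is told to use a specific cadir.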