Otdfbt

Trademark violation for app?

Is there hard evidence that the grant peer review system performs significantly better than random?

Did Deadpool rescue all of the X-Force?

Putting class ranking in CV, but against dept guidelines

Is grep documentation about ignoring case wrong, since it doesn't ignore case in filenames?

Is CEO the "profession" with the most psychopaths?

How do living politicians protect their readily obtainable signatures from misuse?

How to write this math term? with cases it isn't working

An adverb for when you're not exaggerating

Central Vacuuming: Is it worth it, and how does it compare to normal vacuuming?

What's the meaning of "fortified infraction restraint"?

Chinese Seal on silk painting - what does it mean?

Why is Nikon 1.4g better when Nikon 1.8g is sharper?

Drawing without replacement: why is the order of draw irrelevant?

Sending unknown callers to voice mail automatically?

Why do early math courses focus on the cross sections of a cone and not on other 3D objects?

Selecting user stories during sprint planning

How to react to hostile behavior from a senior developer?

Performance gap between vector<bool> and array

Question about debouncing - delay of state change

What does it mean that physics no longer uses mechanical models to describe phenomena?

Project Euler #1 in C++

How can I reduce the gap between left and right of cdot with a macro?

What is the topology associated with the algebras for the ultrafilter monad?

“Certificate not trusted error” for eap-tls

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

1

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate 
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate 
TLS Alert write:fatal:bad certificate
 TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

add a comment | 

1

1

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate 
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate 
TLS Alert write:fatal:bad certificate
 TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

add a comment | 

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate 
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate 
TLS Alert write:fatal:bad certificate
 TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate 
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate 
TLS Alert write:fatal:bad certificate
 TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

1 Answer
1

active

oldest

votes

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f585551%2fcertificate-not-trusted-error-for-eap-tls%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196