Ryfujk

Would an alien lifeform be able to achieve space travel if lacking in vision?

Simulating Exploding Dice

Why not take a picture of a closer black hole?

Can each chord in a progression create its own key?

How to handle characters who are more educated than the author?

Keeping a retro style to sci-fi spaceships?

Word to describe a time interval

Can a flute soloist sit?

Make it rain characters

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?

Is an up-to-date browser secure on an out-of-date OS?

What was the last x86 CPU that did not have the x87 floating-point unit built in?

Windows 10: How to Lock (not sleep) laptop on lid close?

One-dimensional Japanese puzzle

How to support a colleague who finds meetings extremely tiring?

Can the Right Ascension and Argument of Perigee of a spacecraft's orbit keep varying by themselves with time?

Match Roman Numerals

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

Can withdrawing asylum be illegal?

Are there continuous functions who are the same in an interval but differ in at least one other point?

Working through the single responsibility principle (SRP) in Python when calls are expensive

"... to apply for a visa" or "... and applied for a visa"?

Drawing vertical/oblique lines in Metrical tree (tikz-qtree, tipa)

“Certificate not trusted error” for eap-tls

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

1

1

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  

--> verify error:num=27:certificate not trusted 

[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  

TLS Alert write:fatal:bad certificate

    TLS_accept: error in SSLv3 read client certificate B

rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

SSL: SSL_read failed in a system call (-1), TLS session fails.

TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

bumped to the homepage by Community♦ 18 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

1

1

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  

--> verify error:num=27:certificate not trusted 

[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  

TLS Alert write:fatal:bad certificate

    TLS_accept: error in SSLv3 read client certificate B

rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

SSL: SSL_read failed in a system call (-1), TLS session fails.

TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

bumped to the homepage by Community♦ 18 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

I'm setting up freeradius as the authentication server for 802.1x.
While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  

--> verify error:num=27:certificate not trusted 

[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  

TLS Alert write:fatal:bad certificate

    TLS_accept: error in SSLv3 read client certificate B

rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

SSL: SSL_read failed in a system call (-1), TLS session fails.

TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

tls 802.1 freeradius2

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  

--> verify error:num=27:certificate not trusted 

[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  

TLS Alert write:fatal:bad certificate

    TLS_accept: error in SSLv3 read client certificate B

rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

SSL: SSL_read failed in a system call (-1), TLS session fails.

TLS receive handshake failed during operation

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

share|improve this question

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

asked Mar 31 '14 at 5:19

Ben Jaguar MarshallBen Jaguar Marshall

1216

1 Answer
1

active

oldest

votes

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f585551%2fcertificate-not-trusted-error-for-eap-tls%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

0

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here
  
  – Ben Jaguar Marshall
  Mar 31 '14 at 10:10
  

  
  
  
  

add a comment | 

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

share|improve this answer

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196

answered Mar 31 '14 at 5:59

Jenny DJenny D

24.2k116196