Discussion: problem with CA certificate using mschapv2
marcos
2015-01-21 10:10:23 UTC
Hi

I'm checking my configuration using FreeRADIUS 2.2.5 and I detect this error

TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Looking at radiusd.conf, all seems to be correct, but I'm using the TERENA CA and
I'm not sure which CA is the correct one. Does somebody know how to narrow down the
error? Is it not reading the CA? Is the CA not valid?

Thanks
--
For private content :-)
Public key 0x0C05942A895BD10E
Fingerprint 45B9 EC0B 58D5 B17C 8C37 95C3 0C05 942A 895B D10E

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matthew Newton
2015-01-21 11:26:48 UTC
Post by marcos
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The client has got a problem with the CA.
Post by marcos
Looking at radiusd.conf, all seems to be correct, but I'm using the TERENA CA and
I'm not sure which CA is the correct one. Does somebody know how to narrow down the
error? Is it not reading the CA? Is the CA not valid?
Is the CA cert (and all intermediate certs) installed on the
client?

If the intermediate certs are not installed on the client, are you
sending them (in the right order) from the server?

Matthew
--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
marcos
2015-01-21 11:38:31 UTC
Hi

Post by Matthew Newton
Post by marcos
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The client has got a problem with the CA.
Post by marcos
Looking at radiusd.conf, all seems to be correct, but I'm using the TERENA CA and
I'm not sure which CA is the correct one. Does somebody know how to narrow down the
error? Is it not reading the CA? Is the CA not valid?
Is the CA cert (and all intermediate certs) installed on the
client?
Yes, I was installing. The problem is that I don't know how to prepare
Post by Matthew Newton
If the intermediate certs are not installed on the client, are you
sending them (in the right order) from the server?
That is exactly the point where I don't know what to do. I only discovered how
to add the CA, but not the intermediate certificates. Do I need to prepare a
certificate joining all of them, or can I mark them separately?

Thanks
Post by Matthew Newton
Matthew
Matthew Newton
2015-01-21 12:11:40 UTC
Post by marcos
Yes, I was installing. The problem is that I don't know how to prepare
Post by Matthew Newton
If the intermediate certs are not installed on the client, are you
sending them (in the right order) from the server?
That is exactly the point where I don't know what to do. I only discovered how
to add the CA, but not the intermediate certificates. Do I need to prepare a
certificate joining all of them, or can I mark them separately?
Try:

Root CA cert installed on the client device.

.pem certificate file on FreeRADIUS containing (in this order):

RADIUS server certificate
Intermediate certificate

The root CA should not be necessary here to send to the client, as
it already has it and can check the chain it was sent from the
server.

Matthew
marcos
2015-01-21 13:03:35 UTC
Hi

Thanks. The latest information I discovered is that the CA certificate needs to have
the intermediate CA included, but there are no instructions about how to
do that. In FreeRADIUS, do you need to create a ca-bundle file like in Apache?

Thanks

Post by Matthew Newton
Post by marcos
Yes, I was installing. The problem is that I don't know how to prepare
Post by Matthew Newton
If the intermediate certs are not installed on the client, are you
sending them (in the right order) from the server?
That is exactly the point where I don't know what to do. I only discovered how
to add the CA, but not the intermediate certificates. Do I need to prepare a
certificate joining all of them, or can I mark them separately?
Root CA cert installed on the client device.
RADIUS server certificate
Intermediate certificate
The root CA should not be necessary here to send to the client, as
it already has it and can check the chain it was sent from the
server.
Matthew
Matthew Newton
2015-01-21 14:27:04 UTC
Post by marcos
Thanks. The latest information I discovered is that the CA certificate needs to have
the intermediate CA included, but there are no instructions about how to
do that. In FreeRADIUS, do you need to create a ca-bundle file like in Apache?
As I said in the last message - just cat the .pem files together
in the right order.

e.g. it will look something like:

-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----

Matthew
Post by marcos
Post by Matthew Newton
RADIUS server certificate
Intermediate certificate
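Matthew's two replies above describe the bundle FreeRADIUS should present: server certificate first, then each intermediate, with the root kept on the client. The Python below is an added example, not code from this thread or from FreeRADIUS; it checks a concatenated .pem for exactly that order by comparing each certificate's raw DER issuer with the next certificate's subject, using only a minimal DER walk. The three-certificate chain it is fed is constructed by hand and unsigned (hypothetical names), so it exercises the ordering check only.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):
    # Read one DER TLV at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certificates use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    # Split the content of a SEQUENCE/SET into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def subject_issuer(cert_der):
    # Raw DER of (subject, issuer); chain building matches issuer bytes to subject bytes.
    _, cert, _ = tlv(cert_der)
    fields = children(children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                  # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1], fields[2][1]         # serial, sigAlg, issuer, validity, subject, ...

def bundle_problems(pem_text):
    # [] means: server cert first, then intermediates each issued by the next; no self-signed root at the end.
    pairs = [subject_issuer(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = []
    for i, (_, issuer) in enumerate(pairs[:-1]):
        if issuer != pairs[i + 1][0]:
            problems.append(f"cert {i + 1} is not issued by cert {i + 2}: wrong order or missing intermediate")
    if pairs and pairs[-1][0] == pairs[-1][1]:
        problems.append(f"cert {len(pairs)} is self-signed: the root CA does not need to be in this file")
    return problems

# Constructed sample chain: unsigned, X.509-shaped DER built by hand, NOT valid certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length is enough for these samples
def fake_cert(subject_cn, issuer_cn):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
# Server cert, then two intermediates (TERENA had two per the thread); the root stays on the client.
GOOD_BUNDLE = to_pem(fake_cert("radius.example.org", "Inter 2")) + to_pem(fake_cert("Inter 2", "Inter 1")) + to_pem(fake_cert("Inter 1", "Root"))
```

Run bundle_problems() over the contents of the .pem FreeRADIUS is configured to serve; an empty list means the file is in the order Matthew describes.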
marcos
2015-01-21 16:32:17 UTC
Hi

Thanks, I'm receiving new messages from clients, but now it seems that they are
connecting!

I see three certificates; how many do I need to make the connection?

Thanks

Post by Matthew Newton
Post by marcos
Thanks. The latest information I discovered is that the CA certificate needs to have
the intermediate CA included, but there are no instructions about how to
do that. In FreeRADIUS, do you need to create a ca-bundle file like in Apache?
As I said in the last message - just cat the .pem files together
in the right order.
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAg5wAAAHaIoSn5uBGFosNDfw0BAQUFADBeMRrRoLwK
...
Uv7oSKSro7A7Hg3y0vqWa0snndL2mPDlHFrqR9qQ==
-----END CERTIFICATE-----
Matthew
Post by marcos
Post by Matthew Newton
RADIUS server certificate
Intermediate certificate
Alan DeKok
2015-01-21 16:43:14 UTC
Post by marcos
Thanks, I'm receiving new messages from clients, but now it seems that they are
connecting!
That’s good.
Post by marcos
I see three certificates; how many do I need to make the connection?
As many as you configured it to need.

There’s nothing magic here. YOU configured a particular chain of certificates. A CA, client cert, etc. So YOU told it to require those certificates. So if you see three certificates, it’s because they are all needed.

Alan DeKok.

Matthew Newton
2015-01-21 17:15:26 UTC
Post by marcos
I see three certificates
The last time I saw, TERENA had two intermediate certificates, so
three on the server (two intermediates plus the server cert)
sounds right.

Matthew
Alain Péan
2015-01-21 13:12:55 UTC
Post by marcos
Looking at radiusd.conf, all seems to be correct, but I'm using the TERENA CA and
I'm not sure which CA is the correct one. Does somebody know how to narrow down the
error? Is it not reading the CA? Is the CA not valid?
We also use TERENA certificates in our community in France. We use
'AddTrust External CA Root' as the CA. It works without problems.

Alain
--
System/Network Administrator
Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20)
Centre de Recherche Alcatel Data IV - Marcoussis
route de Nozay - 91460 Marcoussis
Tel: 01-69-63-61-34
