On 01/11/2011 03:35 AM, Rianto Wahyudi wrote:

Hello Rianto,

> I'm having some difficulties getting the certificate to work correctly.
> I followed instructions from
> http://www.open.com.au/pipermail/radiator/2010-November/016781.html,
>
> Windows Clients still get prompted with a warning message saying that the
> certificate can not be trusted:
> ---- The server "eduroam.latrobe.edu.au" presented a valid certificate
> issued by "thawte Primary Root CA", but "thawte Primary Root CA" is not
> configured as a valid trust anchor for this profile.

Please send your certificate file (eduroam.crt) or at least the Subject and
Issuer information from it. Looks like there is either a problem with the
certificate chain, missing or incorrect CA certs, or you have selected an
incorrect root certificate in your Windows Client configuration.

Also tell us how you have configured your Windows Client and what you have
selected as a root CA (trust anchor).

> Following is my config file:
>
> EAPTLS_CAFile /etc/radiator/certs/thawte-ssl-ca-bundle.pem
> EAPTLS_CertificateChainFile /etc/radiator/certs/eduroam-combined
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/certs/eduroam.latrobe.edu.au-rsa.key

This looks good. With the above setup, the most important file is
EAPTLS_CertificateChainFile. The order of file contents is important: the
first certificate must be the server certificate followed by the CA certs.
The CA certs can be in any order, but what is important is that the server
cert is the first. The cat command you have used does this correctly.

The EAPTLS_CAFile must always be specified, but its contents seem not to be
important. It needs to contain a valid CA cert though. This file matters more
if certs are configured without EAPTLS_CertificateChainFile.

> thawte-ssl-ca-bundle.pem contains the file from:
> https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem

This bundle seems to have the following two certificates:

Cert 1:
-------
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA

Cert 2:
-------
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

> eduroam-combined contains:
> cat eduroam.crt thawte-ssl-ca-bundle.pem > eduroam-combined
>
>
> Running eapol_test returns the following error:
> TLS: Certificate verification failed, error 20 (unable to get local issuer
> certificate) depth 2 for '/C=US/O=thawte, Inc./OU=Certification Services
> Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary
> Root CA'
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=thawte,
> Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For
> authorized use only/CN=thawte Primary Root CA' err='unable to get local
> issuer certificate'
> SSL: (where=0x4008 ret=0x230)
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server certificate B
> OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> SSL: 7 bytes pending from ssl_out
> SSL: Failed - tls_out available to report error
> SSL: 7 bytes left to be sent out (of total 7 bytes)
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL

Best regards,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.