Try with ca-server bundle: cat ca.pem server.pem > cabundle.pem
Use that as CAfile and export (appropriate version) to the clients.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, "Vegard Svanberg" <[EMAIL PROTECTED]> wrote:

>* Vegard Svanberg <[EMAIL PROTECTED]> [2008-10-07 12:16]:
>
>> > Perhaps you should bother reading the mysteriously named file README in
>> > /certs directory before asking questions.
>>
>> Seems the file got lost during the transition from 1.x. Thanks!
>
>Hm, something is not working right, but I'm not sure where. Created (ca,
>server, client) certificates per the instructions in the README file.
>Enabled EAP-TLS in eap.conf and verified that paths etc. are correct.
>Then created the client certificate and imported it on the client. -X
>gives me this before it fails:
>
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
> TLS Length 1497
>[tls] Length Included
>[tls] eaptls_verify returned 11
>[tls] <<< TLS 1.0 Handshake [length 0393], Certificate
>--> verify error:num=20:unable to get local issuer certificate
>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
>rlm_eap: SSL error error:140890B2:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>SSL: SSL_read failed in a system call (-1), TLS session fails.
>TLS receive handshake failed during operation
>[tls] eaptls_process returned 4
>[eap] Handler failed in EAP/tls
>[eap] Failed in EAP select
>++[eap] returns invalid
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
>+- entering group REJECT {...}
> expand: %{User-Name} -> testuser2
>
>Also, openssl can't verify the generated client certificate:
>
>$ openssl verify -CAfile ca.pem client.pem
>client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>Oh BTW, there is a small error in the README, on line 132 it reads:
>
>> The users certificate will be in "commonName.pem",
>> i.e. "[EMAIL PROTECTED]".
>
>This is wrong; the Makefile is using emailAddress.
>
>--
>Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
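As an added illustration (not code from either poster, and not part of the FreeRADIUS certs/ README), the script below builds a throw-away test CA with the openssl CLI, reproduces the "error 20 ... unable to get local issuer certificate" failure from the quoted message by verifying a certificate against a CAfile that does not contain its issuer, and then builds the ca.pem + server.pem bundle suggested in the reply and verifies against it. The WORK directory, the function names (make_test_pki, verify_cert, make_bundle) and every certificate it generates are constructed for this example.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' code.
# Requires the openssl command-line tool. Everything under $WORK is
# constructed test data generated on the fly.

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed test CA, an unrelated second CA, and a server and
# client certificate both signed by the test CA.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Second CA that signed nothing here: used to show what openssl
    # reports when the verifying CAfile lacks the real issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    done
}

# verify_cert CAFILE CERT: prints "ok" when CERT chains to a certificate
# in CAFILE; otherwise prints "fail" plus the openssl error number
# (error 20 is "unable to get local issuer certificate"). Always exits 0
# so callers can compare the printed result.
verify_cert() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    num=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1)
    echo "fail${num:+ error=$num}"
    return 0
}

# Build the ca+server bundle from the reply (cat ca.pem server.pem) and
# print its path.
make_bundle() {
    cat "$WORK/ca.pem" "$WORK/server.pem" > "$WORK/cabundle.pem"
    echo "$WORK/cabundle.pem"
}

make_test_pki
echo "client.pem vs ca.pem    : $(verify_cert "$WORK/ca.pem" "$WORK/client.pem")"
echo "client.pem vs other.pem : $(verify_cert "$WORK/other.pem" "$WORK/client.pem")"
BUNDLE=$(make_bundle)
echo "server.pem vs cabundle  : $(verify_cert "$BUNDLE" "$WORK/server.pem")"
```

The second line of output is the same error 20 the poster got from `openssl verify` and that rlm_eap logged as `verify error:num=20` before sending the unknown_ca alert: whatever file is passed as CAfile (or configured as the CA file in eap.conf) has to contain the certificate that actually signed the certificate being checked. A CAfile may hold several PEM certificates back to back, which is why concatenating them as in the reply works.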