Hi,

So I've finally got around to doing some further troubleshooting on this
connection issue via tracing on the Windows machine. It appears that there
is something wrong with the server cert signature that the Windows client
can't verify. I am getting this in the client TLS logs:

[960] 11-17 15:26:06:560: InitializeSecurityContext returned 0x80096004
[960] 11-17 15:26:06:560: Returning error -2146869244
[960] 11-17 15:26:06:560: State change to RecdFinished. Error: 0x80096004

The 80096004 means there is a server signature problem. I noticed that the
captive portal cert is also unverified even though I've installed the server
CA cert into the certificate store. It turns out the captive portal cert is
issued by the localhost interface (127.0.0.1). Is there any way to verify
what server cert is being used by FreeRADIUS? Has anyone successfully
tested the PacketFence PKI with Windows clients?

I'd appreciate any insights as I'd really like to get this functionality
working.

Cheers,

Jonathan

On 10 November 2015 at 09:45, Jonathan Mahady <jonathan.mah...@gmail.com>
wrote:

> Hi,
>
> I'm having an issue with the assignment of certificates using the
> packetfence PKI plugin. The plugin resides on the same box as Packetfence.
> The distro is Debian Wheezy and the version of packetfence is 5.4. I've
> configured the CA, the templates and a radius server cert. I've then added
> the PKI details into PacketFence but when I try to onboard a test user the
> certificate assignment fails with the error that the certificate server
> cannot be reached. I've trawled through the logs and this is a section of the
> error it's reporting:
>
> "<div id="summary">
>   <h1>Error at /pki/cert/rest/get/denver/</h1>
>   <pre class="exception_value">[(&#39;asn1 encoding routines&#39;,
> &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;), (&#39;X509 V3
> routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;, &#39;invalid object
> identifier&#39;), (&#39;X509 V3 routines&#39;, &#39;X509V3_EXT_nconf&#39;,
> &#39;error in extension&#39;)]</pre>
>   <table class="meta">
>
>     <tr>
>       <th>Request Method:</th>
>       <td>POST</td>
>     </tr>
>     <tr>
>       <th>Request URL:</th>
>       <td>https://127.0.0.1:9393/pki/cert/rest/get/denver/</td>
>     </tr>
>
>     <tr>
>       <th>Django Version:</th>
>       <td>1.7.1</td>
>     </tr>
>
>     <tr>
>       <th>Exception Type:</th>
>       <td>Error</td>
>     </tr>
>
>
>     <tr>
>       <th>Exception Value:</th>
>       <td><pre>[(&#39;asn1 encoding routines&#39;,
> &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;), (&#39;X509 V3
> routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;, &#39;invalid object
> identifier&#39;), (&#39;X509 V3 routines&#39;, &#39;X509V3_EXT_nconf&#39;,
> &#39;error in extension&#39;)]</pre></td>
>     </tr>
>
>
>     <tr>
>       <th>Exception Location:</th>
>       <td>/usr/local/packetfence-pki/pki/models.py in sign, line 328</td>
>     </tr>
>
>     <tr>
>       <th>Python Executable:</th>
>       <td>/usr/bin/python</td>
>     </tr>
>     <tr>
>       <th>Python Version:</th>
>       <td>2.7.3</td>
>     </tr>
>     <tr>
>       <th>Python Path:</th>
>       <td><pre>[&#39;/usr/lib/python2.7&#39;,
>  &#39;/usr/lib/python2.7/plat-linux2&#39;,
>  &#39;/usr/lib/python2.7/lib-tk&#39;,
>  &#39;/usr/lib/python2.7/lib-old&#39;,
>  &#39;/usr/lib/python2.7/lib-dynload&#39;,
>  &#39;/usr/local/lib/python2.7/dist-packages&#39;,
>  &#39;/usr/lib/python2.7/dist-packages&#39;,
>  &#39;/usr/lib/python2.7/dist-packages/PIL&#39;,
> "
>
> The cert does get generated as I can see it in the packetfence PKI gui but
> it doesn't get assigned to the user. I'm not sure what the issue is as I'm
> not great with this REST API/Python stuff. I would be extremely grateful
> for any advice or pointers.
>
> Cheers,
>
> Jonathan
>
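The "first num too large" in the quoted traceback comes from OpenSSL's a2d_ASN1_OBJECT, which rejects a dotted OID whose first arc is greater than 2; V2I_EXTENDED_KEY_USAGE then reports "invalid object identifier", so the extendedKeyUsage values in the PKI template are the first thing to inspect. The following is an added example, not PacketFence or OpenSSL code: it applies the same arc rules to constructed template values and DER-encodes the ones that pass.

```python
"""Check extendedKeyUsage OID strings with the arc rules OpenSSL applies."""
import re

# Named EKU values OpenSSL resolves before falling back to a dotted OID.
KNOWN_EKU_NAMES = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
}


def check_oid(text):
    """Return (ok, reason) for a dotted OID string.

    Rules mirrored from a2d_ASN1_OBJECT: the first arc must be 0, 1 or 2,
    and when it is 0 or 1 the second arc must be below 40. Anything that
    is not a dotted list of integers gets the generic reason OpenSSL's
    extension parser reports. Reason strings are this example's own."""
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return False, "invalid object identifier"
    arcs = [int(a) for a in text.split(".")]
    if arcs[0] > 2:
        return False, "first num too large"
    if arcs[0] < 2 and arcs[1] >= 40:
        return False, "second num too large"
    return True, "ok"


def encode_oid(text):
    """DER-encode a dotted OID: first two arcs packed as 40*a+b, then base-128."""
    ok, reason = check_oid(text)
    if not ok:
        raise ValueError(reason)
    arcs = [int(a) for a in text.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in values:
        chunk = [v & 0x7F]  # low 7 bits last, continuation bit on the rest
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def check_eku_line(line):
    """Validate one comma-separated extendedKeyUsage template value."""
    results = {}
    for item in (s.strip() for s in line.split(",")):
        results[item] = check_oid(KNOWN_EKU_NAMES.get(item, item))
    return results


# Constructed template values: the second one reproduces the quoted error.
TEMPLATE_EKU_VALUES = ["serverAuth, clientAuth", "serverAuth, 3.1.2"]
```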
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users