Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread tnt
That's just the ad-hoc solution for the error you reported (error 20 -
incomplete chain). It might not be the best way of doing things. I
don't use certificates that much. Others might know a better way of
sorting this out.

Ivan Kalik
Kalik Informatika ISP


On 8/10/2008, "Vegard Svanberg" <[EMAIL PROTECTED]> wrote:

>* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-10-08 15:03]:
>
>> Try with ca-server bundle:
>>
>> cat ca.pem server.pem > cabundle.pem
>>
>> Use that as CAfile and export (appropriate version) to the clients.
>
>Worked great, thanks!
>
>Perhaps the Makefile should be updated?
>
>--
>Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
>
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread Vegard Svanberg
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-10-08 15:03]:

> Try with ca-server bundle:
> 
> cat ca.pem server.pem > cabundle.pem
> 
> Use that as CAfile and export (appropriate version) to the clients.

Worked great, thanks!

Perhaps the Makefile should be updated?

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread tnt
Try with ca-server bundle:

cat ca.pem server.pem > cabundle.pem

Use that as CAfile and export (appropriate version) to the clients.

Ivan Kalik
Kalik Informatika ISP


On 8/10/2008, "Vegard Svanberg" <[EMAIL PROTECTED]> wrote:

>* Vegard Svanberg <[EMAIL PROTECTED]> [2008-10-07 12:16]:
>
>> > Perhaps you should bother reading the mysteriously named file README in
>> > /certs directory before asking questions.
>>
>> Seems the file got lost during the transition from 1.x. Thanks!
>
>Hm, something is not working right, but I'm not sure where. Created (ca,
>server, client) certificates per the instructions in the README file.
>Enabled EAP-TLS in eap.conf and verified that paths etc are correct.
>Then created the client certificate and imported it on the client. -X
>gives me this before it fails:
>
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
>  TLS Length 1497
>[tls] Length Included
>[tls] eaptls_verify returned 11
>[tls] <<< TLS 1.0 Handshake [length 0393], Certificate
>--> verify error:num=20:unable to get local issuer certificate
>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>TLS Alert write:fatal:unknown CA
>TLS_accept:error in SSLv3 read client certificate B
>rlm_eap: SSL error error:140890B2:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>SSL: SSL_read failed in a system call (-1), TLS session fails.
>TLS receive handshake failed during operation
>[tls] eaptls_process returned 4
>[eap] Handler failed in EAP/tls
>[eap] Failed in EAP select
>++[eap] returns invalid
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
>+- entering group REJECT {...}
>expand: %{User-Name} -> testuser2
>
>Also, openssl can't verify the generated client certificate:
>
>$ openssl verify -CAfile ca.pem client.pem
>client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>Oh BTW, there is a small error in the README, on line 132 it reads:
>
>> The users certificate will be in "commonName.pem",
>> i.e. "[EMAIL PROTECTED]".
>
>This is wrong; the Makefile is using emailAddress.
>
>--
>Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
>
>
>



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread Vegard Svanberg
* Vegard Svanberg <[EMAIL PROTECTED]> [2008-10-07 12:16]:

> > Perhaps you should bother reading the mysteriously named file README in
> > /certs directory before asking questions.
> 
> Seems the file got lost during the transition from 1.x. Thanks!

Hm, something is not working right, but I'm not sure where. Created (ca,
server, client) certificates per the instructions in the README file.
Enabled EAP-TLS in eap.conf and verified that paths etc are correct.
Then created the client certificate and imported it on the client. -X
gives me this before it fails:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1497
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 0393], Certificate  
--> verify error:num=20:unable to get local issuer certificate 
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert write:fatal:unknown CA 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> testuser2

Also, openssl can't verify the generated client certificate:

$ openssl verify -CAfile ca.pem client.pem
client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Oh BTW, there is a small error in the README, on line 132 it reads:

> The users certificate will be in "commonName.pem",
> i.e. "[EMAIL PROTECTED]".

This is wrong; the Makefile is using emailAddress.

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]

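The chain failure shown in this message (openssl verify error 20, "unable to get local issuer certificate") and the CA-bundle workaround Ivan suggests elsewhere in the thread, as an added shell example that is not part of the thread and not the FreeRADIUS certs Makefile's own code. It builds a throw-away PKI in which a hypothetical intermediate CA issues the client certificate (a layout chosen because it reproduces error 20; the thread itself does not say why its own chain was incomplete), then shows that verifying against the root alone fails with error 20, while supplying the missing issuer, either concatenated into the CAfile as in the thread or passed as -untrusted, succeeds. All names, files and the `issue` helper are constructed for this example; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL verify "error 20" with a
# two-level chain (root CA -> hypothetical intermediate CA -> client) and show
# the two ways to give the verifier the missing issuer. All names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed helper: issue a certificate from a CSR with the given signer and
# extension file (wraps "openssl x509 -req").
issue() {  # issue <csr> <ca-cert> <ca-key> <out> <extfile>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -days 2 -extfile "$5" >/dev/null 2>&1
}

# Build the throw-away PKI inside $WORK (subshell so the cd does not leak).
make_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ee.ext

  # Self-signed root CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in ca.csr -signkey ca.key -out ca.pem -days 2 \
    -extfile ca.ext >/dev/null 2>&1

  # Intermediate CA signed by the root; it must itself carry CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  issue inter.csr ca.pem ca.key inter.pem ca.ext

  # Client certificate issued by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=testuser2" >/dev/null 2>&1
  issue client.csr inter.pem inter.key client.pem ee.ext
)

# Each verify_* function returns openssl's exit status: 0 = chain built, non-zero = failed.

# Root alone: the client's issuer (the intermediate) is nowhere in the trust store,
# so the chain cannot even be started. This is the error 20 case from the thread.
verify_root_only() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# The thread's workaround: concatenate the issuers into one CAfile. Note that every
# certificate in that file becomes a trust anchor, the intermediate included.
verify_with_bundle() {
  cat "$WORK/ca.pem" "$WORK/inter.pem" > "$WORK/cabundle.pem"
  openssl verify -CAfile "$WORK/cabundle.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# Tidier alternative: keep only the root trusted and hand the intermediate to the
# verifier as untrusted chain material that must itself chain up to the root.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

# Numeric verify error for the root-only case (line "error 20 at 0 depth ...").
root_only_error_num() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1
}

make_pki
if verify_root_only; then
  echo "root only: OK (unexpected)"
else
  echo "root only: FAILED with verify error $(root_only_error_num)"
fi
if verify_with_bundle; then echo "root+intermediate bundle as CAfile: OK"; fi
if verify_with_untrusted; then echo "root as CAfile, intermediate as -untrusted: OK"; fi
```

Both fixes make the verifier see the whole chain, which is what the EAP-TLS server needs when it checks the client's certificate. The difference is what ends up trusted: a concatenated CAfile turns every certificate in it into a trust anchor, whereas -untrusted leaves only the root as an anchor and merely lets the verifier use the intermediate to build the path. Checking the offline `openssl verify` result before touching eap.conf, as done in the thread, isolates a PKI problem from a RADIUS configuration problem.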


Re: CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-10-07 12:13]:

> Perhaps you should bother reading the mysteriously named file README in
> /certs directory before asking questions.

Seems the file got lost during the transition from 1.x. Thanks!

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread tnt
Perhaps you should bother reading the mysteriously named file README in
/certs directory before asking questions.

Ivan Kalik
Kalik Informatika ISP


On 7/10/2008, "Vegard Svanberg" <[EMAIL PROTECTED]> wrote:

>The CA.all and CA.certs scripts seem to not be included in the
>Freeradius 2.x tarball anymore. Have they just been forgotten, or have
>they been replaced by other scripts, or are there other recommended ways
>of handling/generating certs in 2.x?
>
>--
>Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
>
>
>



CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
The CA.all and CA.certs scripts seem to not be included in the
Freeradius 2.x tarball anymore. Have they just been forgotten, or have
they been replaced by other scripts, or are there other recommended ways
of handling/generating certs in 2.x?

-- 
Vegard Svanberg <[EMAIL PROTECTED]> [EMAIL PROTECTED] (EFnet)]
