Re: Problem Using GoDaddy Wildcard Certificate
Hi Thomas,

Thomas Simmons wrote on 03.03.2013 03:28:
> The certification path for my cert is: My Cert > GoDaddy Secure
> Certification Authority > Go Daddy Class 2 Certification Authority
>
> I added my certificate to the beginning of the chain file provided by
> GoDaddy (used cat to ensure no errors) and pointed certificate_file to this.
> I then selected the "Go Daddy Class 2 Certification Authority" under the
> network profile. When this did not work, I imported the chain file into my
> Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in
> the wifi profile. This also did not work. Lastly, I cleaned up my
> certificate store, split apart the chain file into separate files, imported
> "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected
> the same in the wifi profile, and pointed certificate_file to my cert ONLY.
> Does anyone see a reason this should not work?

Newer Windows versions do a fair bit of automagic when they have to deal with certificates, i.e.

o they do /not/ carry /a complete list of all/ Root-CA certificates that the system will eventually trust; instead they automatically download specific "pre-trusted" Root-CA certificates from some trusted Microsoft update server, once the user - doing a bit of internet browsing - encounters a server certificate that will eventually be validating its trust path to that Root-CA certificate /for the first time/.

o they use the AIA (Authority Information Access) extension in the certificates (if present) to automatically download missing intermediate CA certificates from the URLs specified in the said certificates to auto-complete trust paths.

o they use the CDP (CRL distribution point) extension in the certificates (if present) to automatically download CRLs from the URLs specified in the said certificates.

o they use the AIA (Authority Information Access) extension in the certificates (if present) to automatically ask an OCSP responder for an up-to-date status of the said certificates.

o they cache/store those downloaded bits of information.

My guess is that your Windows system ran into some hen-and-egg problem trying to download these things from the internet while not having a full internet connection.

> Ideas on what to try next?

If you have that same wildcard certificate running on an SSL web server, get your Windows system connected to the Internet and browse to the HTTPS address of that web server *with IE*. Since the system has full Internet access it should download and store/cache all bits it needs to successfully validate your wildcard certificate. You can check the Windows CRL and OCSP cache using

  C:\> certutil -URLCache CRL
  C:\> certutil -URLCache OCSP

Then disconnect the system and try re-connecting it using the supplicant with EAP-TLS authentication. The system should hopefully use the validation info it collected when it was online before, since it is then encountering the same wildcard certificate as before, and accept your RADIUS server certificate. This would at least prove my theory.

I'm not sure if knowing why it is broken will still help you to use your wildcard cert... at least for freshly set-up Windows systems which were never connected to the Internet, or which have never seen your wildcard certificate before when connected to the Internet, it will be difficult.

Just my 2 cents.

Best Regards
Reimer

p.s. You can clear the Windows CRL and OCSP caches using

  C:\> certutil -URLCache CRL delete
  C:\> certutil -URLCache OCSP delete

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem Using GoDaddy Wildcard Certificate
On Sun, Mar 3, 2013 at 10:03 AM, Phil Mayers wrote:
> Try with a private ca first, it'll save cash

I tested using a standard TLD domain cert that I have on-hand. Of course, it works as expected. It appears you are indeed correct - wildcard certs do not work for this purpose under Windows. Thank you all for the help.

> Thomas Simmons wrote:
>> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>>> When you enable "validate...", what are you entering as the server name?
>>> I'm not sure wildcard certs work with eap under windows.
>>
>> Hello Phil,
>>
>> Initially, I unchecked "Connect to these servers" and left this field
>> empty - this is what I did with the self-signed cert that worked. I also
>> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
>> cert to verify this is the problem.
>>
>>> Thomas Simmons wrote:
>>>> Hello All,
>>>>
>>>> I'm trying to get my setup working with a GoDaddy-issued wildcard
>>>> certificate (I understand self-signed is recommended). I don't understand
>>>> why this is not working and appreciate any input. What I have found so far:
>>>>
>>>> Everything works with self-signed certs. With the CA cert imported,
>>>> "Validate server certificate" is not required.
>>>> Everything works with GoDaddy certs on Android.
>>>> Everything works with GoDaddy certs and "Validate ..." unchecked.
>>>
>>> --
>>> Sent from my mobile device, please excuse brevity and typos.
>
> --
> Sent from my mobile device, please excuse brevity and typos.
Re: Problem Using GoDaddy Wildcard Certificate
On Sun, Mar 3, 2013 at 9:09 AM, JDL wrote:
> Thomas,
>
> Most wildcard certificates that I have encountered do NOT include the
> domain, only subdomains. In other words "something.mydomain.com" would
> work but not simply "domain.com". I know you tried the actual CN, but
> perhaps some component is having an issue with the asterisk. If you wanted
> to make another test, you could try using a server name which is similar
> to something.mydomain.com.
>
> Jim L.

Hello Jim,

I tested using foo.mydomain.com, which resulted in the same error. I'm fairly certain Phil is correct that wildcard certs do not work for this purpose under Windows.

> On Mar 3, 2013, at 7:41 AM, Thomas Simmons wrote:
>> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>>> When you enable "validate...", what are you entering as the server name?
>>> I'm not sure wildcard certs work with eap under windows.
>>
>> Hello Phil,
>>
>> Initially, I unchecked "Connect to these servers" and left this field
>> empty - this is what I did with the self-signed cert that worked. I also
>> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
>> cert to verify this is the problem.
>>
>>> Thomas Simmons wrote:
>>>> Hello All,
>>>>
>>>> I'm trying to get my setup working with a GoDaddy-issued wildcard
>>>> certificate (I understand self-signed is recommended). I don't understand
>>>> why this is not working and appreciate any input. What I have found so far:
>>>>
>>>> Everything works with self-signed certs. With the CA cert imported,
>>>> "Validate server certificate" is not required.
>>>> Everything works with GoDaddy certs on Android.
>>>> Everything works with GoDaddy certs and "Validate ..." unchecked.
>>>
>>> --
>>> Sent from my mobile device, please excuse brevity and typos.
Re: Problem Using GoDaddy Wildcard Certificate
Try with a private ca first, it'll save cash

Thomas Simmons wrote:
> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>> When you enable "validate...", what are you entering as the server name?
>> I'm not sure wildcard certs work with eap under windows.
>
> Hello Phil,
>
> Initially, I unchecked "Connect to these servers" and left this field
> empty - this is what I did with the self-signed cert that worked. I also
> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
> cert to verify this is the problem.
>
>> Thomas Simmons wrote:
>>> Hello All,
>>>
>>> I'm trying to get my setup working with a GoDaddy-issued wildcard
>>> certificate (I understand self-signed is recommended). I don't understand
>>> why this is not working and appreciate any input. What I have found so far:
>>>
>>> Everything works with self-signed certs. With the CA cert imported,
>>> "Validate server certificate" is not required.
>>> Everything works with GoDaddy certs on Android.
>>> Everything works with GoDaddy certs and "Validate ..." unchecked.
>>
>> --
>> Sent from my mobile device, please excuse brevity and typos.

--
Sent from my mobile device, please excuse brevity and typos.
Re: Problem Using GoDaddy Wildcard Certificate
Thomas,

Most wildcard certificates that I have encountered do NOT include the domain, only subdomains. In other words "something.mydomain.com" would work but not simply "domain.com". I know you tried the actual CN, but perhaps some component is having an issue with the asterisk. If you wanted to make another test, you could try using a server name which is similar to something.mydomain.com.

Jim L.

On Mar 3, 2013, at 7:41 AM, Thomas Simmons wrote:
> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>> When you enable "validate...", what are you entering as the server name?
>> I'm not sure wildcard certs work with eap under windows.
>
> Hello Phil,
>
> Initially, I unchecked "Connect to these servers" and left this field
> empty - this is what I did with the self-signed cert that worked. I also
> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
> cert to verify this is the problem.
>
>> Thomas Simmons wrote:
>>> Hello All,
>>>
>>> I'm trying to get my setup working with a GoDaddy-issued wildcard
>>> certificate (I understand self-signed is recommended). I don't understand
>>> why this is not working and appreciate any input. What I have found so far:
>>>
>>> Everything works with self-signed certs. With the CA cert imported,
>>> "Validate server certificate" is not required.
>>> Everything works with GoDaddy certs on Android.
>>> Everything works with GoDaddy certs and "Validate ..." unchecked.
>>
>> --
>> Sent from my mobile device, please excuse brevity and typos.
Re: Problem Using GoDaddy Wildcard Certificate
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
> When you enable "validate...", what are you entering as the server name?
> I'm not sure wildcard certs work with eap under windows.

Hello Phil,

Initially, I unchecked "Connect to these servers" and left this field empty - this is what I did with the self-signed cert that worked. I also tried *.mydomain.com (the CN) and domain.com. I can purchase a standard cert to verify this is the problem.

> Thomas Simmons wrote:
>> Hello All,
>>
>> I'm trying to get my setup working with a GoDaddy-issued wildcard
>> certificate (I understand self-signed is recommended). I don't understand
>> why this is not working and appreciate any input. What I have found so far:
>>
>> Everything works with self-signed certs. With the CA cert imported,
>> "Validate server certificate" is not required.
>> Everything works with GoDaddy certs on Android.
>> Everything works with GoDaddy certs and "Validate ..." unchecked.
>
> --
> Sent from my mobile device, please excuse brevity and typos.
Re: Problem Using GoDaddy Wildcard Certificate
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows.

Thomas Simmons wrote:
> Hello All,
>
> I'm trying to get my setup working with a GoDaddy-issued wildcard
> certificate (I understand self-signed is recommended). I don't understand
> why this is not working and appreciate any input. What I have found so far:
>
> Everything works with self-signed certs. With the CA cert imported,
> "Validate server certificate" is not required.
> Everything works with GoDaddy certs on Android.
> Everything works with GoDaddy certs and "Validate ..." unchecked.

--
Sent from my mobile device, please excuse brevity and typos.
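Phil's question about what goes into the server-name field, Jim's remark that a wildcard covers subdomains but not the bare domain, and Thomas's attempts with "*.mydomain.com" and "domain.com" all come down to how a supplicant matches its configured server name against the names in the RADIUS server's certificate. The Python below is an added example, not code from the thread or from FreeRADIUS: it implements the RFC 6125 wildcard matching rules that most validators apply, plus a small emulation of a "Connect to these servers" check. All host names are constructed sample values ("mydomain.com" is the thread's own placeholder). It models only the name-matching rules; whatever extra restriction the Windows EAP supplicant puts on wildcard certificates, which is what Thomas ultimately ran into, is not represented here.

```python
"""
Added example (not from the thread): RFC 6125-style matching of a
supplicant's configured server name against the names in a RADIUS server
certificate. Shows why "*.mydomain.com" covers "foo.mydomain.com" but not
"mydomain.com", and why typing the wildcard CN itself into the server-name
field cannot match. All names below are constructed sample values.
"""

# Returned by server_name_accepted() when the profile has no server-name
# restriction configured (the "Connect to these servers" box unchecked).
ANY_SERVER = "<no server name restriction>"


def valid_hostname(hostname: str) -> bool:
    """A configured reference name must be a plain DNS name: non-empty labels, no '*'."""
    labels = hostname.rstrip(".").split(".")
    return bool(labels) and all(lab and "*" not in lab for lab in labels)


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if the certificate name (a dNSName or the subject CN) covers hostname.

    Rules applied (RFC 6125 section 6.4.3, conservative reading):
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard is allowed only as the entire left-most label ("f*.x.com" is refused);
      - the wildcard stands for exactly one label, so "*.mydomain.com" covers
        "foo.mydomain.com" but neither "mydomain.com" nor "a.b.mydomain.com";
      - wildcards in names with fewer than three labels ("*.com") are refused.
    """
    if not valid_hostname(hostname):
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        if cert_name.count("*") != 1 or cert_labels[0] != "*" or len(cert_labels) < 3:
            return False
    if len(cert_labels) != len(host_labels):
        return False
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))


def server_name_accepted(expected_names, san_dns_names, subject_cn=None):
    """Emulate a supplicant's "Connect to these servers" check.

    expected_names: names the client profile is configured to accept; an empty
                    list means the box is unchecked and any name is accepted.
    san_dns_names:  subjectAltName dNSName entries of the server certificate.
    subject_cn:     subject CN, consulted only when there are no dNSName entries.
    Returns the certificate name that satisfied the check, ANY_SERVER when no
    restriction is configured, or None when the certificate is rejected.
    """
    if not expected_names:
        return ANY_SERVER
    candidates = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    for expected in expected_names:
        for cand in candidates:
            if name_matches(cand, expected):
                return cand
    return None


if __name__ == "__main__":
    # Constructed stand-in for the thread's certificate: CN-only wildcard, no SAN.
    wildcard_cert = {"san": [], "cn": "*.mydomain.com"}
    for configured in (["foo.mydomain.com"], ["mydomain.com"], ["*.mydomain.com"], []):
        hit = server_name_accepted(configured, wildcard_cert["san"], wildcard_cert["cn"])
        verdict = f"accepted via {hit}" if hit else "REJECTED"
        print(f"configured {configured!r:22} -> {verdict}")
```

Running the block prints one verdict per configured name: "foo.mydomain.com" is accepted via the wildcard CN, "mydomain.com" is rejected because the wildcard consumes exactly one label, "*.mydomain.com" is rejected because an asterisk is not a legal reference name, and an empty list is accepted unconditionally, which is the "Validate ..." unchecked case that worked in the thread and is also the configuration a defender should avoid, since it lets any certificate from the trusted CA impersonate the RADIUS server.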
Re: Problem Using GoDaddy Wildcard Certificate
Thomas Simmons wrote:
> On Win 7, with "Validate ..." checked, I receive the following error:
>
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied

The Windows box is refusing to accept the server's certificate.

> The GoDaddy certs appear to have the necessary "XP Extensions". The
> following is reported under "Enhanced Key Usage" when I view the cert in
> Windows:
> Server Authentication (1.3.6.1.5.5.7.3.1)
> Client Authentication (1.3.6.1.5.5.7.3.2)

OK.

> I added my certificate to the beginning of the chain file provided by
> GoDaddy (used cat to ensure no errors) and pointed certificate_file to
> this. I then selected the "Go Daddy Class 2 Certification Authority"
> under the network profile. When this did not work, I imported the chain
> file into my Trusted Root CAs and selected "GoDaddy Secure Certification
> Authority" in the wifi profile. This also did not work. Lastly, I
> cleaned up my certificate store, split apart the chain file
> into separate files, imported "GoDaddy Secure Certification Authority"
> into my Trusted Root CAs, selected the same in the wifi profile, and
> pointed certificate_file to my cert ONLY. Does anyone see a reason this
> should not work? Ideas on what to try next? Thank you.

Ask Microsoft why their software doesn't work.

It sounds like you followed all of the right steps. Maybe you missed something minor (and critical). It's hard to say. There's a lot of magic in SSL.

Alan DeKok.
Problem Using GoDaddy Wildcard Certificate
Hello All,

I'm trying to get my setup working with a GoDaddy-issued wildcard certificate (I understand self-signed is recommended). I don't understand why this is not working and appreciate any input. What I have found so far:

Everything works with self-signed certs. With the CA cert imported, "Validate server certificate" is not required.
Everything works with GoDaddy certs on Android.
Everything works with GoDaddy certs and "Validate ..." unchecked.

On Win 7, with "Validate ..." checked, I receive the following error:

[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state ?
[peap] FAILED processing PEAP: Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

The GoDaddy certs appear to have the necessary "XP Extensions". The following is reported under "Enhanced Key Usage" when I view the cert in Windows:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

Likewise, openssl reports:

$ openssl x509 -in server.crt -text -noout | grep "Web Server"
TLS Web Server Authentication, TLS Web Client Authentication

The certification path for my cert is: My Cert > GoDaddy Secure Certification Authority > Go Daddy Class 2 Certification Authority

I added my certificate to the beginning of the chain file provided by GoDaddy (used cat to ensure no errors) and pointed certificate_file to this. I then selected the "Go Daddy Class 2 Certification Authority" under the network profile. When this did not work, I imported the chain file into my Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in the wifi profile. This also did not work. Lastly, I cleaned up my certificate store, split apart the chain file into separate files, imported "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected the same in the wifi profile, and pointed certificate_file to my cert ONLY.

Does anyone see a reason this should not work? Ideas on what to try next? Thank you.