• 6

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

“Certificate not trusted error” for eap-tls

I'm setting up freeradius as the authentication server for 802.1x. While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert write:fatal:bad certificate
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

  • 0
Reply Report
      • 2
    • I just tried that and it worked fine. I checked the permissions and used openssl s_server under the freerad user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here

Trending Tags