[RADIATOR] Can't get chain certificates to work

Stephen A. Felicetti stephen.felicetti at fccc.edu
Thu Nov 4 15:20:18 CDT 2010


If I exclude the EAPTLS_CAFile, I get the following error:

Thu Nov  4 16:06:42 2010: ERR: TLS could not load_verify_locations , : 
Thu Nov  4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Thu Nov  4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
Thu Nov  4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context

Thanks,
Steve


On Nov 4, 2010, at 3:32 PM, David Zych wrote:

> EAPType TTLS
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
> EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem  [enabled]
> EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
> EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
> EAPTLS_PrivateKeyPassword xxxx
>
> I get this error:
>
> Tue Nov  2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1:  23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs.  The
error you're seeing now indicates that your private key doesn't match
the first cert in thawte.SSL123bundle.pem.

What you want to do is put them all in one file with yours on top:
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem

and specify:
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem

(do not include an EAPTLS_CertificateFile directive)

Hope this helps.
David
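As an added shell example (not from the list post, not Radiator's own tooling, assumes openssl is installed), the check David describes: build the single chain file with the server cert on top, confirm the private key matches the FIRST cert in that file (the comparison behind the "key values mismatch" error), and verify the chain up to the root. The make_test_pki helper constructs a throwaway root/intermediate/server set so the checks run offline; all file names and the CN radius.example are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post). Builds the single chain file that
# SSL_CTX_use_certificate_chain_file() expects (server cert first, then the
# intermediates) and checks the key matches the FIRST cert in that file
# before EAPTLS_CertificateChainFile is pointed at it. Needs openssl.

# build_chain SERVER_CERT INTERMEDIATE_BUNDLE OUT: server cert on top.
build_chain() { cat "$1" "$2" > "$3"; }

# first_cert FILE: print only the first PEM certificate block in FILE.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1"
}

# key_matches_chain KEY CHAIN: true if KEY's public key equals that of the
# first cert in CHAIN. A mismatch here is exactly what OpenSSL reports as
# "X509_check_private_key:key values mismatch".
key_matches_chain() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(first_cert "$2" | openssl x509 -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies ROOT CHAIN: true if the first cert in CHAIN builds a path to
# ROOT using the rest of CHAIN as untrusted intermediates, which is what a
# supplicant does with the chain the RADIUS server sends.
chain_verifies() {
    first_cert "$2" > "$2.leaf"
    openssl verify -CAfile "$1" -untrusted "$2" "$2.leaf" >/dev/null 2>&1
}

# make_test_pki DIR: throwaway root -> intermediate -> server certs (constructed
# test data) so the checks above can be exercised offline.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj /CN=Test-Root -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=Test-Intermediate -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=radius.example -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}
```

Run key_matches_chain against the real thawtekey.pem and fullchain.pem before restarting Radiator; if it fails, the server cert is not the first block in the file.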

