[RADIATOR] Can't get chain certificates to work

David Zych dmrz at illinois.edu
Thu Nov 4 16:21:35 CDT 2010


On 1:59 PM, Stephen A. Felicetti wrote:
> On Nov 4, 2010, at 3:32 PM, David Zych wrote:
>>
>> I fought with this same issue and eventually discovered that the
>> Radiator documentation is misleading: including both an
>> EAPTLS_CertificateFile (for the server cert) and an
>> EAPTLS_CertificateChainFile (for the intermediate cert) does not work
>> because the underlying call to SSL_CTX_use_certificate_chain_file()
>> expects a *single* file that contains *all* of the necessary certs.
>>
>> What you want to do is put them all in one file with yours on top:
>> cat wirelesscert.pem thawte.SSL123bundle.pem >  fullchain.pem
>>
>> and specify:
>> EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
>>
>> (do not include an EAPTLS_CertificateFile directive)
>
> If I exclude the EAPTLS_CAFile, I get the following error:
>
> Thu Nov  4 16:06:42 2010: ERR: TLS could not load_verify_locations , :
> Thu Nov  4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
> Thu Nov  4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
> Thu Nov  4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context

You still need to specify either an EAPTLS_CAFile or EAPTLS_CAPath (it
doesn't really mean much if you're not using client certs, but as you've
just discovered, TTLS can't initialize without the declaration).
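As an added example (not code from the thread or from Radiator), a POSIX shell helper that builds the single chain file the way David describes (server cert on top, then the intermediate bundle) and then checks that each certificate in the file is issued by the one that follows it, so a chain concatenated in the wrong order is caught before Radiator is restarted. It assumes `openssl` is on the PATH; the file names are placeholders.

```shell
#!/bin/sh
# build_chain OUT SERVER_CERT INTERMEDIATE...
# Concatenate in the order SSL_CTX_use_certificate_chain_file() expects:
# the server (leaf) certificate first, then the intermediate(s).
# e.g. build_chain fullchain.pem wirelesscert.pem thawte.SSL123bundle.pem
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# check_chain FILE
# Split FILE into its PEM certificate blocks (cert.000, cert.001, ...) and
# verify that the issuer of block N equals the subject of block N+1.
# Returns 1 at the first break, which is what a wrong concatenation order
# or a missing intermediate looks like.
check_chain() {
  file=$1
  tmp=$(mktemp -d) || return 1
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert.%03d", d, n - 1) }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$file"
  rc=0; prev_issuer=""
  for c in "$tmp"/cert.*; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    # Strip the "subject=" / "issuer=" labels so the DNs compare directly.
    if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subj#subject=}" ]; then
      echo "chain break at $(basename "$c"): expected issuer ${prev_issuer#issuer=}" >&2
      rc=1; break
    fi
    prev_issuer=$iss
  done
  rm -rf "$tmp"
  return $rc
}
```

The last block's issuer (the root) is not required to be in the file, which matches what the chain file needs: the root belongs in EAPTLS_CAFile, not here.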
