[RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed

Heikki Vatiainen hvn at open.com.au
Thu Dec 15 04:56:37 CST 2011

On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted
> before is the complete config (I only cut the descriptions and the lines that
> were commented out).


> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CA's. The CA-files are all stored in
> the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a
> certificate. Is there any need to use the CA-files directly instead of the
> CAPath?

If you use CAPath, the certificate files are accessed by CA subject name
hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root     20 2011-10-13 16:42 ddc328ff.0 ->

See this for how to use the c_rehash command to create the links:

Instead of using TLS_CAPath you can put all CA certificates in one file
and point TLS_CAFile to that file. That might be easier than maintaining
the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap
> server (this works!), but we have to use TLS for radsec with the toplevel
> server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP
connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and
TTLS inner authentication via RADIUS?


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
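The CAPath lookup described in the reply above, as an added example that is not part of the original post and not Radiator's own code. It builds a three-level CA chain like the one in the thread (root, intermediate, issuing CA) plus a server certificate, then does what c_rehash does by hand: links each CA under its subject-name hash. It verifies the server certificate three ways: a CApath holding only the top-level CA (fails, because OpenSSL cannot find the intermediate or issuing CA by hash, the same "certificate verify failed" outcome), a CApath holding all three CAs (succeeds), and a single concatenated bundle of the kind TLS_CAFile points to (succeeds). The CA names, file names and the temporary working directory are assumptions for the demo; it needs only the openssl CLI (1.1.x or 3.x).

```shell
#!/bin/sh
# Added example, not code from the original post or from Radiator. Builds a
# three-level CA chain and shows why a TLS_CAPath directory needs a
# subject-hash link for EVERY CA in the chain, and how a TLS_CAFile bundle
# avoids the issue. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)            # assumption: absolute scratch dir for the demo
CFG="$WORK/ext.cnf"

# Extension sections for CA and leaf certificates (plain openssl config syntax).
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_cert NAME SUBJECT ISSUER EXT: issue $NAME.crt signed by $ISSUER
# (self-signed when ISSUER is "self") using extension section EXT.
new_cert() {
  name=$1; subj=$2; issuer=$3; ext=$4
  if [ "$issuer" = self ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -out "$WORK/$name.crt" -days 2 -subj "$subj" \
      -config "$CFG" -extensions "$ext" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -out "$WORK/$name.csr" -subj "$subj" -config "$CFG" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -out "$WORK/$name.crt" \
      -days 2 -extfile "$CFG" -extensions "$ext" 2>/dev/null
  fi
}

# add_to_capath DIR CERT: what c_rehash does for one file. OpenSSL looks a
# CA up in a CApath under <subject-name-hash>.<n>, so create that link; the
# loop picks the next free suffix if two subjects hash to the same value.
add_to_capath() {
  dir=$1; cert=$2
  h=$(openssl x509 -in "$cert" -noout -hash)
  n=0
  while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
  ln -s "$cert" "$dir/$h.$n"
}

# verify_capath DIR CERT / verify_cafile FILE CERT: exit 0 when openssl can
# build a trusted chain for CERT, non-zero otherwise (what the TLS peer does).
verify_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

new_cert root    "/CN=Example Root CA"         self    ca_ext
new_cert inter   "/CN=Example Intermediate CA" root    ca_ext
new_cert issuing "/CN=Example Issuing CA"      inter   ca_ext
new_cert server  "/CN=radsec.example.org"      issuing leaf_ext

# CApath with only the top-level CA hashed: the intermediate and issuing CA
# cannot be found by hash, so the chain cannot be built and verify fails.
mkdir "$WORK/capath-root-only"
add_to_capath "$WORK/capath-root-only" "$WORK/root.crt"

# CApath with every CA in the chain hashed: verify succeeds.
mkdir "$WORK/capath-all"
for ca in root inter issuing; do add_to_capath "$WORK/capath-all" "$WORK/$ca.crt"; done

# TLS_CAFile alternative: one bundle holding all CA certificates, no links.
cat "$WORK/root.crt" "$WORK/inter.crt" "$WORK/issuing.crt" > "$WORK/ca-bundle.pem"

for case in capath-root-only capath-all; do
  if verify_capath "$WORK/$case" "$WORK/server.crt"; then echo "$case: verify OK"
  else echo "$case: certificate verify failed"; fi
done
if verify_cafile "$WORK/ca-bundle.pem" "$WORK/server.crt"; then echo "ca-bundle.pem: verify OK"; fi
ls -l "$WORK/capath-all"
```

The `ls` at the end shows the `<hash>.0 -> /path/to/ca.crt` links the reply refers to. Whenever a CA certificate in the directory is replaced or renewed, its link must be recreated (the hash is over the subject name, so a renewed certificate with the same subject keeps its hash, but a new intermediate with a different name needs a new link), which is the maintenance burden that a single TLS_CAFile bundle avoids.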
