[RADIATOR] Can't get chain certificates to work
Rianto Wahyudi
R.Wahyudi at latrobe.edu.au
Mon Jan 10 19:35:46 CST 2011
Hi All,
I'm having some difficulties getting the certificate to work correctly.
I followed the instructions from http://www.open.com.au/pipermail/radiator/2010-November/016781.html,
but Windows clients still get prompted with a warning message saying that the certificate cannot be trusted:
---- The server "eduroam.latrobe.edu.au" presented a valid certificate issued by "thawte Primary Root CA", but "thawte Primary Root CA" is not configured as a valid trust anchor for this profile.
Following is my config file:
EAPTLS_CAFile /etc/radiator/certs/thawte-ssl-ca-bundle.pem
EAPTLS_CertificateChainFile /etc/radiator/certs/eduroam-combined
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certs/eduroam.latrobe.edu.au-rsa.key
thawte-ssl-ca-bundle.pem contains the file from:
https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem
eduroam-combined contains:
cat eduroam.crt thawte-ssl-ca-bundle.pem > eduroam-combined
Running eapol_test returns the following error:
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA' err='unable to get local issuer certificate'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
How should I make this work?
Regards,
Rianto
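The eapol_test output above is the peer's view of the handshake: the server sends its chain (EAPTLS_CertificateChainFile), and the peer, like any TLS client, tries to link the top of that chain to a root it already holds in its own trust store (the ca_cert of eapol_test, or the root CA selected in a Windows wireless profile). Error 20, "unable to get local issuer certificate", is OpenSSL saying that it walked the server-sent chain to its last certificate and found no issuer for it among the peer's configured trust anchors; nothing in the server's bundle can substitute for that, because certificates received from the server are by definition untrusted input. The script below is an added example, not code from the original post or from Radiator: it builds a throwaway root, intermediate and leaf with openssl (all names, including radius.example.edu and the "Example" CAs, are made up), checks that a combined chain file is in leaf-first order with each issuer matching the next subject, and then reproduces the same error 20 by verifying the server chain against a trust store that lacks the root, next to a run against one that has it. `-untrusted` plays the role of the server-sent chain file and `-CAfile` the role of the peer's trust anchors.

```shell
#!/bin/sh
# Added example (not from the original post or from Radiator): build a
# throwaway root -> intermediate -> leaf chain, check a combined chain file's
# ordering, and reproduce the verifier-side "unable to get local issuer
# certificate" (error 20) seen by eapol_test. Needs only openssl, awk, sed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509v3 extensions: one section for the CA certificates, one for the EAP
# server's leaf. The host name is made up.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
EOF

# make_cert NAME SUBJECT SECTION [ISSUER]: self-signed when ISSUER is omitted.
make_cert() {
  name=$1 subj=$2 sect=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile ext.cnf -extensions "$sect" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile ext.cnf -extensions "$sect" \
      -out "$name.crt" 2>/dev/null
  fi
}

make_cert root  "/CN=Example Root CA"         ca
make_cert inter "/CN=Example Intermediate CA" ca   root
make_cert leaf  "/CN=radius.example.edu"      leaf inter
make_cert other "/CN=Unrelated Root CA"       ca        # a trust store without our root

# What the RADIUS server should hand out: leaf first, then the intermediate.
# The root is not needed here; the peer must already trust it.
cat leaf.crt inter.crt > server-chain.pem
cat inter.crt leaf.crt > backwards.pem                  # deliberately wrong order

# chain_order FILE: "ordered" if certificate N's issuer equals certificate
# N+1's subject for every adjacent pair, else "misordered at N".
chain_order() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
  n=1
  while [ -f "part$((n+1)).pem" ]; do
    iss=$(openssl x509 -in "part$n.pem" -noout -issuer | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "part$((n+1)).pem" -noout -subject | sed 's/^subject= *//')
    [ "$iss" = "$sub" ] || { echo "misordered at $n"; rm -f part*.pem; return 0; }
    n=$((n+1))
  done
  rm -f part*.pem
  echo ordered
}

# verify_chain TRUSTFILE CHAINFILE: emulate the supplicant. CHAINFILE is the
# untrusted material received from the server; TRUSTFILE stands in for the
# peer's trust anchors. Prints "OK" or OpenSSL's reason text (e.g. the error
# 20 text "unable to get local issuer certificate").
verify_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$2" > first.pem   # the leaf
  out=$(openssl verify -CAfile "$1" -untrusted "$2" first.pem 2>&1 || true)
  case $out in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/.*lookup: *//p' | head -n1 ;;
  esac
}

echo "server-chain.pem order:            $(chain_order server-chain.pem)"
echo "backwards.pem order:               $(chain_order backwards.pem)"
echo "verify, root in peer trust store:  $(verify_chain root.crt  server-chain.pem)"
echo "verify, root absent from store:    $(verify_chain other.crt server-chain.pem)"
```

To apply the same checks to a real setup, run chain_order over the file named in EAPTLS_CertificateChainFile and verify_chain with the peer's actual CA file; the depth reported in the error tells you which certificate in the server-sent chain had no trusted issuer.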