[RADIATOR] Can't get chain certificates to work

Rianto Wahyudi R.Wahyudi at latrobe.edu.au
Tue Jan 11 05:58:51 CST 2011


Hi Heikki, 

Thank you for your response. 
I did not choose or select any trusted root certification authorities / anchor as I originally thought that windows is smart enough to do it automatically. 

If I select thawte Primary Root CA as trusted anchor the connection seems to be working.
The other problem is that not all clients have that specific thawte certificate installed on their PC.

Do you think I should change certificate provider? If so, do you guys have any recommendation of which SSL provider I should use?
In Windows 7, do you have to select a trusted root certification authority, or will it just work automatically if I use a well known provider? 

Regards,
Rianto 




________________________________________
From: Heikki Vatiainen [hvn at open.com.au]
Sent: Tuesday, 11 January 2011 9:04 PM
To: Rianto Wahyudi
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Can't get chain certificates to work

On 01/11/2011 03:35 AM, Rianto Wahyudi wrote:

Hello Rianto,

> I'm having some difficulties getting the certificate to work correctly.
> I followed instructions from http://www.open.com.au/pipermail/radiator/2010-November/016781.html,
>
> Windows Clients still get prompted with a warning message saying that the certificate can not be trusted :
> ----  The server "eduroam.latrobe.edu.au" presented a valid certificate issued by "thawte Primary Root CA", but "thawte Primary Root CA" is not configured as a valid trust anchor for this profile.

Please send your certificate file (eduroam.crt) or at least the Subject
and Issuer information from it.

Looks like there is either a problem with the certificate chain, missing
or incorrect CA certs, or you have selected incorrect root certificate
in your Windows Client configuration.

Also tell us how you have configured your Windows Client and what you
have selected as a root CA (trust anchor).

> Following is my config file:
>
> EAPTLS_CAFile /etc/radiator/certs/thawte-ssl-ca-bundle.pem
> EAPTLS_CertificateChainFile /etc/radiator/certs/eduroam-combined
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/certs/eduroam.latrobe.edu.au-rsa.key

This looks good. With the above setup, the most important file is
EAPTLS_CertificateChainFile. The order of file contents is important:
the first certificate must be the server certificate followed by the CA
certs. The CA certs can be in any order, but what is important is that
the server cert is the first.

The cat command you have used does this correctly.

The EAPTLS_CAFile must always be specified, but its contents seem not to
be important. It needs to contain a valid CA cert though. This file
matters more if certs are configured without EAPTLS_CertificateChainFile.

> thawte-ssl-ca-bundle.pem contains file from :
> https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem

This bundle seems to have the following two certificates:

Cert 1:
------
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
OU=Certification Services Division, CN=Thawte Premium Server
CA/emailAddress=premium-server at thawte.com

Subject: C=US, O=thawte, Inc., OU=Certification Services Division,
OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary
Root CA

Cert 2:
-------
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c)
2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA

Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA


> eduroam-combined contain :
> cat eduroam.crt thawte-ssl-ca-bundle.pem > eduroam-combined
>
>
> Running eapol_test return following error :
> TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA'
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA' err='unable to get local issuer certificate'
> SSL: (where=0x4008 ret=0x230)
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server certificate B
> OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> SSL: 7 bytes pending from ssl_out
> SSL: Failed - tls_out available to report error
> SSL: 7 bytes left to be sent out (of total 7 bytes)
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL

Best regards,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
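The two rules Heikki gives for EAPTLS_CertificateChainFile (server certificate first, CA certs after it in any order) and the eapol_test failure ("unable to get local issuer certificate") are the kind of thing worth checking before a client ever sees the chain. The script below is an added example written for this archive page; it is not from the thread, from Radiator, or from its documentation. It assumes only the openssl command-line tool, and every file name and CN in it is a constructed placeholder: it extracts the PEM blocks of a combined file, confirms the first block's subject CN is the server name, and then runs openssl verify with the first block as the leaf, the remaining blocks as untrusted intermediates, and the EAPTLS_CAFile as the trust store.

```shell
#!/bin/sh
# Added example (not from the Radiator thread or distribution).
# Checks an EAPTLS_CertificateChainFile the way the thread describes it:
#   1. the server certificate must be the first PEM block, and
#   2. the chain must verify against the CA file (EAPTLS_CAFile).
# Assumes the openssl CLI; all file names and CNs are placeholders.

# Print the N-th (1-based) PEM certificate block of FILE.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Number of PEM certificate blocks in FILE.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject CN of the N-th certificate in FILE (RFC 2253 name form).
cert_cn() {
    nth_cert "$1" "$2" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when the first block of CHAIN has subject CN equal to SERVER_CN,
# i.e. the server cert is first, as Radiator requires.
server_cert_is_first() {
    [ "$(cert_cn "$1" 1)" = "$2" ]
}

# Succeeds when the first block of CHAIN verifies up to a root in CAFILE,
# using the remaining blocks of CHAIN as untrusted intermediates (this is
# roughly what a supplicant such as eapol_test does with the server's chain).
chain_verifies() {
    chain=$1; cafile=$2
    tmp=$(mktemp -d) || return 1
    nth_cert "$chain" 1 > "$tmp/server.pem"
    : > "$tmp/intermediates.pem"
    n=$(cert_count "$chain")
    i=2
    while [ "$i" -le "$n" ]; do
        nth_cert "$chain" "$i" >> "$tmp/intermediates.pem"
        i=$((i + 1))
    done
    if openssl verify -CAfile "$cafile" -untrusted "$tmp/intermediates.pem" \
            "$tmp/server.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check_chain.sh <chain-file> <server-cn> <ca-file>
check_chain() {
    server_cert_is_first "$1" "$2" \
        || { echo "first block is '$(cert_cn "$1" 1)', expected $2"; return 1; }
    chain_verifies "$1" "$3" \
        || { echo "chain does not verify against $3"; return 1; }
    echo "OK: server cert is first and the chain verifies against $3"
}

if [ "$#" -eq 3 ]; then
    check_chain "$1" "$2" "$3"
fi
```

Run it against the combined file with the server's CN and the CA bundle, e.g. `sh check_chain.sh eduroam-combined eduroam.latrobe.edu.au thawte-ssl-ca-bundle.pem`. A combined file built with the CA bundle before the server cert fails the first check; a bundle missing the intermediate that issued the server cert fails the second, which is the "unable to get local issuer certificate" case from the eapol_test output.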

