
List:       freeradius-users
Subject:    Re: Unknown CA errors
From:       Alan Buxey <A.L.M.Buxey () lboro ! ac ! uk>
Date:       2011-02-23 19:36:06
Message-ID: 20110223193606.GA20732 () lboro ! ac ! uk

Hi,

> In my eap.conf I see the following:
>                         #  This parameter is used only for EAP-TLS,
>                         #  when you issue client certificates.  If you do
>                         #  not use client certificates, and you do not want
>                         #  to permit EAP-TLS authentication, then delete
>                         #  this configuration item.
>                         #CA_file = ${cadir}/ca.pem

                        #  If CA_file (below) is not used, then the
                        #  certificate_file below MUST include not
                        #  only the server certificate, but ALSO all
                        #  of the CA certificates used to sign the
                        #  server certificate.
                        certificate_file = ${certdir}/radius-server.crt

so, if you don't use CA_file then you must have the server cert AND
its CA chained in the certificate_file

> And I'm getting these errors logged from time to time.
> Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA
> Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

the client has tried to use the wrong CA to deal with you.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
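As an added example (not from this thread and not FreeRADIUS project code), the check a practitioner would run on the `certificate_file` from eap.conf when `CA_file` is commented out: confirm the PEM bundle holds more than the server certificate alone, then ask openssl to verify the first certificate in the file against only the CA certificates that follow it. It assumes the server certificate is the first block in the bundle, that `openssl` is on PATH, and that the path passed in is your own `${certdir}/radius-server.crt`; the function names and the temporary-directory layout are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check a FreeRADIUS certificate_file bundle when
# CA_file is unset, so the server cert must ship with its CA chain.
# Assumes: server cert is the first PEM block; openssl is installed.

# Count the CERTIFICATE blocks in a PEM bundle. The pattern begins with
# '-', so '--' keeps grep from reading it as an option.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# With CA_file unset, a bundle holding only one certificate carries no
# chain at all; report that before anything talks TLS.
check_certificate_file() {
    file="$1"
    n=$(count_certs "$file")
    if [ "$n" -lt 2 ]; then
        echo "$file holds $n certificate(s): with CA_file unset it must also carry the CA chain" >&2
        return 1
    fi
    echo "$file holds $n certificates"
    return 0
}

# Split the bundle into cert1.pem (server cert) and cert2.pem, cert3.pem,
# ... (the chain), then verify the leaf using ONLY the chain shipped in
# the file, not the system trust store. Returns 0 when the chain is
# complete, non-zero otherwise.
verify_bundle() {
    bundle="$1"
    tmp="${TMPDIR:-/tmp}/eapchain.$$"
    mkdir -p "$tmp"
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n >= 1 { print > (out) }
    ' "$bundle"
    : > "$tmp/chain.pem"
    for f in "$tmp"/cert[2-9].pem "$tmp"/cert[1-9][0-9].pem; do
        [ -f "$f" ] && cat "$f" >> "$tmp/chain.pem"
    done
    if [ ! -s "$tmp/chain.pem" ]; then
        echo "no CA certificates follow the server certificate in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi
    openssl verify -CAfile "$tmp/chain.pem" "$tmp/cert1.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholder path; substitute your own certdir):
#   check_certificate_file /etc/raddb/certs/radius-server.crt && \
#   verify_bundle /etc/raddb/certs/radius-server.crt
```

`verify_bundle` deliberately points `-CAfile` at the chain extracted from the bundle rather than at the system store: the question is whether the file FreeRADIUS will hand to clients is self-sufficient, and a verification that silently falls back to `/etc/ssl/certs` would hide exactly the gap this thread is about.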