
List:       freeradius-users
Subject:    RE: (pfSense + Android): eap_tls: ERROR: TLS Alert read:fatal:certificate
From:       Tommy Scheunemann <net () arrishq ! net>
Date:       2017-12-27 14:28:42
Message-ID: alpine.BSF.2.21.1712271526260.1248 () apollon ! arrishq ! local

Hi,

a simple:

cat your_server_cert.crt your_root.ca > server.crt

should do it, so the full chain of your root + your server certificate is
provided.
For the client side, exporting the client cert, client private key and your
CA into a PKCS12, then importing it on your Android device should do it.

---
Sent from my iP... nah, sent from my coffee machine

On Wed, 27 Dec 2017, noob wrote:

> Hi,
> 
> Thank you.
> 
> That sounds very complex for a noob like me. How would one do that, "merging the CA
> and the cert into one file"?
> 
> 
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-
> > bounces+reclamezooi=dorfox.com@lists.freeradius.org] On Behalf Of Tommy
> > Scheunemann
> > Sent: woensdag 27 december 2017 11:33
> > To: FreeRadius users mailing list
> > Subject: Re: (pfSense + Android): eap_tls: ERROR: TLS Alert
> > read:fatal:certificate unknown + eap_tls: ERROR: TLS_accept: Failed in SSLv3
> > read client certificate A + eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > 
> > Hi,
> > 
> > Had a similar error recently with Android 7.x + FreeRadius 3.x; the problem was
> > the CA and the Cert FreeRadius presented to the world.
> > The problem was fixed by merging the CA and the Certificate into one file so that
> > FreeRadius provides the complete chain.
> > On the Android side, importing the CA and 2 certs, one for WiFi, one for testing
> > the cert chain with the corresponding options, did the job.
> > 
> > ---
> > Sent from my iP... nah, sent from my coffee machine
> > 
> > On Wed, 27 Dec 2017, noob wrote:
> > 
> > > Hello,
> > > 
> > > 
> > > 
> > > This is FreeRadius 3.0.15 (in the FreeRadius3 package on pfSense 2.3.5-p1).
> > > 
> > > 
> > > 
> > > What has worked fine and suddenly stops working is EAP-TLS, with my
> > > Huawei Honor8 Pro Android 7.0 smartphone.
> > > 
> > > 
> > > 
> > > Small background: my main pfSense box broke down, so I took my backup
> > > pfSense box, reinstalled pfSense, *created new CA certificate, Server
> > > certificate and User certificate*, connected my smartphone with USB
> > > cable to my PC, copied the CA cert and the User cert to the
> > > smartphone, installed them using the normal Android setting for that
> > > ('install certificates from SD card'), configured the Wireless
> > > Connection in Android, in FreeRadius told it to of course use the CA
> > > certificate and the Server certificate, customized the other settings,
> > > and... for 6 hours now I'm trying to get something to work that does not
> > > want to work. But worked yesterday --- and the years before it. Now,
> > > EAP-TLS doesn't work. If I try a simple username and password: that works.
> > > It's simply the certificates that don't work.
> > > 
> > > 
> > > 
> > > Those are the errors:
> > > 
> > > 
> > > 
> > > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS Alert read:fatal:certificate unknown
> > > 
> > > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
> > > 
> > > Wed Dec 27 01:20:58 2017 : ERROR: (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > > 
> > > 
> > > 
> > > Just to make sure: the certificate manager in pfSense generates all
> > > three certificates *and stores them*, and the FreeRadius package
> > > within the same pfSense uses two of these three certificates (once you
> > > point the package to the right certificates you generate,
> > > which I did). Meaning: it's all integrated.
> > > 
> > > 
> > > 
> > > This first error: to whom is the certificate unknown? To the
> > > smartphone? I've imported it 50.000 times again, and again, and again
> > > (really).
> > > 
> > > 
> > > 
> > > I hope somebody can help me, because it all worked for years, and I
> > > have no clue anymore what to do, after all these long hours :(
> > > 
> > > 
> > > 
> > > Thank you,
> > > 
> > > 
> > > 
> > > Bye,
> > > 
> > > 
> > > 
> > > PS I attached the debug log.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
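
The two steps from the reply at the top of this message (server chain file, client PKCS12), as an added example that is not part of the original thread. The helper names build_chain, verify_server and make_p12 and the client file names are assumptions; the demo files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread; helper and file names are assumptions.

# Number of PEM certificate blocks in a file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# build_chain OUT LEAF ISSUER...: the `cat` one-liner with input checks.
# The server (leaf) certificate goes first, then the CA that issued it.
build_chain() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        # Exactly one PEM certificate per input; rejects DER or missing files.
        n=$(count_certs "$f" 2>/dev/null) || true
        if [ "${n:-0}" -ne 1 ]; then
            echo "build_chain: $f is not a single PEM certificate" >&2
            rm -f "$tmp"; return 1
        fi
        # awk terminates every line with \n and strips \r, so a file without
        # a final newline cannot fuse its END line with the next BEGIN line.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# verify_server CA LEAF: check that the server certificate chains to the CA
# installed on the client.
verify_server() { openssl verify -CAfile "$1" "$2"; }

# make_p12 OUT CLIENT_CERT CLIENT_KEY CA: client cert, key and CA in one
# PKCS12 for import on the device; openssl prompts for an export password.
make_p12() { openssl pkcs12 -export -out "$1" -in "$2" -inkey "$3" -certfile "$4"; }

# Demo on constructed placeholder files (not real certificates), written
# without a trailing newline to show the case plain `cat` gets wrong.
demo_dir=$(mktemp -d)
for name in leaf ca; do
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        "CONSTRUCTED-$name" '-----END CERTIFICATE-----' > "$demo_dir/$name.pem"
done
build_chain "$demo_dir/server.crt" "$demo_dir/leaf.pem" "$demo_dir/ca.pem"
echo "certificates in server.crt: $(count_certs "$demo_dir/server.crt")"

# Real use, with the file names from the reply (client names are placeholders):
#   build_chain server.crt your_server_cert.crt your_root.ca
#   verify_server your_root.ca your_server_cert.crt
#   make_p12 client.p12 client.crt client.key your_root.ca
```

If verify_server fails against the CA file that was copied to the phone, the server certificate was not issued by that CA and the client will reject it no matter how the chain file is assembled.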

