Hello,

Was a solution ever found for this issue? I have the exact same problem and have not been able to find a solution yet.

When I copy paste the CA public key into Configuration → System Configuration → SSL Certificates → RADIUS → Edit, it returns the error “Failed verifying chain: error stdin: verification failed . Unable to fetch all the intermediates through the information contained in the certificate. You will have to upload the intermediate chain manually in x509 (Apache) format.”

Could someone point me in the right direction?

Best regards,
Pieter

> -----Original message-----
>
> Hi Ludovic,
>
> Thanks for your feedback. Indeed, that is what I was referring to.
> I tested both on Windows 10 and Android 10.
> This is what I did:
> 1. Generate a root CA using Integration > PKI > Certificate Authorities
> 2. Copy the root CA to System Configuration > SSL Certificates > Radius > Certificate Authority
> 3. Create a template
> 4. Create a user cert based on this template
> 5. Export the cert to p12 (thus including the root ca)
> 6. Import the p12 to Windows/Android
>
> Best regards,
> Thijs
>
> On Mon, 1 Feb 2021 at 17:34, Ludovic Zammit <lzam...@inverse.ca> wrote:
>
> > Hello,
> >
> > eap_tls: TLS Alert read:fatal:unknown CA
> >
> > That error means that the client wants to trust the Radius certificate that
> > is installed on PacketFence and does not trust its root CA.
> >
> > To avoid that error, you can first configure a good certificate on the
> > PacketFence Radius service and trust its root CA / install the root CA on
> > the testing device or you can ignore the certificate check.
> >
> > What’s the OS of your testing device?
> >
> > Thanks,
> >
> > Ludovic Zammit
> > lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu/) and PacketFence
> > (http://packetfence.org/)
> >
> > On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <
> > packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi,
> >
> > For a while now, I'm trying to get EAP-TLS working on PacketFence using
> > the built-in PKI.
> > I'm following the installation guide (
> > https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki),
> > but I think I'm still missing something, or doing something wrong:
> >
> > The guide mentions:
> > *Once done copy the certificate in the clipboard from the Certificate
> > Authorities list (Configuration → Integration → PKI → Certificate
> > Authorities and click on Copy Certificate) then edit the RADIUS certificate
> > section in Configuration → System Configuration → SSL Certificates → RADIUS
> > → Edit and paste the public key in "Certificate Authority" and Save. (Don’t
> > forget to restart radiusd-auth)*
> >
> > However, this makes the RADIUS certificate chain invalid:
> > *Failed verifying chain: error stdin: verification failed . Ensure the
> > intermediates certificate file you provided contains all the intermediate
> > certificate authorities in x509 (Apache) format.*
> >
> > Indeed, I can only connect using a generated certificate when choosing not
> > to validate the CA on the end-device. When I ask to verify the CA, this is
> > the error I get in radius.log:
> >
> > *Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user: <username>
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [<username>] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*
> >
> > I tried this on PF 10.0.1 and 10.2.0, same behavior.
> >
> > Any ideas?
> >
> > Thanks!
> > Thijs
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
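
Added example, not part of the thread and not PacketFence code: a shell check, using the standard `openssl verify` command, of whether a RADIUS server certificate chains to a given CA, which is the same trust decision a client makes before it answers with "unknown CA". The CA, subjects and file names are constructed for the demo, and treating the web UI's "Failed verifying chain" check as equivalent to this verification is an assumption.

```shell
#!/bin/sh
# Constructed demo PKI: every subject, file name and key below is made up.

# chain_ok CA_PEM CERT_PEM: exit 0 only if CERT_PEM verifies against CA_PEM.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report CA_PEM CERT_PEM: print "chains" or "does-not-chain".
report() {
    if chain_ok "$1" "$2"; then echo "chains"; else echo "does-not-chain"; fi
}

# make_demo_pki DIR: write a root CA, a server cert it issued, and an
# unrelated self-signed server cert into DIR.
make_demo_pki() {
    d=$1
    # Stand-in for the root CA generated in the built-in PKI.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo PKI Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # RADIUS server certificate issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv_issued.pem" 2>/dev/null
    # Self-signed RADIUS server certificate that the CA never signed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=radius.example.test" \
        -keyout "$d/self.key" -out "$d/srv_selfsigned.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

echo "issued by the CA: $(report "$DEMO_DIR/ca.pem" "$DEMO_DIR/srv_issued.pem")"
echo "self-signed:      $(report "$DEMO_DIR/ca.pem" "$DEMO_DIR/srv_selfsigned.pem")"
# Issuer of each server cert, to compare with the CA's subject by eye.
openssl x509 -in "$DEMO_DIR/srv_issued.pem" -noout -issuer
openssl x509 -in "$DEMO_DIR/srv_selfsigned.pem" -noout -issuer
```

Against real files, `chain_ok` takes the exported CA certificate and the RADIUS server certificate, both in PEM format.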