Public bug reported:
Ubuntu release: 26.04 LTS
Packages: network-manager, wpasupplicant (versions attached by apport)
Summary
-------
When an 802.1X (WPA-Enterprise) connection profile references a PEM file
containing multiple CA certificates via 802-1x.ca-cert, NetworkManager passes
the file content to wpa_supplicant over D-Bus as a blob. wpa_supplicant then
loads only the FIRST certificate of the blob into its OpenSSL trust store and
silently ignores the rest. Server certificate verification therefore fails
whenever the RADIUS server's chain is anchored in any certificate other than
the first one in the file.
This breaks the official eduroam CAT installers (cat.eduroam.org), which
deliberately ship a ca.pem containing several roots/intermediates to support
CA migrations. Real-world impact: TU Berlin switched its RADIUS server
certificate from a Telekom-issued to a HARICA-issued one on 2026-06-22. The
CAT ca.pem contains both chains (5 certificates; the old Telekom root happens
to be first), so all Ubuntu clients configured via CAT stopped connecting to
eduroam, and re-running the installer does not help. Other institutions
performing the same DFN-PKI -> HARICA/GEANT migration will be affected
identically.
Steps to reproduce
------------------
1. Create an 802.1X (PEAP/MSCHAPv2) Wi-Fi profile whose 802-1x.ca-cert points
to a PEM file with multiple CA certificates, where the CA actually needed
to verify the server is NOT the first certificate in the file
(e.g. the ca.pem produced by the eduroam CAT installer for TU Berlin).
2. Attempt to connect.
Expected result
---------------
All certificates in the file are added to the trust store (as OpenSSL's
SSL_CTX_load_verify_locations would do for a path), and the connection
succeeds.
Actual result
-------------
Verification fails and NetworkManager repeatedly re-prompts for the password.
wpa_supplicant debug log shows:
OpenSSL: tls_connection_ca_cert - added ca_cert_blob to certificate store
TLS: Certificate verification failed, error 19 (self-signed certificate in
certificate chain) depth 2 for '/C=GR/O=Hellenic Academic and Research
Institutions CA/CN=HARICA TLS RSA Root CA 2021'
wlp0s20f3: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='...
CN=HARICA TLS RSA Root CA 2021' err='self-signed certificate in
certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
The HARICA root named in the error IS present in the referenced ca.pem
(verified with `openssl storeutl`), and the RADIUS server sends a complete
chain. Only the first certificate of the file (T-TeleSec GlobalRoot Class 2)
is effectively trusted.
Workaround
----------
Point 802-1x.ca-cert at a file containing only the required root:
nmcli connection modify eduroam 802-1x.ca-cert /path/to/harica-root-only.pem
After this the connection succeeds with full validation.
Notes
-----
The bug is in the interaction between NetworkManager's blob transfer and
wpa_supplicant's ca_cert_blob handling (single-certificate parse); it may
need fixing in either or both packages. Full wpa_supplicant debug log
available on request.
ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: network-manager 1.54.3-2ubuntu3
ProcVersionSignature: Ubuntu 7.0.0-22.22-generic 7.0.0
Uname: Linux 7.0.0-22-generic x86_64
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul 2 18:00:44 2026
InstallationDate: Installed on 2025-07-08 (359 days ago)
InstallationMedia: Ubuntu 24.04.1 LTS "Noble Numbat" - Release amd64
(20240827.1)
IpRoute:
default via 141.23.192.1 dev wlp0s20f3 proto dhcp src 141.23.214.121 metric
600
141.23.192.0/19 dev wlp0s20f3 proto kernel scope link src 141.23.214.121
metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
SourcePackage: network-manager
UpgradeStatus: Upgraded to resolute on 2026-06-11 (21 days ago)
nmcli-nm:
RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI
WWAN-HW WWAN METERED
running 1.54.3 connected started full enabled enabled
enabled missing disabled no (guessed)
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug resolute wayland-session
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158990
Title:
802.1X: only the first certificate of a multi-certificate ca-cert PEM
file is loaded when NM passes it to wpa_supplicant as a blob — breaks
eduroam CAT profiles
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2158990/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs