I'm setting up freeradius as the authentication server for 802.1x. While testing the config using rad_eap_test, the server returns the following error:

[tls] <<< TLS 1.0 Handshake [length 0491], Certificate  
--> verify error:num=27:certificate not trusted 
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert write:fatal:bad certificate
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Now, I'm not sure which certificate it is referring to. I've created my own CA from which I have issued a server and client certificate. Is there a way of tracking down which certificate is causing the error?

1 Answer

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocation:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CApath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.

Jenny D

I just tried that and it worked fine. I checked the permissions and used *openssl s_server* under the *freerad* user and that worked. I tried putting a bad filename in the config and it didn't run, so I'm thinking the client cert. Not sure where to go from here – Ben Jaguar Marshall Mar 31 '14 at 10:10
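The check the server is failing on is plain X.509 chain validation: the client certificate presented during the EAP-TLS handshake must chain to a CA the server trusts. The script below is an added example, not code from the question or the answer above. It builds a throwaway CA and a client certificate in a temporary directory (all names, paths and subjects are constructed for the example), then runs `openssl verify` against the right CA and against an unrelated one, which is the same test the RADIUS server applies to a client certificate. Running `issuer_of` on the real client certificate and comparing it with the subject of the CA file the server has been given is a quick way to find out which side holds the wrong CA.

```shell
#!/bin/sh
# Added example: verify a client certificate against a CA the way an
# EAP-TLS server must before accepting it. Everything is generated into
# a temp directory; nothing here touches a real PKI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: create a self-signed CA, one client certificate issued
# by it, and a second, unrelated CA (stands in for "server has the wrong
# CA file"). Subjects and paths are constructed for this example.
make_test_pki() {
    # CA key + self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

    # client key + CSR, then sign the CSR with the lab CA
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null

    # unrelated CA that did not issue the client certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# verify_client_cert CAFILE CERT: exit 0 if CERT chains to a CA in
# CAFILE, 1 otherwise. This is the same path validation the RADIUS
# server performs on the certificate the supplicant presents.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# issuer_of CERT: print the issuer DN of a certificate, to compare with
# the subject of the CA file the server has actually been configured with.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# ca_subject CAFILE: print the subject DN of a CA certificate.
ca_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Usage: generate the lab PKI and show the two verification outcomes.
make_test_pki
issuer_of "$WORK/client.pem"
ca_subject "$WORK/ca.pem"
if verify_client_cert "$WORK/ca.pem" "$WORK/client.pem"; then
    echo "client.pem chains to ca.pem: server with this CA file would accept it"
fi
if ! verify_client_cert "$WORK/other.pem" "$WORK/client.pem"; then
    echo "client.pem does not chain to other.pem: server with this CA file would reject it"
fi
```

The `verify error:num=27` line in the question is an OpenSSL X.509 verification error code (27 is `X509_V_ERR_CERT_UNTRUSTED`), so `openssl verify` exercises the same code path as the server and reports the same error numbers when something is wrong with the chain; that makes it a cheaper first step than repeating the full 802.1X exchange.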