[RADIATOR] Can't get chain certificates to work
Stephen A. Felicetti
2010-11-04 12:30:42 UTC
Hello,

I'm currently running Radiator 4.7 on SUSE Linux with OpenSSL 0.9.8h.
I've had this running for years without any problems (albeit different versions).
Now that I have to begin using Chain Certificates with my CA, I'm stuck.
I know for a fact that my private key and server certificate share the same modulus and exponent. The private key also works fine.
I was also given all the correct CA and Chain certificates from Thawte, so I'm confident I'm OK there.
The certificates work fine when installed on a Cisco ACS server.
I also tried another set of certificates from Entrust, and received the same exact errors.
The only way I can get this configuration to work with the new certificates is to use configuration #1, and not have the wireless client validate the server cert. Obviously, not a solution.

Any help or suggestions are greatly appreciated.

Configuration #1:

EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
#EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [disabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx

I get this error, which I would expect to receive without a chain cert in the configuration and the client wanting to validate the server cert.

Tue Nov 2 12:02:35 2010: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
Tue Nov 2 12:02:35 2010: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: INFO: Access rejected for tsd7notebook: EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca



Configuration #2:

EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx

I get this error:

Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


Thanks,
Steve

Stephen A Felicetti
Fox Chase Cancer Center
Director, Information Security
stephen.felicetti at fccc.edu
215-728-2956



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20101104/f4518c1c/attachment.html
Andrew D. Clark
2010-11-04 16:50:02 UTC
I had trouble getting this to work as well. The problem turned out to be the
order of certificates in the chain. They usually come, from top to bottom in
the file, root CA, signing CA, your cert. It looks like the way Radiator
wants it is your cert, followed by the signing CA. Try reversing the order of
certs in your file and see if it works.

--
Andrew Clark
Post by Stephen A. Felicetti
Hello,
I'm currently running Radiator 4.7 on SUSE Linux with OpenSSL 0.9.8h.
I've had this running for years without any problems (albeit different
versions). Now that I have to begin using Chain Certificates with my CA,
I'm stuck. I know for a fact that my private key and server
certificate share the same modulus and exponent. The private key also
works fine. I was also given all the correct CA and Chain certificates
from Thawte, so I'm confident I'm OK there. The certificates work fine
when installed on a Cisco ACS server.
I also tried another set of certificates from Entrust, and received the
same exact errors. The only way I can get this configuration to work with
the new certificates is to use configuration #1, and not have the wireless
client validate the server cert. Obviously, not a solution.
Any help or suggestions are greatly appreciated.
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
#EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [disabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
I get this error, which I would expect to receive without a chain cert in
the configuration and the client wanting to validate the server cert.
Tue Nov 2 12:02:35 2010: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
Tue Nov 2 12:02:35 2010: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: INFO: Access rejected for tsd7notebook: EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Thanks,
Steve
Stephen A Felicetti
Fox Chase Cancer Center
Director, Information Security
stephen.felicetti at fccc.edu
215-728-2956
Stephen A. Felicetti
2010-11-04 18:59:53 UTC
Thanks for the response. But, I continue to get the "X509_check_private_key:key values mismatch" anytime I use the certificatechain configuration line. I've tried many combinations of certificates in the file, with all the same results.


On Nov 4, 2010, at 12:50 PM, Andrew D. Clark wrote:

I had trouble getting this to work as well. The problem turned out to be the
order of certificates in the chain. They usually come, from top to bottom in
the file, root CA, signing CA, your cert. It looks like the way Radiator
wants it is your cert, followed by the signing CA. Try reversing the order of
certs in your file and see if it works.

--
Andrew Clark
Post by Stephen A. Felicetti
Hello,
I'm currently running Radiator 4.7 on SUSE Linux with OpenSSL 0.9.8h.
I've had this running for years without any problems (albeit different
versions). Now that I have to begin using Chain Certificates with my CA,
I'm stuck. I know for a fact that my private key and server
certificate share the same modulus and exponent. The private key also
works fine. I was also given all the correct CA and Chain certificates
from Thawte, so I'm confident I'm OK there. The certificates work fine
when installed on a Cisco ACS server.
I also tried another set of certificates from Entrust, and received the
same exact errors. The only way I can get this configuration to work with
the new certificates is to use configuration #1, and not have the wireless
client validate the server cert. Obviously, not a solution.
Any help or suggestions are greatly appreciated.
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
#EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [disabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
I get this error, which I would expect to receive without a chain cert in
the configuration and the client wanting to validate the server cert.
Tue Nov 2 12:02:35 2010: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
Tue Nov 2 12:02:35 2010: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 2 12:02:35 2010: INFO: Access rejected for tsd7notebook: EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Thanks,
Steve
Stephen A Felicetti
Fox Chase Cancer Center
Director, Information Security
stephen.felicetti at fccc.edu
215-728-2956
David Zych
2010-11-04 19:32:45 UTC
Post by Stephen A. Felicetti
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs. The
error you're seeing now indicates that your private key doesn't match
the first cert in thawte.SSL123bundle.pem.

What you want to do is put them all in one file with yours on top:
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem

and specify:
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem

(do not include an EAPTLS_CertificateFile directive)

Hope this helps.
David
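The two things David and Andrew describe, that the private key is checked against the first PEM block of the chain file and that the file must therefore start with the server certificate followed by the CA that signed it, can be reproduced with the openssl CLI before touching the Radiator configuration. The script below is an added example, not code from the thread or from Radiator: it builds its own throwaway root, issuing CA and server certificate (the names "Constructed Root CA", "Constructed Issuing CA", "radius.example.test" and the file names wrong_order.pem and fullchain.pem are constructed for the example), then runs the key-match and chain checks against a correctly ordered bundle and a mis-ordered one.

```shell
#!/bin/sh
# Added example (not from the thread or from Radiator): build a throwaway
# root -> issuing CA -> server chain with the openssl CLI, then run the two
# checks behind the errors discussed above. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: self-signed root, issuing (intermediate) CA signed by
# the root, server certificate signed by the issuing CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out issuing.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=radius.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
    -days 30 -sha256 -out server.pem 2>/dev/null

# SSL_CTX_use_certificate_chain_file() takes the FIRST PEM block as the server
# certificate and checks the private key against that block only. "openssl x509"
# likewise reads only the first block, so comparing moduli reproduces that check.
# Prints "match" or "MISMATCH".   $1 = chain file, $2 = private key file
key_matches_first_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus)
    [ "$cert_mod" = "$key_mod" ] && echo match || echo MISMATCH
}

# Walk from the first block up to the trusted root, using the remaining blocks
# of the same file as the untrusted intermediates (what the client does when it
# validates the server). Prints "ok" or "FAIL".   $1 = chain file, $2 = root file
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1 \
        && echo ok || echo FAIL
}

# Vendor bundle on top, server cert below: the layout that produced
# "X509_check_private_key:key values mismatch" in the thread.
cat issuing.pem server.pem > wrong_order.pem
# The fix from the thread: your certificate first, then the CA that signed it.
cat server.pem issuing.pem > fullchain.pem

# Stand-alone run: report both layouts, plus the server cert with no chain at all
# (the "unknown ca" case: the client cannot reach the root from the leaf alone).
for f in wrong_order.pem fullchain.pem server.pem; do
    echo "$f: key vs first cert = $(key_matches_first_cert "$f" server.key)," \
         "chain = $(chain_verifies "$f" root.pem)"
done
```

Run it as a plain sh script; it needs only the openssl binary. fullchain.pem passes both checks, wrong_order.pem fails the key check because its first block is the issuing CA's certificate, and server.pem on its own fails the chain walk because no intermediate is available, which is the server-side view of the client's "tlsv1 alert unknown ca". Note that `openssl verify` only examines the first block of the file it is given, so a mis-ordered file whose first block happens to be a valid CA certificate still verifies; the modulus comparison is the check that catches the ordering mistake.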
Stephen A. Felicetti
2010-11-04 20:20:18 UTC
If I exclude the EAPTLS_CAFile, I get the following error:

Thu Nov 4 16:06:42 2010: ERR: TLS could not load_verify_locations , :
Thu Nov 4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context

Thanks,
Steve
Post by Stephen A. Felicetti
EAPType TTLS
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx
Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs. The
error you're seeing now indicates that your private key doesn't match
the first cert in thawte.SSL123bundle.pem.

What you want to do is put them all in one file with yours on top:
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem

and specify:
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem

(do not include an EAPTLS_CertificateFile directive)

Hope this helps.
David


David Zych
2010-11-04 21:21:35 UTC
Post by Stephen A. Felicetti
Post by David Zych
I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs.
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
(do not include an EAPTLS_CertificateFile directive)
Thu Nov 4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context
You still need to specify either an EAPTLS_CAFile or EAPTLS_CAPath (it
doesn't really mean much if you're not using client certs, but as you've
just discovered, TTLS can't initialize without the declaration).
Stephen A. Felicetti
2010-11-05 13:50:45 UTC
Success!!!

David, per your suggestion, I added: EAPTLS_CAPath %D/certificates/cert/ca
Andrew, per your suggestion, I placed the server cert first inline in the chain cert file. So server cert first, then chain cert second.

Many thanks, Andrew and David
Post by Stephen A. Felicetti
Post by David Zych
I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs.
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
(do not include an EAPTLS_CertificateFile directive)
Thu Nov 4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
Thu Nov 4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context
You still need to specify either an EAPTLS_CAFile or EAPTLS_CAPath (it
doesn't really mean much if you're not using client certs, but as you've
just discovered, TTLS can't initialize without the declaration).

