CentOS - Sep 2016 - NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"

Hi,

I'm trying to connect my CentOS 6.8 laptop to the wireless net at work, 
which is secured with WPA2 and AES. I've done this successfully in the 
past using NetworkManager, but a new safety feature was recently 
introduced: A CA certificate is required. After this, I've not been able 
to connect. I have a DER format file, whose path I've entered in

CA certificate:

in the NetworkManager security page, but apparently, this isn't enough; 
NetworkManager will try for a while, then pop up the security/login 
dialog again. I found the following in /var/log/wpa_supplicant.log, 
which I believe is related to this issue:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
OpenSSL: tls_connection_ca_cert - Failed to load root certificates 
error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
TLS: Certificate verification failed, error 20 (unable to get local 
issuer certificate) depth 1 for '/DC=com/DC=.../DC=.../CN=...'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 
subject='/DC=com/DC=.../DC=.../CN=...' err='unable to get local
issuer
certificate'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Note: I've removed some of the "DC=" info for privacy reasons, but
what
I'm seeing there, makes me think that the DER file has indeed been read.

Maybe this means I have to provide additional certificate info 
somewhere, somehow, but what would be the exact nature of the data, and 
where do I put it? I googled for some of the error messages and found 
that others have had similar issues, but the feedback given to them left 
me none the wiser. Actually, wpa_supplicant.conf updates are mentioned 
in some cases, but they appear to be related to information that I 
thought would be provided by NetworkManager in this case.

So, does anyone know more about this? What certificate or certificate 
configuration files should I need in addition to what's specified in the 
NetworkManager config? What else may be wrong?

Any help will be appreciated.

- Toralf

On Fri, 2 Sep 2016, Toralf Lund wrote:
> Hi,
>
> I'm trying to connect my CentOS 6.8 laptop to the wireless net at work,
which
> is secured with WPA2 and AES. I've done this successfully in the past
using
> NetworkManager, but a new safety feature was recently introduced: A CA 
> certificate is required. After this, I've not been able to connect. I
have a
> DER format file, whose path I've entered in
You've definitely provided the correct CA certificate, and not accidentally
provided the certificate itself?

jh

On 05/09/16 11:08, John Hodrien wrote:
> On Fri, 2 Sep 2016, Toralf Lund wrote:
>
>> Hi,
>>
>> I'm trying to connect my CentOS 6.8 laptop to the wireless net at
>> work, which is secured with WPA2 and AES. I've done this
successfully
>> in the past using NetworkManager, but a new safety feature was
>> recently introduced: A CA certificate is required. After this, I've
>> not been able to connect. I have a DER format file, whose path I've
>> entered in
>
> You've definitely provided the correct CA certificate, and not
> accidentally
> provided the certificate itself?
I think you're on to something, there. I actually used data exported 
from Windows, and I guess I ended up with (as you suggest) the
"normal"
certificate. Now I've switched to a "CA Root" .pem file for the 
authority, and the "Failed to load root certificates" message has gone
away. But, I still get 'unable to get local issuer certificate'.

Don't I need to provide the certificate itself, too? Where do I put it?

- Toralf

>
> jh
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
>
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailman_listinfo_centos&d=CwICAg&c=KV_I7O14pmwRcmAVyJ1eg4Jwb8Y2JAxuL5YgMGHpjcQ&r=Q0oqxzgUp3xCCIiJDwS-RbNDndQ-KZDhj8wwveNoqU4&m=hDFAl_9PwzTrtJ4iK0Gl_fCsQjTIRPf9m3FS8SChP98&s=tNwTx4wHYKAXLwXOqOp7QWRJM1KEoQuOdt37B97jACE&e=