Toralf Lund
2016-Sep-02 17:27 UTC
[CentOS] NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"
Hi, I'm trying to connect my CentOS 6.8 laptop to the wireless net at work, which is secured with WPA2 and AES. I've done this successfully in the past using NetworkManager, but a new safety feature was recently introduced: A CA certificate is required. After this, I've not been able to connect. I have a DER format file, whose path I've entered in CA certificate: in the NetworkManager security page, but apparently, this isn't enough; NetworkManager will try for a while, then pop up the security/login dialog again. I found the following in /var/log/wpa_supplicant.log, which I believe is related to this issue: CTRL-EVENT-EAP-STARTED EAP authentication started CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/DC=com/DC=.../DC=.../CN=...' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/DC=com/DC=.../DC=.../CN=...' err='unable to get local issuer certificate' SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed CTRL-EVENT-EAP-FAILURE EAP authentication failed Note: I've removed some of the "DC=" info for privacy reasons, but what I'm seeing there, makes me think that the DER file has indeed been read. Maybe this means I have to provide additional certificate info somewhere, somehow, but what would be the exact nature of the data, and where do I put it? I googled for some of the error messages and found that others have had similar issues, but the feedback given to them left me none the wiser. Actually, wpa_supplicant.conf updates are mentioned in some cases, but they appear to be related to information that I thought would be provided by NetworkManager in this case. So, does anyone know more about this? What certificate or certificate configuration files should I need in addition to what's specified in the NetworkManager config? What else may be wrong? Any help will be appreciated. - Toralf
John Hodrien
2016-Sep-05 09:08 UTC
[CentOS] NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"
On Fri, 2 Sep 2016, Toralf Lund wrote:> Hi, > > I'm trying to connect my CentOS 6.8 laptop to the wireless net at work, which > is secured with WPA2 and AES. I've done this successfully in the past using > NetworkManager, but a new safety feature was recently introduced: A CA > certificate is required. After this, I've not been able to connect. I have a > DER format file, whose path I've entered inYou've definitely provided the correct CA certificate, and not accidentally provided the certificate itself? jh
Toralf Lund
2016-Sep-06 07:06 UTC
[CentOS] NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"
On 05/09/16 11:08, John Hodrien wrote:> On Fri, 2 Sep 2016, Toralf Lund wrote: > >> Hi, >> >> I'm trying to connect my CentOS 6.8 laptop to the wireless net at >> work, which is secured with WPA2 and AES. I've done this successfully >> in the past using NetworkManager, but a new safety feature was >> recently introduced: A CA certificate is required. After this, I've >> not been able to connect. I have a DER format file, whose path I've >> entered in > > You've definitely provided the correct CA certificate, and not > accidentally > provided the certificate itself?I think you're on to something, there. I actually used data exported from Windows, and I guess I ended up with (as you suggest) the "normal" certificate. Now I've switched to a "CA Root" .pem file for the authority, and the "Failed to load root certificates" message has gone away. But, I still get 'unable to get local issuer certificate'. Don't I need to provide the certificate itself, too? Where do I put it? - Toralf> > jh > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailman_listinfo_centos&d=CwICAg&c=KV_I7O14pmwRcmAVyJ1eg4Jwb8Y2JAxuL5YgMGHpjcQ&r=Q0oqxzgUp3xCCIiJDwS-RbNDndQ-KZDhj8wwveNoqU4&m=hDFAl_9PwzTrtJ4iK0Gl_fCsQjTIRPf9m3FS8SChP98&s=tNwTx4wHYKAXLwXOqOp7QWRJM1KEoQuOdt37B97jACE&e=
Possibly Parallel Threads
- NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"
- NetworkManger wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"
- Samba 4 and freeradius
- Fwd: ntlm_auth and freeradius
- Block internet access for some users on the LAN ?