cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: A.L.M.Buxey AT lboro.ac.uk
- To: Michele de Varda <michele.devarda AT unimi.it>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] Problem with Linux Configuration Script
- Date: Fri, 14 Mar 2014 20:02:13 +0000
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
hi,
on connecting to your RADIUS server, a client is presented with the following:
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQ
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgw
MjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYD
VQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ
2RHP7gJYHyX3KqhEBarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaO
IG+YD/isI19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i2JhucwNh
kcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ2HUw19JlYD1n1khV
dWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
-----END CERTIFICATE-----
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQ
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgw
MjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYD
VQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ
2RHP7gJYHyX3KqhEBarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaO
IG+YD/isI19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i2JhucwNh
kcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ2HUw19JlYD1n1khV
dWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
-----END CERTIFICATE-----
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. -
For authorized use only/CN=VeriSign Class 3 Public Primary Certification
Authority - G5
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYxMTA4MDAwMDAwWhcN
MjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBW
ZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g
RzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70PbZmIVYc9g
DaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ0
23tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9
r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MU
CH7lP59zuDMKz10/NIeWiu5T6CUVAgMBAAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEG
A1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1Ud
DwEB/wQEAwIBBjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93
d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoas
jY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w
PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYJYIZIAYb4QgQBBgpg
hkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUAA4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY
5eE43U68ZhjTresY8g3JbT5KlCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq
14lWAyMfs77oOghZtOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server
CA - G3
-----BEGIN CERTIFICATE-----
MIIGKTCCBRGgAwIBAgIQZBvoIM4CCBPzLU0tldZ+ZzANBgkqhkiG9w0BAQUFADCByjELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBh
dXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQ
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcN
MjAwMjA3MjM1OTU5WjCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1
c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVy
aVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmdacYvAV9IGaQQhZjxOdF8mfUdzasVLv/+NB3eDfxCjG
4615HycQmLi7IJfBKERBD+qpqFLPTU4bi7u1xHbZzFYG7rNVICreFY1xy1TIbxfNiQDk3P/h
wB9ocenHKS5+vDv85burJlSLZpDN9pK5MSSAvJ5s1fx+0uFLjNxC+kRLX/gYtS4w9D0SmNNi
BXNUppyiHb5SgzoHRsQ7AlYhv/JRT9CmmTnprqU/iZucff5NYAclIPe712mDK4KTQzfZg0Eb
awurSmaET0qO3n40mY5o1so5BptMs5pITRNGtFghBMT7oE2sLktiEuP7TfbJUQABH/weaoEq
OOC5T9YtRQIDAQABo4ICFTCCAhEwEgYDVR0TAQH/BAgwBgEB/wIBADBwBgNVHSAEaTBnMGUG
C2CGSAGG+EUBBxcDMFYwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9j
cHMwKgYIKwYBBQUHAgIwHhocaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAOBgNVHQ8B
Af8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUr
DgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEG
CmCGSAGG+EUBCAEwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52
ZXJpc2lnbi5jb20wNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC52ZXJpc2lnbi5jb20v
cGNhMy1nNS5jcmwwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFZlcmlTaWduTVBLSS0yLTcw
HQYDVR0OBBYEFNebfNgioBX33a1fzimbWMO8RgC1MB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ
80M5+gKvMzEzMA0GCSqGSIb3DQEBBQUAA4IBAQBxtX1zUkrd1000Ky6vlEalSVACT/gvF3Dy
E9wfIYaqwk98NzzURniuXXhv0bpavBCrWDbFjGIVRWAXIeLVQqh3oVXYQwRR9m66SOZdTLdE
0z6k1dYzmp8N5tdOlkSVWmzWoxZTDphDzqS4w2Z6BVxiEOgbEtt9LnZQ/9/XaxvMisxx+rNA
VnwzeneUW/ULU/sOX7xo+68q7jA3eRaTJX9NEP9X+79uOzMh3nnchhdZLUNkt6Zmh+q8lkYZ
GoaLb9e3SQBb26O/KZru99MzrqP0nkzKXmnUG623kHdq2FlveasB+lXwiiFm5WVu/XzT3x7r
fj8GkPsZC9MGAht4Q5mo
-----END CERTIFICATE-----
/C=IT/ST=Milano/L=Milano/O=Universita' degli Studi di Milano/OU=Div.
Telecomunicazioni/OU=For Intranet Use Only/CN=eduroam
-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgIQQ3g0RHN6vi4+16Ul5gpYYjANBgkqhkiG9w0BAQUFADCBvDELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5h
dGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTEzMDMxODAwMDAwMFoXDTE1MDMxOTIzNTk1OVow
ga4xCzAJBgNVBAYTAklUMQ8wDQYDVQQIEwZNaWxhbm8xDzANBgNVBAcUBk1pbGFubzEqMCgG
A1UEChQhVW5pdmVyc2l0YScgZGVnbGkgU3R1ZGkgZGkgTWlsYW5vMR8wHQYDVQQLFBZEaXYu
IFRlbGVjb211bmljYXppb25pMR4wHAYDVQQLFBVGb3IgSW50cmFuZXQgVXNlIE9ubHkxEDAO
BgNVBAMUB2VkdXJvYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1ONCQHA+X
d0cQM6EeAS5MJicKCi25kdYeQDAJgZY8L6TbaRsbusvPjd0GjpmSWh7Bo2D/dV/NH2XgbVC0
BJ8NjNNXxdQU5yOIUWi7QFqkThB9tbjc4OfedXZHxP6Q79iGFF52kT4w+KcdF2mAb9x42LTz
JLQRD1w4gnq67Du/Ccl/9g8i5BJWX7biANdPQ9SqILr3nGpZLAdaowqeHLAJsBIPbLhh9u5n
V4umGF6tf4JbzSrYd38qf/77PWsMX6BTr9MOXXuxuW39DdG4AJ71AgGMPO4iPbGw31BoosnJ
SRrOtQn+/0Lo2ITaqzsRrKYA1qk0S/LU3b2O82MkmNHtAgMBAAGjggF6MIIBdjASBgNVHREE
CzAJggdlZHVyb2FtMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsG
AQUFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAq
MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaA
FNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRs
LUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDov
L1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEB
BQUAA4IBAQBafSU9pgfmW0hM3ub58qw/SFRHciyGi7GMNsdkGACMZ3vwtikwjicmfoLIagrL
AOwd3aq6Vf42P7/9BVB9W+07nmK4OZRTiI94Ax1tMpX7FCxSJrPZjKOiCifRZFmPO1g9w206
RrcGkVOIt2zD/yPIukL1eFUTyuOjZbNl7IR7xa8s02M7b8Q3FBj9uYJQFkn4lIJLGy7/ZO08
N3yGu7ONP2Kc8E9dNlK6CnAbzKSEwkXTbhK2pDIqfh03/BMHPHCdoS+a6ZqvooUrJnYHQA6Z
925SEGjX5EL0rh9HKYQEhPQej9I7Mjaym3OBnXuf/+m8dPil9yMb+37CrVnawueP
-----END CERTIFICATE-----
you seem to have a duplicate certificate in the chain (the first 2 are
identical)...and
that cert is not one that you've added to your profile it seems...
(/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority)
..the 3rd
cert you have added to your profile doesnt appear, at quick inspection, to be
in
the certificate presented by your RADIUS server....and the last one presented
by your RADIUS server doesnt appear to be in your profile.
what RADIUS platform? If e.g. FreeRADIUS, you can just copy the cert file
you serve
out from that server into your CAT profile (well, save file, upload it!).
ensure
your certs are in the order that they need to be - the closest to the server
first..then
first intermediate etc etc until the final one which is root. if you load the
RADIUS
server cert 'eduroam' into an SSL validation system you'll see the chain
and required cert trust (look at the cert on Windows as the default cert
viewer
is quite useful.
in fact...if i just add that first cert to the list of certs you provide in
your
profile chain then it validates fine! (if I dont add that, duplicated, cert,
then it fails eg
openssl verify -verbose -purpose sslserver -CAfile cert_test.der cert5.der
cert5.der: OK
thats how it should be...... but with your provided chain I have
openssl verify -verbose -purpose sslserver -CAfile cert_test.der cert5.der
cert5.der: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
error 2 at 2 depth lookup:unable to get issuer certificate
alan
- [cat-users] Problem with Linux Configuration Script, Michele de Varda, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Stefan Winter, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, A . L . M . Buxey, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Tomasz Wolniewicz, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script - correction, Tomasz Wolniewicz, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Tomasz Wolniewicz, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Tomasz Wolniewicz, 03/15/2014
- Re: [cat-users] Problem with Linux Configuration Script, Michele de Varda, 03/18/2014
- Re: [cat-users] Problem with Linux Configuration Script, Stefan Winter, 03/18/2014
- Re: [cat-users] Problem with Linux Configuration Script, Michele de Varda, 03/18/2014
Archive powered by MHonArc 2.6.19.