cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
Re: [cat-users] The server certificate could not be verified to the root CA you configured in your profile!
- From: Torkil Svensgaard <torkil AT drcmr.dk>
- To: Stefan Winter <stefan.winter AT restena.lu>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] The server certificate could not be verified to the root CA you configured in your profile!
- Date: Thu, 3 Sep 2015 08:21:56 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
On 09/03/2015 05:51 AM, Stefan Winter wrote:
Hello,
I'm in the process of setting up my institution's IdP and I'm getting
the following error when doing the live login test:
"
Test FAILED: authentication succeded. Some configuration errors were
observed; the list is below.
...
The server certificate could not be verified to the root CA you
configured in your profile!
"
I'm using self signed keys and the server certificate seems to verify
as it should:
"
# openssl verify -CAfile ca.pem server.pem
server.pem: OK
"
Is the error misleading or did I misunderstand something?

We haven't had false alerts with that one yet, so I'd think there is
something wrong/a bit special with your setup.
Did you mean to say self-signed *certificates*? I don't know what
self-signed *keys* would be.

Indeed

If you did mean self-signed certs - that term is usually used when the
CA cert is identical to the server certificate. You have two different
file names in your command-line. So, is the CA different from the server?

As you may have guessed I'm not that familiar with certificates, so self-signed might not be the right word. I thought I created a CA and used that to sign a server certificate (filching commands from the bootstrap script that comes with FreeRADIUS).

Did you have any other errors or warnings besides this one?

Yes,
Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some configuration errors were observed; the list is below.
The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication.
At least one certificate did not contain any BasicConstraints extension; which makes it unclear if it's a CA certificate or end-entity certificate. At least Mac OS X 10.8 (Mountain Lion) will not validate this certificate for EAP purposes!
The server certificate did not include a CRL Distribution Point, creating compatibility problems with Windows Phone 8.
The server certificate could not be verified to the root CA you configured in your profile!
The configured EAP server name matches either the CN or a subjectAltName:DNS of the incoming certificate; best current practice is that the certificate should contain the name in BOTH places.
I believe I will be able to fix those since the problems are described in your documentation, but I was unsure about the CA one.

Finally, it would help if you could attach the CA cert and server cert
so I can run some tests of my own

Here you go.

Thanks,
Torkil
--
Torkil Svensgaard
Sysadmin
MR-Forskningssektionen, afs. 714
DRCMR, Danish Research Centre for Magnetic Resonance
Hvidovre Hospital
Kettegård Allé 30
DK-2650 Hvidovre
Denmark
Tel: +45 386 22828
E-mail:
torkil AT drcmr.dk
Attachment:
ca.pem
Description: application/x509-ca-cert
Attachment:
server.pem
Description: application/x509-ca-cert
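
Added example, not part of the original message or of CAT: a shell script that repeats the `openssl verify` check from the message and then looks for three of the conditions the CAT test listed (no BasicConstraints, no CRL Distribution Point, server name not in both CN and subjectAltName:DNS). The certificates it audits are generated on the spot as constructed samples; `radius.example.org`, the CA name and the CRL URL are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the hostname, CA name and CRL URL are constructed placeholders.

# make_sample_pki DIR: throwaway CA plus two server certs for the same key:
#   bare.pem (signed with no extension file) and good.pem (with extensions).
make_sample_pki() (
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF' || exit 1
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:radius.example.org
crlDistributionPoints = URI:http://crl.example.org/ca.crl
EOF
    openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Example Test CA" -days 30 &&
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout srv.key -out srv.csr -subj "/CN=radius.example.org" &&
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out bare.pem &&
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions srv -out good.pem
) >/dev/null 2>&1

# audit_server_cert CA CERT NAME: print one line per finding, return the count.
audit_server_cert() {
    n=0
    re=$(printf '%s' "$3" | sed 's/\./\\./g')   # match dots literally
    text=$(openssl x509 -in "$2" -noout -text) || return 99
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "does not verify against $1"; n=$((n+1)); }
    printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints' ||
        { echo "no BasicConstraints extension"; n=$((n+1)); }
    printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points' ||
        { echo "no CRL Distribution Point"; n=$((n+1)); }
    { printf '%s\n' "$subj" | grep -Eq "CN=$re(,|\$)" &&
      printf '%s\n' "$text" | grep -Eq "DNS:$re(,| |\$)"; } ||
        { echo "$3 is not in both CN and subjectAltName:DNS"; n=$((n+1)); }
    return "$n"
}

d=$(mktemp -d) && make_sample_pki "$d" && for c in bare good; do
    echo "== $c.pem"; audit_server_cert "$d/ca.pem" "$d/$c.pem" radius.example.org
done; rm -rf "$d"
```

Both sample certificates pass `openssl verify`, which shows that a clean chain check says nothing about the extension and naming findings.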