CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
notes/projects/gg/freeradius/homelab/20250726-tls_certs_peap.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00

134 lines
4.9 KiB
Markdown
Raw Permalink Blame History

The error **"TLS Alert: fatal: unknown CA"** indicates that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server, but it **cannot verify the server's certificate** because the **CA (Certificate Authority)** is not trusted. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)** with TLS. Let's fix it step by step.
---
### **1. Understand the Root Cause**
- **PEAP (PEAP-MSCHAPv2)** requires **TLS** for secure communication.
- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a **trusted certificate**.
- The client (phone) is not trusting the **CA** that signed the server's certificate.
---
### **2. Fix: Configure TLS for PEAP on FreeRADIUS**
You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:
#### **A. Generate a Self-Signed Certificate (For Testing)**
If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones (unless manually added).
1. **Generate a private key and certificate:**
```bash
openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
```
- Replace `your_radius_server.crt` and `your_radius_server.key` with your server's certificate and key.
2. **Set correct permissions:**
```bash
chown -R freeradius:freeradius /etc/freeradius/certs/
chmod 600 /etc/freeradius/certs/your_radius_server.key
chmod 644 /etc/freeradius/certs/your_radius_server.crt
```
#### **B. Configure FreeRADIUS to Use the Certificate**
Update `/etc/freeradius/eap.conf` to use the certificate:
```ini
eap {
default_eap_type = peap
timer_expire = 60
max_sessions = 256
peap {
# Path to your certificate and key
certificate = /etc/freeradius/certs/your_radius_server.crt
private_key = /etc/freeradius/certs/your_radius_server.key
ca_list = /etc/freeradius/certs/ca.crt # Optional: If you're using a chain
dh_file = /etc/freeradius/certs/dh2048.pem # Optional: Diffie-Hellman parameters
}
}
```
- If you're using a **self-signed certificate**, skip the `ca_list` line.
- If you're using a **trusted CA**, ensure the `ca_list` contains the CA's certificate.
#### **C. Generate Diffie-Hellman Parameters (Optional)**
For stronger TLS security:
```bash
openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
```
---
### **3. Ensure the Client (Phone) Trusts the Certificate**
If you're using a **self-signed certificate**, the phone must trust it manually. Here's how:
#### **A. Export the Server's Certificate**
1. Use `openssl` to extract the certificate from the `.crt` file:
```bash
openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
```
2. Convert it to PEM format (optional):
```bash
openssl x509 -in your_radius_server.crt -out your_radius_server.pem
```
#### **B. Install the Certificate on the Phone**
- **Android**:
1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
2. Import the `.der` or `.pem` file.
- **iOS**:
1. Go to **Settings > General > About > Certificate Trust Settings**.
2. Add the certificate to the trusted list (may require a certificate from a trusted CA).
#### **C. Use a Trusted CA (Recommended for Production)**
If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:
- The certificate is correctly installed.
- The **CA chain** is complete (e.g., intermediate certificates are included).
- The phone's trust store includes the CA's certificate.
---
### **4. Verify FreeRADIUS TLS Configuration**
1. **Restart FreeRADIUS**:
```bash
systemctl restart freeradius
```
2. **Check Logs for TLS Errors**:
```bash
tail -f /var/log/freeradius/radius.log
```
Look for:
- `TLS: Server certificate is not trusted`
- `TLS: No trusted certificate found`
3. **Test with `radtest`** (Ensure PEAP is working):
```bash
radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
```
---
### **5. Advanced: Debug TLS Handshake**
If the issue persists, enable **TLS debugging** in `eap.conf`:
```ini
eap {
debug = yes
...
}
```
Then check the logs for detailed TLS handshake errors.
---
### **Summary of Fixes**
| Step | Action |
|------|--------|
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
| 2 | Configure FreeRADIUS to use the certificate in `eap.conf` |
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
| 4 | Restart FreeRADIUS and verify TLS is working |
| 5 | Debug with `debug = yes` if issues persist |
After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀
Reference in New Issue View Git Blame Copy Permalink