Red Hat Bugzilla – Bug 429352
can't connect to secure wireless because cert doesn't verify due to failure to add ca_cert_blob to certificate store
Last modified: 2009-01-09 00:48:31 EST
Description of problem: A secure wireless network that I was able to connect to using Fedora 7 doesn't work anymore with Fedora 8. (The options in the dialog are a bit different between the two, so I'm not entirely sure if I'm entering everything correctly. However, the error in the log makes me pretty confident that something is wrong.) Version-Release number of selected component (if applicable): NetworkManager-0.7.0-0.6.6.svn3138.fc8 wpa_supplicant-0.5.7-21.fc8 How reproducible: always Steps to Reproduce: 1. Connect to office wireless here by choosing from nm-applet menu Actual results: The first time it pops up a dialog prompting for user, password, and various other options (but the dialog doesn't come up again after repeated failures). I choose /etc/pki/tls/cert.pem as the CA cert (it does contain the XRamp root, which is the root needed), switch to MSCHAPv2, and enter my username and password. (There doesn't seem to be a PEAP option anymore, but the SSL Tunnel seems to ask for the information I expect it to ask for.) However, it fails to connect. In /var/log/wpa_supplicant.log I see: OpenSSL: tls_connection_ca_cert - Failed to add ca_cert_blob to certificate store error:0B07C065:lib(11):func(124):reason(101) TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '[[...omitted...]]' SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA It seems like the SSL connection is failing to be initiated because of the "Failed to add ca_cert_blob to certificate store error". Expected results: Connects to wireless.
Is /etc/pki/tls/cert.pem a cert chain?
It's openssl's root cert list: $ rpm -q -f /etc/pki/tls/cert.pem openssl-0.9.8b-17.fc8 The wireless network I'm connecting to has a valid hostname and chains to the XRamp root.
But with current versions the error message is now more useful: CTRL-EVENT-EAP-STARTED EAP authentication started CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected OpenSSL: tls_connection_ca_cert - Failed to add ca_cert_blob to certificate store error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Landings RADIUS Server/CN=ol-radius01.office.mozilla.org' SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed CTRL-EVENT-EAP-FAILURE EAP authentication failed
What version of the wpa_supplicant RPM do you have installed?
wpa_supplicant-0.5.7-21.fc8 (still as I said in comment 0).
I'm getting a similar error with Fedora 9 rc + NetworkManager-0.7.0-0.9.3.svn3623.fc9.x86_64 in /var/log/wpa_supplicant.log: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com' SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed CTRL-EVENT-EAP-FAILURE EAP authentication failed I did add /etc/pki/tls/cert.pem with NetworkManager's gui to the profile, which apparently is used: May 8 15:53:24 localhost NetworkManager: <info> Config: added 'ca_cert' value 'blob://-org-freedesktop-NetworkManagerSettings-11-ca_cert' But perhaps some data is missing? As a root CA, Thawte should be allowed to self-sign, no? Everything works fine if I use wpa_supplicant manually (with ca_cert="/etc/pki/tls/cert.pem") instead of NetworkManager.
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.