Bug 498323 - /etc/pki/tls/certs/ca-bundle.crt does not work with WPA2 enterprise wireless and NetworkManager. Worked on initial 10 release and continues to version 11.
/etc/pki/tls/certs/ca-bundle.crt does not work with WPA2 enterprise wireless ...
Product: Fedora
Classification: Fedora
Component: ca-certificates (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Joe Orton
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-04-29 16:54 EDT by Robert Freeman-Day
Modified: 2010-06-29 09:16 EDT (History)
7 users (show)

See Also:
Fixed In Version: 12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-06-28 08:16:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
failed connection with unmodified /etc/pki/tls/certs/ca-bundle.crt (607 bytes, text/plain)
2009-05-06 13:43 EDT, Robert Freeman-Day
no flags Details
successful connection with modified /etc/pki/tls/certs/ca-bundle.crt (1010 bytes, text/plain)
2009-05-06 13:44 EDT, Robert Freeman-Day
no flags Details
Unmodified ca-bundle.crt (545.00 KB, text/plain)
2009-05-06 13:46 EDT, Robert Freeman-Day
no flags Details
cert bundle with Thawte Premeum Server CA moved to top of file (545.00 KB, text/plain)
2009-05-06 13:48 EDT, Robert Freeman-Day
no flags Details

  None (edit)
Description Robert Freeman-Day 2009-04-29 16:54:54 EDT
Description of problem:  

When using ca-certificates provided cert.pm file as per this documentation for access to WPA2 enterprise wireless - http://kb.iu.edu/data/axsv.html - now keeps "asking for new secrets" according to /var/log/messages and re-prompting for wireless network secrets.  This procedure did work when Fedora 10 was first released.  I do not have access to the original /etc/pki/tls/cert.pem file (and I also know it is a soft link to /etc/pki/tls/certs/ca-bundle.crt).  Has this file changed in some way?

I can go into Firefox and export the Thawte ca mentioned in the documentation link and this allows me to connect as well as downloading the CA from Thawte directly.

How reproducible:

Reliably reproduced from multiple machines.
Comment 1 Thomas Lee 2009-04-30 10:26:47 EDT
I've experienced this too (actually I am the one who called the OP's attention to this problem).  It is exactly as he says, although I was not attempting to do this when Fedora 10 first released, so I had not seen it work correctly then.

Downloading the Premium Server CA certificate directly from Thawte and having it in a file by itself works.  Using /etc/pki/tls/cert.pem from the ca-certificates RPM (a symbolic link to /etc/pki/tls/certs/ca-bundle.crt) does not.  This is despite the fact that the Thawte certificate appears to be one of those in ca-bundle.crt.  I am not certain whether the problem is in the ca-certificates package or in NetworkManager, and I am not sure whether it is because the certificate is embedded in a bundled file or because cert.pem is a symlink.

But putting the Thawte certificate in a regular (non-symlink) file, by itself, and directing NetworkManager to use that certificate, works.  Without this workaround, it is not possible to connect to the wireless service in question, which does use WPA2 enterprise security, with PEAP v0 and MSCHAPv2.
Comment 2 Robert Freeman-Day 2009-05-06 11:11:07 EDT
Posted update to another bug I was following regarding this.


Why can't the CAs be separated into separate pem files instead of a big bundle
like SUSE and the deb based distros?
Comment 3 Robert Freeman-Day 2009-05-06 13:43:36 EDT
Created attachment 342688 [details]
failed connection with unmodified /etc/pki/tls/certs/ca-bundle.crt
Comment 4 Robert Freeman-Day 2009-05-06 13:44:22 EDT
Created attachment 342689 [details]
successful connection with modified /etc/pki/tls/certs/ca-bundle.crt
Comment 5 Robert Freeman-Day 2009-05-06 13:46:02 EDT
Created attachment 342690 [details]
Unmodified ca-bundle.crt
Comment 6 Robert Freeman-Day 2009-05-06 13:48:05 EDT
Created attachment 342691 [details]
cert bundle with Thawte Premeum Server CA moved to top of file
Comment 7 Robert Freeman-Day 2009-05-06 13:57:56 EDT
Our wireless setup is utilizing Thawte Premium Server as its CA.  I compared it to an Ubuntu install and they were the same.  I decided to test to see if the monolithic bundle may not be able to be parsed down to the CA I wanted, so I edited /etc/pki/tls/certs/ca-bundle.crt and moved the Thawte Premium Server CA to the top (see attachments).  When doing this, I was able to connect without issue (see attachments).  

I see some issues with this.  First, that there is some kind of corruption/change in /etc/pki/tls/certs/ca-bundle.crt that will not let wpa_supplicant get down to the CA.  Second, if the CAs were separated out with their own file, this would not have been a problem.  Third, Network Manager does not seem to be able to parse out a file so that it finds the CA requested.

Is there a way to look into this?  As it stands, people at my university cannot connect wirelessly without modification.
Comment 8 Robert Freeman-Day 2009-06-10 09:04:39 EDT
This bug is still in existence in Fedora 11.  Updating info to reflect.
Comment 9 Mike C 2009-08-20 12:38:46 EDT
I will soon need to make wireless connections to our institution using the Equifax cert - I notice that this is included in the ca-certificates package, but also is available as an explicit file at
so the certificate in question in my case can be referenced directly. However presumably the same issue as in this bz will apply.
Comment 10 Robert Freeman-Day 2009-08-20 13:59:06 EDT
You may be able to point to another file, and our work around is getting the cert directly from Thawte, but that does not change the fact that this issue exists.  

I still want to know why this cannot be broken up into separate files to prevent cases like this when an app cannot parse the monolithic file.

I would be curious, Mike, if you are able to utilize the ca-bundle.crt when you roll out your wireless setup, so please report back on this bug report.
Comment 11 Mike C 2009-08-20 15:56:43 EDT
Our changeover of the authentication for our institution system to using the Equifax cert is due to happen from 25th August, so I won't be able to check that until then. Once the authentication change has happened I will try it out and report back.
Comment 12 Robert Freeman-Day 2009-11-25 15:25:13 EST
This issue is fixed for me in Fedora 12.  It is using ca-certificates-2009-2.fc12 with /etc/pki/tls/certs/ca-bundle.crt version 1.53.

Fedora 11 which still has the problem is using ca-certificates-2008-8 with /etc/pki/tls/certs/ca-bundle.crt version 1.49.

Fedora 10 and RHEL are also using some kind of older version of the ca-certificates package as well and exhibiting this issue.  

Can there be a way to push updates to RHEL/10/11 to get this fix pushed through.  I know it is a simple package and workarounds can be easily found, however if the CA bundle is corrupt in any way other services that need this file could be impacted besides WPA2 enterprise wireless.

As a final note, I am very disappointed with the quality assurance and the assignee on this.  The end users heard absolutely NOTHING from them.  Seeing as this impacts an enterprise OS as well as Fedora, this does not bode well.  It is a simple bug and could have been simply fixed on the packagers end in my opinion.

Please fix this in RHEL/10/11.
Comment 13 Dan Williams 2010-04-06 16:07:42 EDT
From the NetworkManager side, NM 0.8 (available in F12+) has been modified to better handle large certificate bundles.  RHEL 5, F10, and F11 use NM 0.7, which does not have the fix and therefore may work badly with large certificate bundles.
Comment 14 Bug Zapper 2010-04-27 10:00:39 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 15 Bug Zapper 2010-06-28 08:16:19 EDT
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 16 Robert Freeman-Day 2010-06-29 08:49:12 EDT
Do you guys even look at these bug reports?!?  Do you read the comment threads???

This fix is not backported to your currently supported enterprise OS.  There are flags asking for more info that were not answered nor cleared.  This is just bad.  I am very disappointed in your triaging.  I see Dan Williams said it was fixed in 12, but your Enterprise OS needs this fix as well.
Comment 17 Tomas Mraz 2010-06-29 09:16:00 EDT
This is a Fedora bug report. For Red Hat Enterprise Linux support requests, please contact the Red Hat support.


Note You need to log in before you can comment on or make changes to this bug.