April 11, 2009 at 4:03 pm #41627
I have Zeroshell running in a VM and I have it configured as a Radius server to authenticate my WiFi network. I am using EAP-TLS with certificates for the authentication and up till today it was working fine. I can authenticate with PEAP with no problem but when I try authenticating with the certificate I get this error:
23:12:56 –> verify error:num=12:CRL has expired
23:12:56 TLS Alert write:fatal:certificate expired
23:12:56 TLS_accept:error in SSLv3 read client certificate B
23:12:56 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
23:12:56 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
23:12:56 Login incorrect: [marilee] (from client DD-WRT port 61 cli 001a73dd9777)
I have renewed the client certificate and reimported it to the laptop but that had no effect. I don’t think the server certificate is broken because PEAP works fine. I don’t see anywhere to renew the CRL, other than to revoke and renew the CA certificate. Any help would be appreciated.
One final thing I did see in another post about problems with clock synchronization. So I checked the system clock and the Zeroshell VM clock and compared with the laptop and it’s all within a couple of seconds. So I don’t think there is a time problem.
May 7, 2009 at 2:38 am #48006
I’ll never understand why anyone would use this encryption who doesn’t work for the government or an armed forces group.
Certificate based authentication can get really tricky.
First check your CRL in zeroshell.
Check your host certificates’ valid NOT BEFORE:NOT AFTER dates
Check your dates and times on your test machines PC/Server
Check your certificate stores to verify the certificates are installed in the right places
Check for duplicate certificates with similar names that may cause conflicts
Recreate your vpn connectoid with a different name
Try unchecking simple certificate selection and specify your own during connection start
Try unchecking Validate server certificate to identify if it’s a certificate challenge error
EAP-MD5, LEAP, EAP-TLS, EAP-TTLS, PEAP are only fun to have when they’re working right.
More information is needed to concentrate troubleshooting.
January 12, 2013 at 2:02 am #48007
I know this is an old thread, but I recently experienced the same problem. I’m running 2.0.RC1.
Examining the CRL showed that it had recently been renewed around the time that it started to be reported as expired. Somehow the renewal of the CRL did not get communicated to the running instance of the RADIUS server.
I found the simplest workaround is to disable and then enable the RADIUS service, which I guess caused the renewed CRL to be read.
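A check that separates the two states seen in this thread, a CRL that has expired on disk versus a renewed CRL that the running RADIUS daemon has not re-read, as an added example that is not part of the original posts or Zeroshell's own code. It assumes a PEM-encoded CRL, GNU `date` and `stat`, and procps `ps`; the CRL path and the RADIUS process ID are supplied by the caller.

```shell
#!/bin/sh
# Usage: sh crl_check.sh /path/to/crl.pem <radius-pid>
# Both arguments are supplied by the caller; no Zeroshell paths are assumed.

# Print the CRL's nextUpdate field as epoch seconds.
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate) || return 1
    # openssl prints e.g. "nextUpdate=Apr 11 12:00:00 2009 GMT"
    date -u -d "${nu#nextUpdate=}" +%s
}

# Print the start time of a process as epoch seconds.
proc_start_epoch() {
    started=$(ps -o lstart= -p "$1") || return 1
    date -d "$started" +%s
}

# classify_crl NOW NEXT_UPDATE CRL_MTIME DAEMON_START (all epoch seconds)
classify_crl() {
    now=$1 next=$2 mtime=$3 started=$4
    if [ "$now" -ge "$next" ]; then
        # The CA must issue a fresh CRL; restarting RADIUS will not help.
        echo "EXPIRED_ON_DISK"
    elif [ "$mtime" -gt "$started" ]; then
        # File was renewed after the daemon started, so the daemon may
        # still be validating clients against the old, expired copy.
        echo "STALE_IN_DAEMON"
    else
        echo "OK"
    fi
}

check_crl() {
    crl=$1 pid=$2
    next=$(crl_next_update_epoch "$crl") || { echo "cannot read $crl" >&2; return 2; }
    started=$(proc_start_epoch "$pid") || { echo "no such pid $pid" >&2; return 2; }
    mtime=$(stat -c %Y "$crl")
    verdict=$(classify_crl "$(date +%s)" "$next" "$mtime" "$started")
    echo "$crl: $verdict"
    [ "$verdict" = "OK" ]
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    check_crl "$1" "$2"
fi
```

Run from cron, a `STALE_IN_DAEMON` verdict is the cue to restart the RADIUS service before clients start failing with `CRL has expired`.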