
I have an authentication server based on certificates. The previous roll of certificates (1 CA + 1 Server + 1 Client) worked perfectly. A few days ago the client certificate expired and I had to generate a new one. I encountered the following problem, so I generated all of the certificates (CA, Server and Client) once again, but the problem still remains.

The server holds the CA + Server + Client certificates. The client holds the CA + Client certificates.

Here is the error the client gets when trying to authenticate (using wpasupplicant):

root@HP:/etc/wpa_supplicant# wpa_supplicant -c certs.conf -D wired -i enp63s0
  Successfully initialized wpa_supplicant
  enp63s0: Associated with 01:80:c2:00:00:03
  enp63s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
  enp63s0: CTRL-EVENT-EAP-STARTED EAP authentication started
  enp63s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
  enp63s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
  enp63s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc. /emailAddress=admin@example.org/CN=Example certificate Authority' hash=71d392c4f64b1dd18d378c57fea2f2673a26ad4a93974f70e5c1a44709f89ab3
  enp63s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org' hash=c6c4425f12a6540ca9327769d50e95de32df60aac46c0dcd54291db880192a5
> SSL: SSL3 alert: write (local SSL3 detected an error): fatal:decrypt error
> OpenSSL: openssl_handshake - SSL_connect error:0407E068:rsa routines:RSA_verify_PKCS1_PSS_mgf1:bad signature
> OpenSSL: pending error: error:1416D07B:SSL routines:tls_process_key_exchange: bad signature
  enp63s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
  enp63s0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
  enp63s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED
  enp63s0: CTRL-EVENT-TERMINATING
root@HP:/etc/wpa_supplicant#

The error lines are at the ">".

I tested the fingerprints of the certificates stored on the client and they are the same as the ones on the server.

Do you know where the problem comes from?

Edit: Can you explain to me what a bad signature means? I wasn't able to find it.

molik
  • Are you using an intermediate certificate? In that case I'm guessing it is because it doesn't know which root certificate has signed the intermediate certificate. – Lasse Michael Mølgaard Oct 25 '21 at 14:37
  • No, there aren't any intermediate certificates. I found what caused the problem and it's a bit embarrassing. The virtual machine running the server appears not to take the host date at boot; the server was stuck in the past. The authentication works now. – molik Oct 26 '21 at 06:57

0 Answers
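The cause reported in the last comment was a server clock stuck in the past. The following is an added example, not part of the original thread: it compares a certificate's notBefore/notAfter window with a given clock value, so the same file can be checked against each host's time. It assumes the openssl CLI and GNU date; the function names and the generated sample certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare a certificate's validity window with a host clock.
# Assumes the openssl CLI and GNU date (date -d); function names are illustrative.

# cert_epoch FIELD CERT -> epoch seconds of notBefore (-startdate) or notAfter (-enddate)
cert_epoch() {
    local raw
    raw=$(openssl x509 -noout "$1" -in "$2") || return 1
    date -u -d "${raw#*=}" +%s
}

# cert_clock_status CERT [EPOCH] -> valid | not-yet-valid | expired
# EPOCH defaults to the local clock; pass another host's `date +%s` to test its view.
cert_clock_status() {
    local cert="$1" now="${2:-$(date +%s)}" start end
    start=$(cert_epoch -startdate "$cert") || return 2
    end=$(cert_epoch -enddate "$cert") || return 2
    if [ "$now" -lt "$start" ]; then
        echo not-yet-valid      # clock is behind the certificate's issue date
    elif [ "$now" -gt "$end" ]; then
        echo expired
    else
        echo valid
    fi
}

# make_sample_cert DIR -> writes a constructed, self-signed 1-day certificate
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Demo on constructed data: the same certificate seen by three different clocks.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
now=$(date +%s)
for skew in 0 -2592000 2592000; do   # on time, 30 days behind, 30 days ahead
    printf 'clock %+d s: %s\n' "$skew" \
        "$(cert_clock_status "$demo_dir/sample.pem" $((now + skew)))"
done
rm -rf "$demo_dir"
```

Running `date +%s` on the RADIUS server VM and passing the result as the second argument shows how that host's clock sees a freshly issued certificate.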