[CentOS] NetworkManager wireless issues - "Failed to load root certificates"/"unable to get local issuer certificate"

Toralf Lund

toralf.lund at pgs.com
Fri Sep 2 17:27:54 UTC 2016


Hi,

I'm trying to connect my CentOS 6.8 laptop to the wireless net at work, 
which is secured with WPA2 and AES. I've done this successfully in the 
past using NetworkManager, but a new safety feature was recently 
introduced: A CA certificate is required. After this, I've not been able 
to connect. I have a DER format file, whose path I've entered in

CA certificate:

in the NetworkManager security page, but apparently, this isn't enough; 
NetworkManager will try for a while, then pop up the security/login 
dialog again. I found the following in /var/log/wpa_supplicant.log, 
which I believe is related to this issue:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/DC=com/DC=.../DC=.../CN=...'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/DC=com/DC=.../DC=.../CN=...' err='unable to get local issuer certificate'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Note: I've removed some of the "DC=" info for privacy reasons, but what 
I'm seeing there makes me think that the DER file has indeed been read.

Maybe this means I have to provide additional certificate info 
somewhere, somehow, but what would be the exact nature of the data, and 
where do I put it? I googled for some of the error messages and found 
that others have had similar issues, but the feedback given to them left 
me none the wiser. Actually, wpa_supplicant.conf updates are mentioned 
in some cases, but they appear to be related to information that I 
thought would be provided by NetworkManager in this case.

So, does anyone know more about this? What certificate or certificate 
configuration files would I need in addition to what's specified in the 
NetworkManager config? What else may be wrong?

Any help will be appreciated.

- Toralf
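
A triage helper for logs like the one quoted above, added here as an example and not part of the original post: it rejoins lines wrapped by a mail client, then reports the selected EAP method, whether the CA file failed to load, and the chain depth at which verification stopped. The function names and the subject DN are assumptions, and the sample log is constructed.

```python
import re

# Constructed sample, wrapped as a mail client would; the subject DN is a placeholder.
SAMPLE_LOG = """\
CTRL-EVENT-EAP-STARTED EAP authentication started
OpenSSL: tls_connection_ca_cert - Failed to load root certificates
error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1
subject='/DC=example/CN=Constructed Issuing CA' err='unable to get local issuer
certificate'
CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

PREFIXES = ("CTRL-EVENT-", "OpenSSL:", "TLS:", "SSL:")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \(([^)]+)\)")
CERT_ERR = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(\d+) depth=(\d+) "
                      r"subject='([^']*)' err='([^']*)'")

def unwrap(text):
    """Rejoin continuation lines: anything not starting with a known log prefix."""
    lines = []
    for raw in text.splitlines():
        part = raw.strip()
        if not part:
            continue
        if lines and not part.startswith(PREFIXES):
            lines[-1] += " " + part
        else:
            lines.append(part)
    return lines

def triage(text):
    """Summarise one EAP attempt from wpa_supplicant log text."""
    summary = {"method": None, "ca_load_failed": False,
               "cert_errors": [], "outcome": None}
    for line in unwrap(text):
        if "tls_connection_ca_cert - Failed to load root certificates" in line:
            summary["ca_load_failed"] = True
        elif (m := METHOD.search(line)):
            summary["method"] = m.group(1)
        elif (m := CERT_ERR.search(line)):
            summary["cert_errors"].append(
                {"depth": int(m.group(2)), "subject": m.group(3), "err": m.group(4)})
        elif line.startswith(("CTRL-EVENT-EAP-FAILURE", "CTRL-EVENT-EAP-SUCCESS")):
            # The last dash-separated token of the event name is the outcome.
            summary["outcome"] = line.split()[0].rsplit("-", 1)[1].lower()
    return summary
```

In OpenSSL's chain numbering depth 0 is the server certificate, so a depth=1 entry names the certificate that issued it.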