Certificate verification failed, error 19 (self signed certificate in certificate chain)
j at w1.fi
Sun Apr 1 05:29:10 EDT 2012
On Mon, Mar 12, 2012 at 03:40:09PM +0000, Michael Zintakis wrote:
> Initially - when a client tries to connect for the first time - this
> works without any glitches and the client is authenticated first time.
> After exactly 60 minutes, however, the wpa_supplicant tries to
> "re-negotiate" the connection for some reason and I get the above error,
> after which the client is briefly disconnected!
> When wpa_supplicant tries to re-authenticate again approximately 30
> seconds after the above disconnection, the authentication succeeds
> (using the same certificate/credentials which were rejected
> previously!). Judging by the wpa_supplicant logs, a "handshake" is made
> approximately every 10 minutes and this always succeeds.
That sounds quite strange.. Would it be possible to get a detailed debug
log (-ddt on wpa_supplicant command line) showing this?
> 2. I have "disabled" the "ca_cert" parameter in the wpa_supplicant.conf
> file - then re-authentication works, but the CA certificate is
> completely ignored (I have a subject match in my wpa_supplicant.conf
> file and no matter what is put there, wpa_supplicant completely ignores
> it when ca_cert parameter is disabled).
There is no point in validating subject match if you don't validate the
server certificate in the first place..
> As the ca_cert is a certificate from a certificate authority, I expect
> the certificate chain to be 1 certificate deep, thus the certificate in
> question is always self-signed. Why is the wpa_supplicant then
> complaining, given also the fact that when it tries the same process 30
> seconds later - it succeeds?! Have I missed something in my setup?
This should obviously not happen and it sounds like the authentication
server would be doing something very strange here.. Anyway, I would need
to see more debug information to see what exactly is the difference
between those two authentication attempts.
> Would it be possible to either a) fix the above error and stay connected
> for longer than 60 minutes at a time; or b) extend this re-negotiation
> time from 60 minutes to a bit longer than that so that the client does
> not get disconnected every hour?
That time is configured on the AP and/or authentication server..
Depending on what the real issue is, it may or may not be possible to
fix it in wpa_supplicant.
> W/wpa_supplicant( 582): TLS: Certificate verification failed, error 19
> (self signed certificate in certificate chain) depth 1 for
This would indicate that the certificate used by the authentication
server was not trusted at this point.. It is strange if this changes
between the re-authentication and the following authentication after
Jouni Malinen PGP id EFC895FA
More information about the HostAP