Certificate verification failed, error 19 (self signed certificate in certificate chain)

Michael Zintakis michael.zintakis at googlemail.com
Sun Apr 1 11:43:06 EDT 2012

> That sounds quite strange.. Would it be possible to get a detailed debug
> log (-ddt on wpa_supplicant command line) showing this?
I am going to have some problems with that, because Android is running 
the wpa_supplicant with a fixed command line - 
"/system/bin/wpa_supplicant -Dtiwlan0 -itiwlan0 
-c/data/misc/wifi/wpa_supplicant.conf -q" - and when I try to run this 
from the command line (via adb) I fail, quite miserably!

I also tried to do this via wpa_cli, but every time I execute "wpa_cli 
level XX", where XX is a number (I tried 2,5,99) I get this:

sh-4.1# wpa_cli level 2
Using interface 'tiwlan0'

On the slightly bright side, I am able to reproduce the problem I 
described previously quite easily by executing "wpa_cli reassociate" 
once I am connected - I get these errors instantly in the android logs, 
but the frustrating thing is that I can't alter the debug level to see more!

As for the 60-minutes re-association time, I think I found what this is: 
when I execute "wpa_cli status verbose" I get this:

Using interface 'tiwlan0'
key_mgmt=WPA2/IEEE 802.1X/EAP
Supplicant PAE state=AUTHENTICATED
Supplicant Backend state=IDLE
selectedMethod=21 (EAP-TTLS)
EAP-TTLSv0 Phase2 method=EAP-TLS

Maybe it is the heldPeriod?

>> As the ca_cert is a certificate from a certificate authority, I expect 
>> the certificate chain to be 1 certificate deep, thus the certificate in 
>> question is always self-signed. Why is the wpa_supplicant then 
>> complaining, given also the fact that when it tries the same process 30 
>> seconds later - it succeeds?! Have I missed something in my setup?
> This should obviously not happen and it sounds like the authentication
> server would be doing something very strange here.. Anyway, I would need
> to see more debug information to see what exactly is the difference
> between those two authentication attempts.
I don't think it is the server - I think it is the client as I get the 
error from this particular supplicant/client. When I use another one 
("proper" PC with the same certificate/keys/credentials, but different 
id value) I have no such problems.

>> Would it be possible to either a) fix the above error and stay connected 
>> for longer than 60 minutes at a time; or b) extend this re-negotiation 
>> time from 60 minutes to a bit longer than that so that the client does 
>> not get disconnected every hour?
> That time is configured on the AP and/or authentication server..
> Depending on what the real issue is, it may or may not be possible to
> fix it in wpa_supplicant.
I see! Would it be possible to find out where this is configured?

>> W/wpa_supplicant(  582): TLS: Certificate verification failed, error 19 
>> (self signed certificate in certificate chain) depth 1 for 
>> '/C=DE/ST=XX/L=XX/O=XX/emailAddress=XX/CN=XX'
> This would indicate that the certificate used by the authentication
> server was not trusted at this point.. It is strange if this changes
> between the re-authentication and the following authentication after
> reassociation.
The initial association - when I am not connected at all - is OK without 
problems, the above error only happens when wpa_supplicant is trying to 
re-associate after exactly 60 minutes. If I disconnect and reconnect 
just before the end of that period I don't get this error. Very strange!

More information about the HostAP mailing list