Certificate verification failed, error 19 (self signed certificate in certificate chain)
michael.zintakis at googlemail.com
Sun Apr 1 11:43:06 EDT 2012
> That sounds quite strange.. Would it be possible to get a detailed debug
> log (-ddt on wpa_supplicant command line) showing this?
I am going to have some problems with that, because Android is running
the wpa_supplicant with a fixed command line -
"/system/bin/wpa_supplicant -Dtiwlan0 -itiwlan0
-c/data/misc/wifi/wpa_supplicant.conf -q" - and when I try to run this
from the command line (via adb) I fail, quite miserably!
I also tried to do this via wpa_cli, but every time I execute "wpa_cli
level XX", where XX is a number (I tried 2,5,99) I get this:
sh-4.1# wpa_cli level 2
Using interface 'tiwlan0'
On the slightly bright side, I am able to reproduce the problem I
described previously quite easily by executing "wpa_cli reassociate"
once I am connected - I get these errors instantly in the android logs,
but the frustrating thing is that I can't alter the debug level to see more!
As for the 60-minutes re-association time, I think I found what this is:
when I execute "wpa_cli status verbose" I get this:
Using interface 'tiwlan0'
Supplicant PAE state=AUTHENTICATED
Supplicant Backend state=IDLE
EAP TLS cipher=DHE-RSA-AES256-SHA
EAP-TTLSv0 Phase2 method=EAP-TLS
Maybe it is the heldPeriod?
>> As the ca_cert is a certificate from a certificate authority, I expect
>> the certificate chain to be 1 certificate deep, thus the certificate in
>> question is always self-signed. Why is the wpa_supplicant then
>> complaining, given also the fact that when it tries the same process 30
>> seconds later - it succeeds?! Have I missed something in my setup?
> This should obviously not happen and it sounds like the authentication
> server would be doing something very strange here.. Anyway, I would need
> to see more debug information to see what exactly is the difference
> between those two authentication attempts.
I don't think it is the server - I think it is the client as I get the
error from this particular supplicant/client. When I use another one
("proper" PC with the same certificate/keys/credentials, but different
id value) I have no such problems.
>> Would it be possible to either a) fix the above error and stay connected
>> for longer than 60 minutes at a time; or b) extend this re-negotiation
>> time from 60 minutes to a bit longer than that so that the client does
>> not get disconnected every hour?
> That time is configured on the AP and/or authentication server..
> Depending on what the real issue is, it may or may not be possible to
> fix it in wpa_supplicant.
I see! Would it be possible to find out where this is configured?
>> W/wpa_supplicant( 582): TLS: Certificate verification failed, error 19
>> (self signed certificate in certificate chain) depth 1 for
> This would indicate that the certificate used by the authentication
> server was not trusted at this point.. It is strange if this changes
> between the re-authentication and the following authentication after
The initial association - when I am not connected at all - is OK without
problems, the above error only happens when wpa_supplicant is trying to
re-associate after exactly 60 minutes. If I disconnect and reconnect
just before the end of that period I don't get this error. Very strange!
More information about the HostAP