NetworkManager Wireless Issues – “Failed To Load Root Certificates”/“unable To Get Local Issuer Certificate”


Hi,

I’m trying to connect my CentOS 6.8 laptop to the wireless net at work, which is secured with WPA2 and AES. I’ve done this successfully in the past using NetworkManager, but a new safety feature was recently introduced: A CA certificate is required. After this, I’ve not been able to connect. I have a DER format file, whose path I’ve entered in

CA certificate:

in the NetworkManager security page, but apparently, this isn’t enough; NetworkManager will try for a while, then pop up the security/login dialog again. I found the following in /var/log/wpa_supplicant.log, which I believe is related to this issue:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method -> NAK
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method%
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/DC=com/DC=…/DC=…/CN=…'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/DC=com/DC=…/DC=…/CN=…' err='unable to get local issuer certificate'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Note: I’ve removed some of the “DC=” info for privacy reasons, but what I’m seeing there, makes me think that the DER file has indeed been read.

Maybe this means I have to provide additional certificate info somewhere, somehow, but what would be the exact nature of the data, and where do I put it? I googled for some of the error messages and found that others have had similar issues, but the feedback given to them left me none the wiser. Actually, wpa_supplicant.conf updates are mentioned in some cases, but they appear to be related to information that I thought would be provided by NetworkManager in this case.

So, does anyone know more about this? What certificate or certificate configuration files should I need in addition to what’s specified in the NetworkManager config? What else may be wrong?

Any help will be appreciated.

– Toralf

3 thoughts on - NetworkManager Wireless Issues – “Failed To Load Root Certificates”/“unable To Get Local Issuer Certificate”

  • You’ve definitely provided the correct CA certificate, and not accidentally provided the certificate itself?

    jh

  • I think you’re on to something, there. I actually used data exported from Windows, and I guess I ended up with (as you suggest) the “normal” certificate. Now I’ve switched to a “CA Root” .pem file for the authority, and the “Failed to load root certificates” message has gone away. But, I still get ‘unable to get local issuer certificate’.

    Don’t I need to provide the certificate itself, too? Where do I put it?

    – Toralf

  • I now realise that the same root certificate is included in /etc/pki/tls/certs/ca-bundle.crt, so maybe I shouldn’t need to specify it? Perhaps what I want is an “intermediate certificate”? Would that be the same thing as a “local issuer certificate”?

    Also, I am no longer able to reproduce the case where I got “Failed to load root certificates”.

    Let’s say I’m officially confused…

    – T
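
The question raised in the thread, whether a given file is a root CA, an intermediate CA or the server's own certificate, can be checked offline with the openssl command line. The script below is an added example, not something posted in the thread: it builds a throwaway three-level chain and shows that handing the server certificate to the verifier as the CA file reproduces "unable to get local issuer certificate", while the root that signed the chain verifies. The function names (cert_kind, verify_with, issue, make_demo_chain), the subject names and all certificates are constructed for the demonstration, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example; every name and certificate below is constructed for the demo.

# cert_kind FILE: print root-ca, intermediate-ca or leaf for a PEM or DER file.
cert_kind() {
    for form in PEM DER; do
        openssl x509 -in "$1" -inform "$form" -noout 2>/dev/null && break
        form=
    done
    [ -n "$form" ] || { echo not-a-certificate; return 1; }
    subj=$(openssl x509 -in "$1" -inform "$form" -noout -subject_hash)
    iss=$(openssl x509 -in "$1" -inform "$form" -noout -issuer_hash)
    if openssl x509 -in "$1" -inform "$form" -noout -text | grep -q 'CA:TRUE'; then
        if [ "$subj" = "$iss" ]; then echo root-ca; else echo intermediate-ca; fi
    else
        echo leaf
    fi
}

# verify_with CAFILE SERVER_CERT [INTERMEDIATE]: offline version of the chain check.
verify_with() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1
}

# issue NAME EXT_SECTION SIGNER CN: sign a new key's CSR with SIGNER (uses $d).
issue() {
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes -keyout "$d/$1.key" \
        -out "$d/$1.csr" -subj "/CN=$4" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions "$2" -out "$d/$1.pem" -days 2 2>/dev/null
}

# make_demo_chain DIR: constructed root -> issuing CA -> server certificate.
make_demo_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' \
        'basicConstraints=critical,CA:TRUE' '[leaf]' 'basicConstraints=CA:FALSE' > "$d/cfg"
    openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj '/CN=Demo Root CA' -days 2 2>/dev/null
    issue int ca root 'Demo Issuing CA'
    issue leaf leaf int 'radius.example.test'
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.der"  # DER copy of the root
}

demo_dir=$(mktemp -d) && make_demo_chain "$demo_dir"
for f in root.der int.pem leaf.pem; do echo "$f: $(cert_kind "$demo_dir/$f")"; done
verify_with "$demo_dir/leaf.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem" || true  # server cert as CA
verify_with "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem"          # signing root as CA
rm -rf "$demo_dir"
```

Running cert_kind on the file entered in the "CA certificate" field shows which of the three it is before NetworkManager is involved at all.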