Topic: Problem with VPN after new certificate (SOLVED)

[Jeppe Fugl]

Hi There

I am using CA Cert as described in the howto and recently renewed my certificate. After that point I am not able to connect through VPN (web, ssh works fine)

I found the following in the /var/log/radius/radius.log:

Sun Jul  6 18:57:33 2008 : Info: Using deprecated naslist file.  Support for this will go away soon.
Sun Jul  6 18:57:33 2008 : Error: rlm_eap_tls: Error reading Trusted root CA list
Sun Jul  6 18:57:33 2008 : Error: rlm_eap: Failed to initialize type tls
Sun Jul  6 18:57:33 2008 : Error: radiusd.conf[11]: eap: Module instantiation failed.

The certificate for radius i located in /etc/raddb/certs/radiusd.pem and it is constantly being overwritten. The content looks wrong I think (but I am not sure)

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------

-----BEGIN RSA PRIVATE KEY-----
ksøæsdfåpsdofsdf
-----END RSA PRIVATE KEY-----
læøksdføklsføkæsdøfkæsødf


Does anyone have an idea where to start ?


Best Regards,
Jeppe

[cactus]

Hi There

I am using CA Cert as described in the howto and recently renewed my certificate. After that point I am not able to connect through VPN (web, ssh works fine)

What howto? There are several and I guess you either skipped a step somewhere or taken the instructions a bit to liberal. If there is an error in the insctructions it would be nice to know where it is so we can see if we can fix them.

The certificate for radius i located in /etc/raddb/certs/radiusd.pem and it is constantly being overwritten. The content looks wrong I think (but I am not sure)

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------

-----BEGIN RSA PRIVATE KEY-----
ksøæsdfåpsdofsdf
-----END RSA PRIVATE KEY-----
læøksdføklsføkæsdøfkæsødf


Does anyone have an idea where to start ?


Best Regards,
Jeppe

That file clearly states that you should not modify it, that includes overwriting it with your version as the files are templated.

[Jeppe Fugl]

I was using the howto: http://wiki.contribs.org/Custom_CA_Certificate

Everything worked fine until I recently renewed my certificate. When I did these steps again.

cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
 
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt

signal-event console-save


I know not to modify this file, but I you could tell me which template is used or why it is overwritten every second I would help me much more.

[cactus]

I was using the howto: http://wiki.contribs.org/Custom_CA_Certificate

Everything worked fine until I recently renewed my certificate. When I did these steps again.

cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
 
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt

signal-event console-save


I know not to modify this file, but I you could tell me which template is used or why it is overwritten every second I would help me much more.

Did you also copy the key?

[Jeppe Fugl]

Problem solved:

I forgot the

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

in my certificate file. Now everything works fine. Funny that the web server did not care about that.

[cactus]

Funny that the web server did not care about that.

As long as it does not restart it will not try and reload the certificate...