Context (skip if you want, just here to avoid A-B problem):
I recently switched to NixOS from Alpine Linux, and have had a bit of a headache trying to get eduroam to work, trying the CAT script, manual setup, and eduroam-flake, all of which led to Plasma telling me my password was wrong, when I 100% knew it was correct. I suspected it was a certificate issue though (and I was later proven correct), but neither the CAT-script-provided certificate nor /etc/ssl/certs/ca-bundle.crt worked.
However, the university’s IT hub told me I should try to find a certificate named along the lines of “Sectigo Public Server Authentication CA OV” in locations like /etc/ssl/certs, /etc/pki/tls/certs/, and /usr/share/ca-certificates/, none of which had a certificate like this. On my previous distro though, Alpine Linux, there was a collection of individual certificates in /etc/ssl/certs (via the ca-certificates package, where each certificate file was a link to the certificate in /usr/share/ca-certificates/mozilla/), with ca-cert-Sectigo_Public_Server_Authentication_Root_R46.pem being the one I selected while I was using Alpine, and eduroam worked. As I couldn’t find a package that provided the unbundled certificates, I tried what I thought was a long shot, and copied the certificate file from an Alpine Linux container to my home directory, set it as CA Certificate for eduroam, and to my surprise, that fixed the issue.
My current problem:
I obviously don’t want to have to commit this certificate file to my NixOS configuration, so I want to know if there is a package where I can get the unbundled certificates from Mozilla’s CA Certificate Program (as that’s what Alpine Linux does) so I can set my network manager configuration to point to the specific certificate I need, or is there some better way to fix the original problem?
There are two certificates named “Sectigo Public Server Authentication” in the Mozilla CA bundle that are marked for serverAuth usage, so these are probably what they’re talking about. Since they’re already in the system trust store, you shouldn’t have anything to do: NetworkManager should already trust them.
You should try to find out what the error actually is, checking the logs of NetworkManager and wpa_supplicant, and maybe set them to debug mode if needed. It sounds like you’re trying to solve something that isn’t the issue.
When I didn’t have any CA certificate set in the network settings though, the connection didn’t work.
I did look at journalctl -xb:
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: SME: Trying to authenticate with {REDACTED EDUROAM MAC} (SSID='eduroam' freq=5320 MHz)
Jan 23 14:36:40 gram kernel: wlp0s20f3: authenticate with {REDACTED EDUROAM MAC} (local address={REDACTED LOCAL MAC})
Jan 23 14:36:40 gram kernel: wlp0s20f3: send auth to {REDACTED EDUROAM MAC} (try 1/3)
Jan 23 14:36:40 gram kernel: wlp0s20f3: authenticated
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: Trying to associate with {REDACTED EDUROAM MAC} (SSID='eduroam' freq=5320 MHz)
Jan 23 14:36:40 gram kernel: wlp0s20f3: associate with {REDACTED EDUROAM MAC} (try 1/3)
Jan 23 14:36:40 gram kernel: wlp0s20f3: RX AssocResp from {REDACTED EDUROAM MAC} (capab=0x1011 status=0 aid=3)
Jan 23 14:36:40 gram kernel: wlp0s20f3: associated
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: Associated with {REDACTED EDUROAM MAC}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R4>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST={REDACTED COUNTY}/O={REDACTED NAME OF UNIVERSITY}/CN={REDACTED DOMAIN 1} h>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 1}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 2}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 3}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 4}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 5}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 6}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 7}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 8}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 9}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:{REDACTED DOMAIN 10}
Jan 23 14:36:40 gram wpa_supplicant[1291]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=GB/O=Sectigo Limited>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authenti>
Jan 23 14:36:40 gram wpa_supplicant[1291]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 23 14:36:40 gram wpa_supplicant[1291]: OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed
Jan 23 14:36:40 gram kernel: wlp0s20f3: Limiting TX power to 23 (23 - 0) dBm as advertised by {REDACTED EDUROAM MAC}
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 23 14:36:40 gram kernel: wlp0s20f3: deauthenticated from {REDACTED EDUROAM MAC} (Reason: 23=IEEE8021X_FAILED)
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid={REDACTED EDUROAM MAC} reason=23
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: Added BSSID {REDACTED EDUROAM MAC} into ignore list, ignoring for 10 seconds
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: BSSID {REDACTED EDUROAM MAC} ignore list count incremented to 2, ignoring for 10 seconds
Jan 23 14:36:43 gram systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Which is what led me to believe this was a certificate issue. This error happened when using the certificate provided by the CAT script. I can try to see if the error when using /etc/ssl/certs/ca-bundle.crt is any different on Monday.
Yeah, the KDE Plasma error led me to believe that too, until I saw the journalctl logs; sorry I forgot to include/mention them in my original post.
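The log above carries the whole diagnosis once you read the right lines: the server chain is reported per depth (CTRL-EVENT-EAP-PEER-CERT / -PEER-ALT), then OpenSSL reports verify error 20 at the top of that chain, then EAP fails. Here is an added example, not code from any post in this thread or from wpa_supplicant, that parses those lines and states the failure in plain terms. SAMPLE is constructed to mirror the log above, with invented example.ac.uk names in place of the redacted ones and the same '>' truncation that journalctl's pager leaves at the end of long lines; VERIFY_ADVICE is this example's own mapping of a few common OpenSSL verify codes to the usual fix.

```python
"""Summarise a wpa_supplicant EAP (PEAP/TLS) attempt from journalctl lines.

Added example for this thread, not code from any post or from wpa_supplicant.
"""
import re
import sys
from typing import Dict, List

# journalctl truncates long lines with a trailing '>' when it pages output, so a
# subject may end early and lack its closing quote; "[^']*" tolerates that.
EAP_METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor (\d+) method (\d+) \((\w+)\)")
PEER_CERT = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)")
PEER_ALT = re.compile(r"CTRL-EVENT-EAP-PEER-ALT depth=(\d+) (\w+:\S+)")
VERIFY_FAIL = re.compile(
    r"TLS: Certificate verification failed, error (\d+) \(([^)]*)\) depth (\d+)")
EAP_RESULT = re.compile(r"CTRL-EVENT-EAP-(SUCCESS|FAILURE)")

# OpenSSL X509 verify codes commonly seen in 802.1X failures, with the usual
# remedy (this example's own table; anything else falls back to the logged text).
VERIFY_ADVICE = {
    10: "a certificate in the chain has expired: check the clock and the server cert",
    18: "the server sent a self-signed leaf: pin that exact certificate as ca_cert",
    19: "the chain ends in a self-signed root that is not in the configured CA set",
    20: "the issuer of the certificate at this depth is not in the configured CA set "
        "(wrong ca_cert file, or the system trust store is not being consulted)",
    21: "only the leaf was sent and its issuer is unknown: the server omits intermediates",
    62: "server name mismatch: check domain_suffix_match / altsubject_match",
}

# Constructed sample mirroring the journal excerpt in the thread (names invented).
SAMPLE = """\
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R4>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST=Exampleshire/O=Example University/CN=radius.example.ac.uk h>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.example.ac.uk
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius2.example.ac.uk
Jan 23 14:36:40 gram wpa_supplicant[1291]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=GB/O=Sectigo Limited>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authenti>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""


def verdict(summary: Dict) -> str:
    """Turn the parsed verify error into one sentence a human can act on."""
    err = summary["error"]
    if err is None:
        if summary["eap_result"] == "FAILURE":
            return "EAP failed without a TLS verify error: look at the inner method (credentials, phase2)"
        return "no TLS verification error logged"
    where = f"depth {err['depth']}"
    # If the failing depth is the highest one the server sent, the problem is on
    # our side (trust anchors), not a broken chain from the server.
    if summary["chain"] and err["depth"] == max(summary["chain"]):
        where += " (the top of the chain the server sent)"
    advice = VERIFY_ADVICE.get(err["code"], "see the logged OpenSSL reason text")
    return f"verify error {err['code']} '{err['text']}' at {where}: {advice}"


def summarize_eap(lines: List[str]) -> Dict:
    """Collect method, presented chain (by depth), verify error and EAP outcome."""
    chain: Dict[int, Dict] = {}
    summary: Dict = {"method": None, "chain": chain, "error": None, "eap_result": None}

    def entry(depth: str) -> Dict:
        return chain.setdefault(int(depth), {"subject": None, "sans": []})

    for line in lines:
        if m := EAP_METHOD.search(line):
            summary["method"] = m.group(3)
        elif m := PEER_CERT.search(line):
            entry(m.group(1))["subject"] = m.group(2)
        elif m := PEER_ALT.search(line):
            entry(m.group(1))["sans"].append(m.group(2))
        elif m := VERIFY_FAIL.search(line):
            summary["error"] = {"code": int(m.group(1)), "text": m.group(2), "depth": int(m.group(3))}
        elif m := EAP_RESULT.search(line):
            summary["eap_result"] = m.group(1)
    summary["verdict"] = verdict(summary)
    return summary


if __name__ == "__main__":
    # Pipe in 'journalctl -b _COMM=wpa_supplicant' output; with no input, the sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    s = summarize_eap(data.splitlines())
    print(f"method: {s['method']}  result: {s['eap_result']}")
    for depth in sorted(s["chain"], reverse=True):
        c = s["chain"][depth]
        sans = f"  SAN={', '.join(c['sans'])}" if c["sans"] else ""
        print(f"  depth {depth}: {c['subject']}{sans}")
    print(s["verdict"])
```

Run on the sample it reports the PEAP method, the leaf with its SANs, the root at depth 2, and the verdict that the issuer at the top of the chain is missing from the configured CA set, which is exactly the distinction between "my password is wrong" (what Plasma shows) and "my supplicant has no trust anchor for this server" (what the log says).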
I’m not sure if this will actually work, but I think it may be a way to bypass whatever method NetworkManager and wpa_supplicant use to tell openssl where to look for the CA roots.
EDIT:
I’ve looked a bit into how NetworkManager works, and it seems to have an option system-ca-certs (defaults to false) to use the system trust store. I think I must put something like
[802-1x]
system-ca-certs=true
in the /etc/NetworkManager/system-connections/eduroam file.
Unless this somehow interferes with self-signed certs, I don’t see why the system trust root shouldn’t be used by default; it’s kind of surprising.
I will look into this.
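Whether you point the connection at ca-bundle.crt or enable system-ca-certs, the underlying question from the original post stays the same: is the root the server chain ends in actually present in that bundle, and can it be pulled out as a single file if a profile needs one? The following is an added example, not code from any post here nor from nixpkgs or NetworkManager: it splits a PEM bundle into its certificates, uses the standard-library ssl module to read each one's subject and issuer, reports every CA certificate whose CN contains a given string, and optionally writes the first match to its own .pem. SAMPLE_BUNDLE is a constructed fixture with placeholder base64 bodies, used only to exercise the splitter; run the script against a real bundle path for the lookup.

```python
"""List and extract individual CA certificates from a PEM bundle.

Added example for this thread, not code from any post or from nixpkgs.
"""
import ssl
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed fixture: the base64 bodies are placeholders, not real certificates,
# so it only serves to test the splitter, not the OpenSSL-backed lookup.
SAMPLE_BUNDLE = """\
# Name: Example Root A
-----BEGIN CERTIFICATE-----
QUJDREVGRw==
-----END CERTIFICATE-----
# Name: Example Root B
-----BEGIN CERTIFICATE-----
SElKS0xNTg==
-----END CERTIFICATE-----
"""


def split_pem_bundle(text: str) -> List[str]:
    """Return each PEM certificate block (markers included) in bundle order.
    Comment lines between blocks, as in Mozilla-derived bundles, are skipped."""
    blocks: List[str] = []
    current: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside, current = True, [line]
        elif line == END and inside:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            inside = False
        elif inside:
            current.append(line)
    return blocks


def cn_of(name: Tuple) -> Optional[str]:
    """Pull commonName out of the nested-tuple name format that
    ssl.SSLContext.get_ca_certs() and SSLSocket.getpeercert() return."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def describe_block(pem: str) -> Optional[Dict]:
    """Decode one PEM block through OpenSSL. Returns None for blocks that do not
    parse or are not CA certificates (get_ca_certs only reports CA-flagged certs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem)
    except (ssl.SSLError, ValueError):
        return None
    certs = ctx.get_ca_certs()
    if not certs:
        return None
    info = certs[0]
    return {"subject_cn": cn_of(info["subject"]), "issuer_cn": cn_of(info["issuer"]),
            "not_after": info.get("notAfter"), "pem": pem}


def find_in_bundle(text: str, cn_substring: str) -> List[Dict]:
    """All CA certificates in the bundle text whose subject CN contains cn_substring."""
    needle = cn_substring.lower()
    found = []
    for pem in split_pem_bundle(text):
        desc = describe_block(pem)
        if desc and desc["subject_cn"] and needle in desc["subject_cn"].lower():
            found.append(desc)
    return found


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} BUNDLE.crt CN_SUBSTRING [OUT.pem]", file=sys.stderr)
        return 2
    matches = find_in_bundle(Path(argv[1]).read_text(), argv[2])
    for m in matches:
        print(f"{m['subject_cn']!r}  issuer={m['issuer_cn']!r}  notAfter={m['not_after']}")
    if not matches:
        print("no CA certificate with that CN in the bundle", file=sys.stderr)
        return 1
    if len(argv) > 3:
        # Only the first match is written; a CN substring can match several certs.
        Path(argv[3]).write_text(matches[0]["pem"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python3 bundle_lookup.py /etc/ssl/certs/ca-bundle.crt "Sectigo Public Server Authentication"` (the script name is whatever you save it as) prints the CA certificates matching that name, or exits 1 if none is in the bundle, which is the quickest way to tell whether the wpa_supplicant error means "the bundle lacks the root" or "the bundle was never consulted". A root whose subject CN matches but whose issuer CN differs is an intermediate (CA OV R36 is issued by Root R46), so the one to pin as ca_cert is the self-issued entry.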
Just wanted to report I’m getting a similar issue connecting to my university’s IKEv2 IPsec VPN; I had to download the certificates and set certificate= in the system-connection. It’s still failing to connect, but it passed the certificate checks, so it is likely a different issue.
Do we know if there is any reason the following certs aren’t bundled?
Sectigo Public Server Authentication CA OV R36
Sectigo Public Server Authentication Root R46
Is there any way to get these bundled?
EDIT: I added the cacert package and now it seems like only the Sectigo legacy certificates are the issue: