Need unbundled CA certificates to connect to eduroam

rnhmjoj · January 23, 2026, 9:13pm

Kladky:

Jan 23 14:36:40 gram wpa_supplicant[1291]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=GB/O=Sectigo Limited>
Jan 23 14:36:40 gram wpa_supplicant[1291]: wlp0s20f3: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authenti>
Jan 23 14:36:40 gram wpa_supplicant[1291]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 23 14:36:40 gram wpa_supplicant[1291]: OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed

Ah ok, it does look the certificate it’s the problem, then.

Are you on NixOS unstable? if so, try setting

systemd.services.wpa_supplicant.environment.SSL_CERT_FILE="/etc/ssl/certs/ca-bundle.crt";

Otherwise, set this:

systemd.services.NetworkManager.environment.SSL_CERT_FILE="/etc/ssl/certs/ca-bundle.crt";

I’m not sure if this will actually work, but I think it may be a way to bypass whatever method NetworkManager and wpa_supplicant use to tell openssl where to look for the CA roots.

EDIT:

I’ve looked a bit into how NetworkManager works, and it seems to have an option system-ca-certs (defaults to false) to use the system trust store. I think must put something like

[802-1x]
system-ca-certs=true

in the /etc/NetworkManager/system-connections/eduroam file.