Hello,
We use Let's Encrypt certificates for the Eduroam service with EAP-PEAP authentication via RADIUS (Remote Authentication Dial In User Service). It works except in about 20% of cases. One of the problems is caused by Microsoft Windows 10 systems, where the user gets the error:
0x80420203 - The server certificate being used for authentication has been revoked
E.g., on Windows 11, Linux or iOS it works fine. The LE certificates are correctly issued and signed by the ISRG Root X1 certificate. Moreover, we can see that the ISRG Root X1 certificate is installed on the Windows 10 system, but I am aware that Windows has several certificate stores.
Does anyone know a solution for this problem other than forcibly updating to Windows 11?
Well, the error message indicates the server's certificate has been revoked. Has it been?
You can check https://crt.sh/ to see if it's been revoked.
_az
October 26, 2022, 8:19pm
#4
Which certificate chain is your RADIUS server sending?
"Certificate → R3 → ISRG Root X1 (cross-sign)" or the shorter "Certificate → R3" one?
It should send the whole chain, but I will double-check this tomorrow.
EAPTLS_CertificateChainFile %{GlobalVar:ConfigDir}/certs/fullchain.pem
EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/privkey.pem
BTW, it is not the ISRG Root X1 cross-sign but the self-signed one; I don't know if I can get an LE cert signed by the cross-signed X1?
_az
October 27, 2022, 8:22am
#6
The default certificate chain that Let's Encrypt sends today contains the "ISRG Root X1" certificate cross-signed by "DST Root CA X3".
It might be helpful to post the contents of your fullchain.pem.
I originally asked this question because there is a version of R3 which is revoked, but it's probably super unlikely that you're encountering that.
fullchain.pem (4.0 KB)
Here it is. BTW, I see it actually does not contain the ISRG Root X1 certificate, only R3.
On the Linux box using wpa_supplicant, I can see:
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Internet Security Research Group/CN=ISRG Root X1' hash=96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Let's Encrypt/CN=R3' hash=67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.muni.cz' hash=a38d8a6f5c0f9838fcd351c8ed14aec8e3aaa61f76f2eb09290f7220a4dff1da
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:hellion.ics.muni.cz
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.muni.cz
Oct 27 10:49:42 anubis wpa_supplicant[591]: EAP-MSCHAPV2: Authentication succeeded
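As an added example (not code from this thread, nor from wpa_supplicant or the RADIUS server), here is a small Python parser for the wpa_supplicant CTRL-EVENT-EAP-PEER-CERT and CTRL-EVENT-EAP-PEER-ALT lines quoted above. It rebuilds the chain the client validated, flags fingerprints that did not survive log wrapping intact (they should be 64 hex characters), checks that the leaf CN is covered by a DNS SAN, and compares the number of certificates in a fullchain.pem with the number of logged depths to tell whether the top of the chain came from the server or from the client's own trust store. The log text is constructed from the lines in the post, and the two-block fullchain.pem is a constructed placeholder (the PEM bodies are not real certificates).

```python
"""Summarise the certificate chain a wpa_supplicant client validated during EAP.
Added example; the sample log and the placeholder fullchain.pem are constructed."""
import re
from typing import Dict, List

CERT_RE = re.compile(
    r"CTRL-EVENT-EAP-PEER-CERT depth=(?P<depth>\d+) subject='(?P<subject>.*?)' hash=(?P<hash>[0-9a-fA-F]+)"
)
ALT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-ALT depth=(?P<depth>\d+) (?P<kind>[A-Za-z]+):(?P<value>\S+)")
METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \((?P<name>[^)]+)\) selected")
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample: the wpa_supplicant lines from the post, with the wrapped hashes rejoined.
SAMPLE_LOG = """\
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Internet Security Research Group/CN=ISRG Root X1' hash=96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Let's Encrypt/CN=R3' hash=67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.muni.cz' hash=a38d8a6f5c0f9838fcd351c8ed14aec8e3aaa61f76f2eb09290f7220a4dff1da
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:hellion.ics.muni.cz
Oct 27 10:49:42 anubis wpa_supplicant[591]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.muni.cz
Oct 27 10:49:42 anubis wpa_supplicant[591]: EAP-MSCHAPV2: Authentication succeeded
"""

# Constructed placeholder for a short-chain fullchain.pem (leaf + R3); bodies are not real certificates.
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-R3-INTERMEDIATE-BODY
-----END CERTIFICATE-----
"""


def parse_subject(subject: str) -> Dict[str, str]:
    """Turn "/C=US/O=Let's Encrypt/CN=R3" into {'C': 'US', 'O': "Let's Encrypt", 'CN': 'R3'}."""
    parts: Dict[str, str] = {}
    for rdn in subject.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        parts[key] = value
    return parts


def summarize_chain(log_text: str) -> dict:
    """Collect the per-depth certificates, SANs and EAP method, plus a list of problems found."""
    certs: Dict[int, dict] = {}
    sans: List[str] = []
    method = None
    for line in log_text.splitlines():
        if m := METHOD_RE.search(line):
            method = m.group("name")
        if m := CERT_RE.search(line):
            certs[int(m.group("depth"))] = {
                "subject": parse_subject(m.group("subject")),
                "hash": m.group("hash").lower(),
            }
        if (m := ALT_RE.search(line)) and m.group("kind") == "DNS" and m.group("depth") == "0":
            sans.append(m.group("value"))

    problems: List[str] = []
    depths = sorted(certs)
    if not depths:
        problems.append("no CTRL-EVENT-EAP-PEER-CERT events found")
    elif depths != list(range(depths[-1] + 1)):
        problems.append(f"non-contiguous depths {depths}")
    for depth, cert in certs.items():
        if len(cert["hash"]) != 64:  # SHA-256 fingerprint; anything else means a wrapped or truncated line
            problems.append(f"depth {depth}: fingerprint has {len(cert['hash'])} hex chars, expected 64")
    leaf_cn = certs[0]["subject"].get("CN") if 0 in certs else None
    if leaf_cn and sans and leaf_cn not in sans:
        problems.append(f"leaf CN {leaf_cn} not present in DNS SANs {sans}")

    return {
        "method": method,
        # Root (highest depth) first. Note: wpa_supplicant logs the chain as OpenSSL built it,
        # so the top entry may be the client's local trust anchor rather than a server-sent cert.
        "chain": [certs[d]["subject"].get("CN") for d in reversed(depths)],
        "depths": depths,
        "leaf_cn": leaf_cn,
        "sans": sans,
        "authenticated": "EAP-MSCHAPV2: Authentication succeeded" in log_text,
        "problems": problems,
    }


def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks the server's chain file will send."""
    return len(PEM_CERT_RE.findall(pem_text))


def chain_completed_from_local_store(pem_text: str, summary: dict) -> bool:
    """True when the client validated more certificates than the chain file holds, i.e.
    the top of the logged chain came from the client's own trust store, not the server."""
    return len(summary["depths"]) > count_pem_certificates(pem_text)


if __name__ == "__main__":
    summary = summarize_chain(SAMPLE_LOG)
    print(summary)
    print("server chain blocks:", count_pem_certificates(SAMPLE_FULLCHAIN))
    print("anchor supplied locally:", chain_completed_from_local_store(SAMPLE_FULLCHAIN, summary))
```

For the log and chain file in this thread the chain file holds two certificates (leaf and R3) while the client logs three depths, which is what the short chain looks like from the client side: the ISRG Root X1 at depth 2 is the Linux box's own trust anchor, not something the RADIUS server sent, so a client that cannot find that anchor in the store its EAP supplicant consults will not build the same path.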
_az
October 27, 2022, 8:55am
#9
You're on the short chain. It looks fine; I don't know why Windows would complain about revocation.
Are those problematic Windows 10 machines able to load https://valid-isrgrootx1.letsencrypt.org:443 okay? Is there some way to make your RADIUS client try to connect to that host and port and see whether it hits a TLS verification error? And whether it's a different output from https://helloworld.letsencrypt.org:443/?
In the browser, there is no problem on Windows 10:
The result is the same for helloworld.letsencrypt.
system
Closed
November 26, 2022, 3:09pm
#11
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.