RADIUS on Mac Server El Capitan / problem on iOS devices

After some fiddling I managed to get Let’s Encrypt SSL certificates working on my Mac Mini Server running the latest copy of El Capitan. I have set up an alias for the .well-known folder to circumvent the problem that the built-in Apache server did not serve the hidden folder, and a cron job which updates the certificate on a regular basis. All I have to do is manually switch from one certificate to the next in the Server app every other month.

This setup works fine for my websites and web services I have set up using the Server app (calendar, contacts, etc.).

Then I tried to use the certificate to enable RADIUS authentication in conjunction with my AirPort base station for my household members. Setup worked fully automatically and smoothly via the Server app. When I log in using RADIUS authentication from my MacBook, this works fine. I get to see the certificate once to confirm it and it works. There is no error or complaint from OS X concerning the certificate.

When I try to log in the same way using an iOS device, I get a message that the certificate is not trusted. Does anyone have an idea why this might happen and what to do about it? Is someone else using LE for RADIUS services? I could continue and agree to use the untrusted certificate until it is renewed - but that would not solve the underlying problem…

Thanks a lot for your help!

I don’t know for sure, but I suspect that this could happen because you are missing the full certificate chain.

Have you tried setting the certificate_file option to fullchain.pem instead of cert.pem?

Dear Kohenkatz - thanks for the reply and suggestion.

I found no way to directly import the certificate into my Mac server, so I am converting the output of LE using OpenSSL and importing it into the keychain of my Mac to have it available in the Certificates tab of my Server app. This was suggested in another discussion I found in this forum.

Maybe I have to tweak something during the conversion or import?

openssl pkcs12 -export -inkey /etc/letsencrypt/live/###/privkey.pem -in /etc/letsencrypt/live/###/cert.pem -certfile /etc/letsencrypt/live/###/fullchain.pem -out /etc/letsencrypt/live/###/letsencrypt_sslcert.p12 -passout pass:%%%

security import /etc/letsencrypt/live/###/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P %%% -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
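Added example, not code from either poster: a stdlib-only Python check that tells a lone leaf certificate (the cert.pem shape) apart from a leaf followed by its issuer (the fullchain.pem shape), which is the difference kohenkatz points at above and the usual reason an EAP client that cannot fetch the intermediate itself reports the server certificate as untrusted. The certificates it constructs are X.509-shaped dummies, not Let’s Encrypt material, and radius.example.test is a placeholder hostname.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    """Decode one DER TLV header at pos -> (tag, header_start, value_start, value_end)."""
    tag, length, start = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(data[start:start + n], "big"), start + n
    return tag, pos, start, start + length
def _children(data, start, end):
    """List the TLVs packed inside a constructed value."""
    items = []
    while start < end:
        items.append(_tlv(data, start))
        start = items[-1][3]
    return items
def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    tbs = _children(der, *_tlv(der, 0)[2:])[0]         # tbsCertificate is the first element
    fields = _children(der, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]              # serial, sigAlg, issuer, validity, subject
    return der[issuer[1]:issuer[3]], der[subject[1]:subject[3]]
def chain_report(pem):
    """Describe a PEM bundle in file order: cert count, issuer->subject linkage, leaf-only flag."""
    pem = pem.encode() if isinstance(pem, str) else pem
    names = [issuer_and_subject(base64.b64decode(b"".join(m.split()))) for m in PEM_RE.findall(pem)]
    return {"count": len(names),
            "linked": all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1)),
            "leaf_only": len(names) == 1 and names[0][0] != names[0][1]}

# --- constructed sample data: X.509-shaped DER carrying only the fields the parser reads ---
def _enc(tag, body):                                    # DER TLV for bodies shorter than 256 bytes
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])) + body
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject) + _enc(0x30, b""))
    der = _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF = fake_cert_pem("radius.example.test", "Fake Intermediate")    # placeholder hostname
INTERMEDIATE = fake_cert_pem("Fake Intermediate", "Fake Root")
CERT_PEM, FULLCHAIN_PEM = LEAF, LEAF + INTERMEDIATE                   # the cert.pem and fullchain.pem shapes
```

Real certificates parse the same way, since only the field order of tbsCertificate is used; pointing chain_report at the PEM the RADIUS configuration actually references (or at the certificate exported back out of the keychain) shows whether the intermediate is in the bundle the server can present.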

As far as I know, OS X is running a mostly-unmodified FreeRADIUS. That means you should be able to edit its config file to point directly to the LetsEncrypt certificate.

I don’t have a Mac server in front of me right now, so I can’t give you much more than that.


That sounds interesting - I will give it a try. Thank you very much!
