I’ve been using Tumbleweed for almost a year. Some time ago my corporate wifi connection broke. Today I’ve finally tried to fix it. Unfortunately I’m stuck on this error in wpa_supplicant.log:
wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
OpenSSL: SSL_use_certificate_file (PEM) –> OK
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key ‘PATH_TO_MY_KEY.key’
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
I’m running latest snapshot (20180606), wpa_supplicant is in version 2.6, openssl in 1.1.0h
Yes, the sysadmins at your work. We have no insight in the configuration options they have chosen. FWIW, I use two EAP based networks at customers, and they both have different setups, but do work fine with the settings provided by their admins.
Your network connection is mis-configured, most likely it’s missing the certificates necessary to authenticate your connection.
Those certificates should have been provided to you.
How you fix this would largely depend on how you connect to your network…
Some systems distribute an entire network client.
Others distribute a package that contains the certificate and configuration files.
Others distribute only the certificates with instructions how to complete the configuration using a generic client like Network Manager.
If you set up Network Manager,
You should be able to create a new connection, and specify a connection type that supports EAP/802.11x
I’m afraid that this is not a problem with my configuration/certificates. I’ve tried them on other distributions and set NetworkManager same way as right now. I’ve also tried my sysadmins but theirs knowledge about linuxes was quite limited :? as we can use linuxes only if we can configure them ourselves.
We’ve got an instruction how to set it all up but it’s not working on OpenSuse (I’m not the only one having this problem, a colleague has Leap 15 and experiences the same behavior).
Download our company root CA, add it to /etc/pki/tls/certs/CERTNAME.crt
Generate our private certificates via our special tool (I’m certain that my certs are ok - I’ve been able to connect with them on Fedora)
Set up NetworkManager according to screenshot.
And no, obviously I did not set my path literally to ‘PATH_TO_MY_KEY’
I’ve done some research before I came here for help, some of the sources suggested that it might be connected with openssl having problems with accessing private key with passphrase.
wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
OpenSSL: SSL_use_certificate_file (PEM) –> OK OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key ‘PATH_TO_MY_KEY.key’
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
I’ve set what I feel is the critical error in RED.
If you then do an Internet search, you’ll return a number of possible solutions…
ie, Convert from PEM to DER, verify file has no invisible spaces(speaking of which, if the file has passed through any Windows machines, until Apr 2018 Microsoft apps always installed invisible line characters in text documents), removing the BEGIN and END tags
eg
Many of the following search results describe different scenarios than yours but you should strip out the other stuff like whether it’s for Apache, developing for Android or Java, etc and focus on the <preparing> certificate part…
Also, consider the possibility that Tumbleweed’s always bleeding edge use of openSSL means that its version may have features your other machines haven’t seen yet… So, your SysAdmins might for instance need to create a new certificate on a machine running an OS at least as new as TW… But bother your SysAdmins only as last resort and try all the other fixes you can find first.
It must be some kind of problem with my private key. What is strange that on other distributions my files work correctly so it’s probably some problem with openssl/wpa_supplicant.