Arch Linux

sharda

Member

Registered: 2024-05-08

Posts: 6

Error connecting to EDUROAM with IWD: (bad_certificate)

I am trying to connect to eduroam (the wifi of my university) with IWD as it's explained in the wiki, but after several days of trail and error, I am unable to connect.

My config file for connecting to the wifi is: (name: /var/lib/iwd/eduroam.8021x)

[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@uva.es
EAP-TTLS-CACert=/var/lib/iwd/ca.pem
EAP-TTLS-ServerDomainMask=radius.uva.es
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=**********@uva.es
EAP-TTLS-Phase2-Password=*************

[Settings]
AutoConnect=true

and the journal:

may 08 12:45:26 ALF iwd[430]: event: state, old: autoconnect_full, new: connecting
may 08 12:45:27 ALF iwd[430]: hardware_rekey not supported
may 08 12:45:27 ALF iwd[430]: event: state, old: connecting, new: connecting (netconfig)
may 08 12:45:27 ALF iwd[430]: event: state, old: connecting (netconfig), new: connected
may 08 12:50:07 ALF iwd[430]: Error loading /var/lib/iwd//eduroam.8021x
may 08 12:50:17 ALF iwd[430]: event: state, old: connected, new: disconnecting
may 08 12:50:17 ALF iwd[430]: event: state, old: disconnecting, new: disconnected
may 08 12:50:17 ALF iwd[430]: event: connect-info, ssid: eduroam, bss: fc:ec:da:d5:19:38, signal: -60, load: 9/255
may 08 12:50:17 ALF iwd[430]: event: state, old: disconnected, new: connecting
may 08 12:50:18 ALF iwd[430]: TTLS: Tunnel has disconnected with alert: bad_certificate
may 08 12:50:19 ALF iwd[430]: EAP completed with eapFail
may 08 12:50:19 ALF iwd[430]: 4-Way handshake failed for ifindex: 2, reason: 23
may 08 12:50:19 ALF iwd[430]: event: connect-failed, reason: 23
may 08 12:50:19 ALF iwd[430]: event: state, old: connecting, new: disconnected
may 08 12:50:19 ALF iwd[430]: event: state, old: disconnected, new: autoconnect_quick
may 08 12:50:21 ALF iwd[430]: error parsing VHT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing HT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing non-HT rates
may 08 12:50:21 ALF iwd[430]: error parsing VHT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing HT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing non-HT rates
may 08 12:50:21 ALF iwd[430]: error parsing VHT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing HT capabilities
may 08 12:50:21 ALF iwd[430]: error parsing non-HT rates
may 08 12:50:21 ALF iwd[430]: event: connect-info, ssid: eduroam, bss: fc:ec:da:d5:19:38, signal: -60, load: 9/255
may 08 12:50:21 ALF iwd[430]: event: state, old: autoconnect_quick, new: connecting (auto)
may 08 12:50:21 ALF iwd[430]: TTLS: Tunnel has disconnected with alert: bad_certificate
may 08 12:50:22 ALF iwd[430]: EAP completed with eapFail
may 08 12:50:22 ALF iwd[430]: 4-Way handshake failed for ifindex: 2, reason: 23
may 08 12:50:22 ALF iwd[430]: event: connect-failed, reason: 23

Thanks in advance for the help and sorry if the message is bit messed up, is my first post in the forum.
Pd: i have found this post covering my error https://bbs.archlinux.org/viewtopic.php?id=291921

Last edited by sharda (2024-05-08 11:16:55)

loqs

Member

Registered: 2014-03-06

Posts: 17,657

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

Pd: i have found this post covering my error https://bbs.archlinux.org/viewtopic.php?id=291921

What is the output of `uname -a`?

sharda

Member

Registered: 2024-05-08

Posts: 6

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

Pd: i have found this post covering my error https://bbs.archlinux.org/viewtopic.php?id=291921

What is the output of `uname -a`?

The output is:

Linux ****** 6.8.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 02 May 2024 17:49:46 +0000 x86_64 GNU/Linux

loqs

Member

Registered: 2014-03-06

Posts: 17,657

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

6.8.9 has the fix from the thread you linked so the cause should not be the same.

seth

Member

Registered: 2012-09-03

Posts: 52,615

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

Please use [code][/code] tags, not "quote" tags.

https://wiki.archlinux.org/title/Iwd#Ve … _debugging

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sharda

Member

Registered: 2024-05-08

Posts: 6

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

Please use [code][/code] tags, not "quote" tags.

https://wiki.archlinux.org/title/Iwd#Ve … _debugging

Now i have this output:

 sudo journalctl -u iwd.service | tail
may 09 11:59:15 ALF iwd[439]: event: connect-info, ssid: eduroam, bss: fc:ec:da:d5:3d:77, signal: -33, load: 6/255
may 09 11:59:15 ALF iwd[439]: event: state, old: autoconnect_quick, new: connecting (auto)
may 09 11:59:15 ALF iwd[439]: TTLS: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
may 09 11:59:15 ALF iwd[439]: TTLS: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_server_hello:2419 Negotiated TLS 1.0
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_server_hello:2455 Negotiated TLS_DHE_RSA_WITH_AES_256_CBC_SHA
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2217 bytes
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
may 09 11:59:15 ALF iwd[439]: TTLS: tls_handle_certificate:2572 Disconnect desc=bad_certificate local-desc=close_notify reason=Peer certchain verification failed consistency check or against local CA certs: Linking certificate 1 / 2 failed, root not verified against trusted CA(s)
may 09 11:59:15 ALF iwd[439]: TTLS: tls_send_alert:1175 Sending a Fatal Alert: bad_certificate
may 09 11:59:15 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 11:59:15 ALF iwd[439]: TTLS: Tunnel has disconnected with alert: bad_certificate
may 09 11:59:16 ALF iwd[439]: EAP completed with eapFail
may 09 11:59:16 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 11:59:16 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 11:59:16 ALF iwd[439]: 4-Way handshake failed for ifindex: 2, reason: 23
may 09 11:59:16 ALF iwd[439]: event: connect-failed, reason: 23
may 09 11:59:16 ALF iwd[439]: event: state, old: connecting (auto), new: disconnected

progandy

Member

Registered: 2012-05-17

Posts: 5,212

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

root not verified against trusted CA(s)

That sounds as if you have the wrong EAP-TTLS-CACert certificate authority. How did you create that file?

With the debug option you now have the certificate provided by the server in /tmp/iwd-tls-debug-server-cert.pem as well.
You can manually verify it with the CA you provided in the network config with e.g. openssl
Make sure your CA.pem is a valid certificate file and can be read by openssl, then verify the server certificate with it:

$ openssl x509 -in CA.pem -text -noout
$ openssl verify -show_chain -CAfile CA.pem server-cert.pem

To use the same validation functions as iwd you can use a tool provided by the ell library:

# pacman -S ell
$ wget https://git.kernel.org/pub/scm/libs/ell/ell.git/plain/tools/certchain-verify.c
$ gcc -o certchain-verify -lell certchain-verify.c
$ ./certchain-verify /var/lib/iwd/ca.pem /tmp/iwd-tls-debug-server-cert.pem

Last edited by progandy (2024-05-09 10:44:36)

---

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

sharda

Member

Registered: 2024-05-08

Posts: 6

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

root not verified against trusted CA(s)

That sounds as if you have the wrong EAP-TTLS-CACert certificate authority. How did you create that file?

With the debug option you now have the certificate provided by the server in /tmp/iwd-tls-debug-server-cert.pem as well.
You can manually verify it with the CA you provided in the network config with e.g. openssl
Make sure your CA.pem is a valid certificate file and can be read by openssl, then verify the server certificate with it:

$ openssl x509 -in CA.pem -text -noout
$ openssl verify -show_chain -CAfile CA.pem server-cert.pem

To use the same validation functions as iwd you can use a tool provided by the ell library:

# pacman -S ell
$ wget https://git.kernel.org/pub/scm/libs/ell/ell.git/plain/tools/certchain-verify.c
$ gcc -o certchain-verify -lell certchain-verify.c
$ ./certchain-verify /var/lib/iwd/ca.pem /tmp/iwd-tls-debug-server-cert.pem

I've created the file with the python script  from the eduroam page. From there I downloaded a python code that generated the file ca.pem and also, the "eduroam.8021x" was created following the guide from iwd Arch wiki with that code

With the debug option you now have the certificate provided by the server in /tmp/iwd-tls-debug-server-cert.pem as well.

When i look at there, it says that the file or direcotry doesn't exists. And when i do ls the file isn't there.

And the code:

openssl x509 -in CA.pem -text -noout

It works and reads the file, if u want, I'll send the output.

I have been testing during the day if I could connect and the journals outputs, and depending where I try to connect from the University, it produces different errors:

The usual one:

sudo journalctl -u iwd.service | tail -100
may 09 18:14:10 ALF iwd[439]: event: connect-info, ssid: eduroam, bss: fe:ec:da:95:0a:6e, signal: -58, load: 28/255
may 09 18:14:10 ALF iwd[439]: event: state, old: autoconnect_full, new: connecting (auto)
may 09 18:14:10 ALF iwd[439]: TTLS: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
may 09 18:14:10 ALF iwd[439]: TTLS: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_server_hello:2419 Negotiated TLS 1.0
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_server_hello:2455 Negotiated TLS_DHE_RSA_WITH_AES_256_CBC_SHA
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2217 bytes
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
may 09 18:14:10 ALF iwd[439]: TTLS: tls_handle_certificate:2572 Disconnect desc=bad_certificate local-desc=close_notify reason=Peer certchain verification failed consistency check or against local CA certs: Linking certificate 1 / 2 failed, root not verified against trusted CA(s)
may 09 18:14:10 ALF iwd[439]: TTLS: tls_send_alert:1175 Sending a Fatal Alert: bad_certificate
may 09 18:14:10 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 18:14:10 ALF iwd[439]: TTLS: Tunnel has disconnected with alert: bad_certificate
may 09 18:14:11 ALF iwd[439]: EAP completed with eapFail
may 09 18:14:11 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 18:14:11 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 18:14:11 ALF iwd[439]: 4-Way handshake failed for ifindex: 2, reason: 23
may 09 18:14:11 ALF iwd[439]: event: connect-failed, reason: 23
may 09 18:14:11 ALF iwd[439]: event: state, old: connecting (auto), new: disconnected

And the new error:

sudo journalctl -u iwd.service | tail -100
may 09 16:56:35 ALF iwd[439]: event: connect-info, ssid: eduroam, bss: fc:ec:da:d5:0b:16, signal: -53, load: 13/255
may 09 16:56:35 ALF iwd[439]: event: state, old: autoconnect_quick, new: connecting (auto)
may 09 16:56:36 ALF iwd[439]: TTLS: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
may 09 16:56:36 ALF iwd[439]: TTLS: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_server_hello:2419 Negotiated TLS 1.0
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_server_hello:2455 Negotiated TLS_DHE_RSA_WITH_AES_256_CBC_SHA
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2217 bytes
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_certificate:2666 New state TLS_HANDSHAKE_WAIT_KEY_EXCHANGE
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_handshake:3074 Handling a TLS_SERVER_KEY_EXCHANGE of 521 bytes
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_handshake:3172 New state TLS_HANDSHAKE_WAIT_HELLO_DONE
may 09 16:56:36 ALF iwd[439]: TTLS: tls_handle_dhe_server_key_xchg:994 Disconnect desc=handshake_failure local-desc=close_notify reason=Server DH prime modulus invalid
may 09 16:56:36 ALF iwd[439]: TTLS: tls_send_alert:1175 Sending a Fatal Alert: handshake_failure
may 09 16:56:36 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 16:56:36 ALF iwd[439]: TTLS: Tunnel has disconnected with alert: handshake_failure
may 09 16:56:37 ALF iwd[439]: EAP completed with eapFail
may 09 16:56:37 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 16:56:37 ALF iwd[439]: TTLS: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
may 09 16:56:37 ALF iwd[439]: 4-Way handshake failed for ifindex: 2, reason: 23
may 09 16:56:37 ALF iwd[439]: event: connect-failed, reason: 23
may 09 16:56:37 ALF iwd[439]: event: state, old: connecting (auto), new: disconnected

Last edited by sharda (2024-05-09 16:45:43)

progandy

Member

Registered: 2012-05-17

Posts: 5,212

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

For the first attempt, have you manually verified the certificate that is downloaded to /tmp? What does openssl -verify say?

The second attempt succeeds with verifying the certificate, but the fails during the key exchange. You may be out of luck there and need to use wpa_supplicant instead:

https://www.reddit.com/r/archlinux/comm … r/g6ppp45/
Your university Wi-Fi is configured in an insecure way, the prime number it uses during the key exchange is too short. This is a restriction imposed by the cryptography API provided by the Linux kernel, which iwd relies on. There is nothing you can do about it yourself apart from complaining to the IT department of your university. wpa_supplicant does not use the kernel cryptography framework and does not include this prime length check, therefore it is not affected.

Last edited by progandy (2024-05-09 17:32:15)

---

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

sharda

Member

Registered: 2024-05-08

Posts: 6

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

For the first attempt, have you manually verified the certificate that is downloaded to /tmp? What does openssl -verify say?

The second attempt succeeds with verifying the certificate, but the fails during the key exchange. You may be out of luck there and need to use wpa_supplicant instead:

https://www.reddit.com/r/archlinux/comm … r/g6ppp45/
Your university Wi-Fi is configured in an insecure way, the prime number it uses during the key exchange is too short. This is a restriction imposed by the cryptography API provided by the Linux kernel, which iwd relies on. There is nothing you can do about it yourself apart from complaining to the IT department of your university. wpa_supplicant does not use the kernel cryptography framework and does not include this prime length check, therefore it is not affected.

The problem is that I can't find the certificate. When i look at /tmp there isn't any certificate, so i can verify it, and i can't do the "openssl -verify". I don't know if it's deleted or something before i reach to look it, but the file isn't there.

So should I try with wpa_supplicant????

progandy

Member

Registered: 2012-05-17

Posts: 5,212

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

The problem is that I can't find the certificate. When i look at /tmp there isn't any certificate, so i can verify it, and i can't do the "openssl -verify". I don't know if it's deleted or something before i reach to look it, but the file isn't there.

I forgot the iwd systemd service sets PrivateTmp=true. You can probably find the certificate as root in /tmp/systemd-private-*-iwd.service-*/tmp

So should I try with wpa_supplicant????

Probably. If you want to avoid rebooting after disabling iwd, you'll have to recreate the wlan0 interface:
https://iwd.wiki.kernel.org/interface_l … ent_in_iwd

# iw phy phy0 interface add wlp2s0 type station

Last edited by progandy (2024-05-09 17:52:53)

---

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

sharda

Member

Registered: 2024-05-08

Posts: 6

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

The problem is that I can't find the certificate. When i look at /tmp there isn't any certificate, so i can verify it, and i can't do the "openssl -verify". I don't know if it's deleted or something before i reach to look it, but the file isn't there.

I forgot the iwd systemd service sets PrivateTmp=true. You can probably find the certificate as root in /tmp/systemd-private-*-iwd.service-*/tmp

So should I try with wpa_supplicant????

Probably. If you want to avoid rebooting after disabling iwd, you'll have to recreate the wlan0 interface:
https://iwd.wiki.kernel.org/interface_l … ent_in_iwd

# iw phy phy0 interface add wlp2s0 type station

I have just tried the openssl  verify:

sudo openssl verify -show_chain -CAfile /var/lib/iwd/eduroam-ca.pem /tmp/systemd-private-49827ee6a1e34a06b8e37ec1040ebb68-iwd.service-7SjdKS/tmp/iwd-tls-debug-server-cert.pem
/tmp/systemd-private-49827ee6a1e34a06b8e37ec1040ebb68-iwd.service-7SjdKS/tmp/iwd-tls-debug-server-cert.pem: OK
Chain:
depth=0: C=ES, ST=Castilla y Leon, O=Universidad de Valladolid, OU=STIC, CN=radius.uva.es, emailAddress=noc@uva.es (untrusted)
depth=1: C=ES, ST=Castilla y Leon, L=Valladolid, O=Universidad de Valladolid, OU=STIC, CN=CA_UVa2016, emailAddress=noc@uva.es

I guess that the certificate works...

On the wpa_supplicant stuff, i am unable to make it work. When I disable iwd (sudo disable iwd.service), WLAN stills softblocked by the rfkill and if i unblock it by "rfkill unblock wlan" i get a lot of errors in wpa_supplicant and it doesn't works.

seth

Member

Registered: 2012-09-03

Posts: 52,615

Re: Error connecting to EDUROAM with IWD: (bad_certificate)

WLAN stills softblocked by the rfkill and if i unblock it by "rfkill unblock wlan" i get a lot of errors in wpa_supplicant and it doesn't works.

Please don't paraphrase, https://bbs.archlinux.org/viewtopic.php?id=57855

Also

If you want to avoid rebooting after disabling iwd, you'll have to recreate the wlan0 interface:
https://iwd.wiki.kernel.org/interface_l … ent_in_iwd

# iw phy phy0 interface add wlp2s0 type station

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc