[SOLVED] Iwd Failed to load ca.pem

traceelement · 2023-10-19 09:45:32

Hi,

the eduroam certificate got updated recently and iwd shows me the message failed to laod ca.pem.

Original Message:

Failed to load "/var/lib/iwd/ca.pem"

Unfortunately I have overwritten the old certificate so I do not know how it looked like. But here is the current one:

The file is at the specified location and if it is not there I get a different error message.

Maybe someone has some ideas.
Thanks in advance.

Last edited by traceelement (2023-11-03 15:18:58)

seth · 2023-10-19 12:25:52

Please use [code][/code] tags, not "quote" tags. Edit your post in this regard.

Problem is possibly https://bbs.archlinux.org/viewtopic.php?id=286417 ?
Otherwise we'll need more context than an isolated error message.

-thc · 2023-10-19 12:47:13

This is not a single CA certificate but a chain of two certificates:

The first one is a root CA certificate

Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
[...]
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

The second one is for an intermediate CA issued by the root CA from the first certificate:

Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
[...]
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

Are you sure those are the right ones? I only found information about a recent eduroam certificate exchange (September 25th 2023) with the new certificate validated by "AAA":

Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

traceelement · 2023-10-20 12:13:38

This ca.pem is downloaded by the tool provided to install eduroam on linux.
Here is the tool: https://cat.eduroam.org/.

I had iwd configured and i worked in August. The last time I configured iwd was in 2021 so there could be a lot of reasons why it does not work anymore. But the error message shows that it could not read the ca.pem which i replaced with the one downloaded from the cat tool.

Does iwd expect a specific format?

seth · 2023-10-20 12:30:03

Code tags…

PEM is defined in https://www.rfc-editor.org/rfc/rfc1422 - iwd cannot expect something different here.
It might struggle w/ the chain, but google doesn't find anybody complaining about that

Is this a mere file permisison problem?

stat /var/lib/iwd/ca.pem

traceelement · 2023-10-20 13:06:34

I tried with multiple different access settings with no luck.

File: /var/lib/iwd/ca.pem
Size: 4262 Blocks: 16 IO Block: 4096 regular file
Device: 8,3 Inode: 60031018 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-10-19 11:19:15.393291197 +0200
Modify: 2023-10-20 14:09:47.313846161 +0200
Change: 2023-10-20 14:59:34.592671369 +0200
Birth: 2023-10-19 11:19:15.393291197 +0200

seth · 2023-10-20 13:09:24

Incl. the number of the beast? (666)
Semi-related, did you get the previous pem from the same surce (https://cat.eduroam.org/) or eg. your campus IT?

traceelement · 2023-10-20 15:17:47

With this you meant to set the access to 666? If so I tried and unfortunately it did not help.

Incl. the number of the beast? (666)

Yes I used the same tool but back then it was a different version but I remember also copying the certificate.

seth · 2023-10-20 19:39:44

Maybe you should provide an entire log covering the attempt to to load the ca.pem and connect to eudroam:
For the curent boot:

sudo journalctl -b | curl -F 'file=@-' 0x0.st

traceelement · 2023-10-26 11:06:14

Sorry for the late response. Here is the journal:
http://0x0.st/Hyo_.txt

seth · 2023-10-26 14:40:35

Why is the iwd PID < the NM PID?
https://wiki.archlinux.org/title/Networ … Fi_backend

traceelement · 2023-10-27 14:56:02

Okay thanks fixed it. It was a weird mix from having the iwd enabled + somehow i put the certificate in parenthesis and thus could not be loaded. So a working config for me is this:

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@uni-domain
EAP-PEAP-CACert=/var/lib/iwd/ca.pem
EAP-PEAP-ServerDomainMask=uni_radius
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=username@uni-auth-domain
EAP-PEAP-Phase2-Password=password
[Settings]
AutoConnect=true

seth · 2023-10-27 15:05:43

(parenthesis) or "quotes"?
Did the config say

EAP-PEAP-CACert=(/var/lib/iwd/ca.pem)

??

Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

traceelement · 2023-11-03 15:16:49

Yeah i meant quotes sorry.

Arch Linux

#1 2023-10-19 09:45:32

[SOLVED] Iwd Failed to load ca.pem

#2 2023-10-19 12:25:52

Re: [SOLVED] Iwd Failed to load ca.pem

#3 2023-10-19 12:47:13

Re: [SOLVED] Iwd Failed to load ca.pem

#4 2023-10-20 12:13:38

Re: [SOLVED] Iwd Failed to load ca.pem

#5 2023-10-20 12:30:03

Re: [SOLVED] Iwd Failed to load ca.pem

#6 2023-10-20 13:06:34

Re: [SOLVED] Iwd Failed to load ca.pem

#7 2023-10-20 13:09:24

Re: [SOLVED] Iwd Failed to load ca.pem

#8 2023-10-20 15:17:47

Re: [SOLVED] Iwd Failed to load ca.pem

#9 2023-10-20 19:39:44

Re: [SOLVED] Iwd Failed to load ca.pem

#10 2023-10-26 11:06:14

Re: [SOLVED] Iwd Failed to load ca.pem

#11 2023-10-26 14:40:35

Re: [SOLVED] Iwd Failed to load ca.pem

#12 2023-10-27 14:56:02

Re: [SOLVED] Iwd Failed to load ca.pem

#13 2023-10-27 15:05:43

Re: [SOLVED] Iwd Failed to load ca.pem

#14 2023-11-03 15:16:49

Re: [SOLVED] Iwd Failed to load ca.pem

Board footer