Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Bug #1104476 reported by zsolt.ruszinyák on 2013-01-24
This bug affects 247 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
High
Release Notes for Ubuntu
Undecided
Andy Whitcroft
Gentoo Linux
Fix Released
Medium
network-manager (openSUSE)
Confirmed
High
network-manager-applet (Ubuntu)
High
Mathieu Trudel-Lapierre
Saucy
Undecided
Unassigned
Trusty
High
Mathieu Trudel-Lapierre
Utopic
High
Mathieu Trudel-Lapierre

Bug Description

SRU Justification:
[Impact]
When connecting to MPA2/PEAP/MSCHAPv2 wifi networks which do not have a CA Certificate network manager may incorrectly mark the CA certificate as needing verification and fail that verification.

[Test Case]
Attempt to connect to a WPA2/PEAP/MSCHAPv2 network without CA_Certificate using Network Manager

[Regression Potential]
This has been fixed in Utopic already and it a backport of an upstream patch.

--

=== Release Notes Text ===

When connecting to MPA2/PEAP/MSCHAPv2 wifi networks which do not have a CA Certificate network manager may incorrectly mark the CA certificate as needing verification and fail that verification. See the bug for workarounds.

===

I can connect to Eduroam in 12.10 and any other previous release, but not in 13.04. I checked, my name and password are correct, all settings are the same as in 12.10.

Network properties:

security: WPA - WPA2 enterprise
authentication: protected EAP (PEAP)
CA certificate: none
PEAP version: automatic
inner autentication: MSCHAPv2
username: (required)
password: (required)

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
Uname: Linux 3.8.0-1-generic i686
ApportVersion: 2.8-0ubuntu2
Architecture: i386
CasperVersion: 1.330
Date: Thu Jan 24 21:32:25 2013
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
IpRoute:
 default via 192.168.43.1 dev wlan0 proto static
 169.254.0.0/16 dev wlan0 scope link metric 1000
 192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.149 metric 9
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
MarkForUpload: True
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con:
 NAME UUID TYPE TIMESTAMP TIMESTAMP-REAL AUTOCONNECT READONLY DBUS-PATH
 AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes no /org/freedesktop/NetworkManager/Settings/2
 Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes no /org/freedesktop/NetworkManager/Settings/1
 eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes no /org/freedesktop/NetworkManager/Settings/0
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH
 wlan0 802-11-wireless connected /org/freedesktop/NetworkManager/Devices/1
 eth0 802-3-ethernet unavailable /org/freedesktop/NetworkManager/Devices/0
nmcli-nm:
 RUNNING VERSION STATE NET-ENABLED WIFI-HARDWARE WIFI WWAN-HARDWARE WWAN
 running 0.9.7.0 connected enabled enabled enabled enabled disabled

summary: Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students|
+ university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
hepaly (hurezi) wrote :

I have the same problem. I can not connect to wifi network (WPA and WPA2 Enterprise PEAP, MSCHAPv2 +username/password)
The network manager doesn't accept my password. On last week, it worked well. (2013. 03.15.)

The certificate authority is missing. You may want to add it to the configuration in NetworkManager to point to a CA certificate that can be provided to you by your network administrator:

Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxxx'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxx' err='unable to get local issuer certificate'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 24 21:28:22 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I've noticed this too happening with self-signed certificates in universities. The alternative is to edit the connection file in /etc/NetworkManager/system-connections to remove "system-ca-certs=true".

Changed in network-manager (Ubuntu):
status: Confirmed → Invalid

but why only since 13.04 if it worked fine so far. anyway, I have found something here, it should be the certificate, but I haven't got round to try it myself: http://www.lan.kth.se/eduroam/AddTrust_External_CA_Root.pem does it work for you, hepaly?

hepaly (hurezi) wrote :

Hi Zsolt, This problem affects me, when i try to connect to my office network. We never used certificate authority. The wifi network allows the connection, when I use a specific hostname, and username/password. Ubuntu 12.10 is working well. On last week, the wifi connection was OK on ubuntu 13.04.

hepaly (hurezi) wrote :

I got a certificate file (*.crt) from IT, and the connection is working well (with this cert. file). It is interesting, because the 12.10 works without this file.

Download full text (3.7 KiB)

if it doesn't change, this could mean a serious move-away from ubuntu,
cause I instapped ubuntu to many of my friemds juat because they were
unaboe to connect to eduroam in windows! don't underestimate this, I would
mark this of a very high importanace, being a dev...
On Mar 19, 2013 2:02 PM, "hepaly" <email address hidden> wrote:

> I got a certificate file (*.crt) from IT, and the connection is working
> well (with this cert. file). It is interesting, because the 12.10 works
> without this file.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to Eduroam (worldwide WiFi network for
> university students)
>
> Status in “network-manager” package in Ubuntu:
> Invalid
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner autentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/0
> nmcli-dev:
> DEVICE TYPE ...

Read more...

Hi Hepaly,
what kind of certificate did you use? googling around I found (here, for example https://admin.kuleuven.be/icts/english/wifi/eduroam-ubuntu) that with the

/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

should work but instead it does not work for me.

alfredo

hepaly (hurezi) wrote :

Here are some screenshots about this issue:
I can connect to office network without using CA certificate file (ubuntu 12.10 live cd):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu12.10_wpa2E.png

Ubuntu 13.04 daily build doesn't accept my password. (using same settings, as ubuntu 12.10):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E.png

But if I use the CA certificate file, what I got from IT guys, then the password validation is OK, and it connects to wifi network.
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E_ok_with_crt.png

Actually it works well using with CA certificate file, but why does the 12.10 work without this file? Is it bug or feature? :)

Changed in network-manager (Ubuntu):
status: Invalid → New

I'm marking this again as new, cause the definition of invalid says that it should be a support request which it is not, because canonical cannot provide support to solve it.

most people don't know what a CA certificate is, so you can't leave it this way, cause they will say, that ubuntu just cannot connect and they are moving back to windows... you have to consider what normal people will think about this.

I've tried all sorts of certificates in the last few days (searching on google people say to use different types of them) but I couldn't make this work. Moreover the Eduroam site says to leave the certificate field empty. I can connect with my telephone with no problems so I'm sure the problem is not related to my account. I'll check if it works with an older ubuntu version asap.

Download full text (3.8 KiB)

I have tries with different certificates (cause my school haven't issued
one) and it didn't work. currently there's no way for us to connect to
eduroam in 13.04.
On Mar 25, 2013 10:50 AM, "Alfredo Buttari" <email address hidden>
wrote:

> I've tried all sorts of certificates in the last few days (searching on
> google people say to use different types of them) but I couldn't make
> this work. Moreover the Eduroam site says to leave the certificate field
> empty. I can connect with my telephone with no problems so I'm sure the
> problem is not related to my account. I'll check if it works with an
> older ubuntu version asap.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to Eduroam (worldwide WiFi network for
> university students)
>
> Status in “network-manager” package in Ubuntu:
> New
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner autentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan...

Read more...

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed

Also unable to connect, works well in any Ubuntu version except for 13.04.

gluca (gianluca-carlesso) wrote :

Hi! i have same bug. The problem occurs only in 13.04.

Eduard Gotwig (gotwig) wrote :

I have the same problem.
Very bad.

My college, the b.i.b International College Bergisch Gladbach (www.bg.bib.de) is affected!

In 12.04 it worked perfectly!

summary: - Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students)
+ Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
summary: - Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network

If this bug does not get fixed, a whole industry is affected.

This bug has to be critical!

summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
+ CA_Certificate
Eduard Gotwig (gotwig) wrote :

Sry, I just want to note that removing "system-ca-certs=true" from /etc/NetworkManager/system-connections solved the problem for me!

Eduard Gotwig (gotwig) wrote :

Remove the line that I marked (line 20) , to fix it

This is an example of my NetworkManager profile.

This file is saved under /etc/NetworkManager/system-connections/

with connecting to the wireless point at my college. (www.bg.bib.de)

So it seems the problem is system-ca-certs=true is being added despite Eduard cancelling the request for the cert.

Changed in network-manager (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Download full text (3.6 KiB)

I had no possibilty of testing these days. any progress, guys?
On Apr 9, 2013 11:30 AM, "Brendan Donegan" <email address hidden>
wrote:

> So it seems the problem is system-ca-certs=true is being added despite
> Eduard cancelling the request for the cert.
>
> ** Changed in: network-manager (Ubuntu)
> Importance: Undecided => High
>
> ** Changed in: network-manager (Ubuntu)
> Status: Confirmed => Triaged
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
> CA_Certificate
>
> Status in “network-manager” package in Ubuntu:
> Triaged
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner autentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/0
> nmcli-dev:
> DEVICE TYPE STATE DBUS-PATH
> wlan0 802-11-wireless connected
> /org/f...

Read more...

Carl Davis (carl.davis) wrote :

I can confirm that even though I choose ignore on the CA Cert dialog, the line "system-ca-certs=true" was added to system-connections. It works find after I set that to false.

Ryan Yates (ryanyates23) wrote :

Hey, my laptop can't even find eduroam or setup-wifi to even attempt connecting since upgrading to 13.04. How can I go about fixing this?

Download full text (3.6 KiB)

upgrading is not good. try to fire up a usb image and try if it it can
connect in the live mode. the problem is probably with the upgrade. but
first try to connect to a hidden network.
On Apr 17, 2013 5:45 AM, "Ryan Yates" <email address hidden> wrote:

> Hey, my laptop can't even find eduroam or setup-wifi to even attempt
> connecting since upgrading to 13.04. How can I go about fixing this?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
> CA_Certificate
>
> Status in “network-manager” package in Ubuntu:
> Triaged
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner autentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/0
> nmcli-dev:
> DEVICE TYPE STATE DBUS-PATH
> wlan0 802-11-wireless connected
> /org/freedesktop/NetworkManager/Dev...

Read more...

Eduard Gotwig (gotwig) wrote :

Ryan: Just read the log on this page...

Pedro Nunes (nunes-p89) wrote :

I am affected too.
Lets hope that on Monday its already fixed! :P

cosmin (wizardelo) wrote :

well i just tried 13.04 on a live-usb and this issue is still there:(
cannot connect to peap without CA, line "system-ca-certs=true" is stil added despite choosing no CA

Matthew Dye (mdye) wrote :

I believe this may be a GNOME problem. When I try it under Kubuntu and KDE, I can connect fine; while in GNOME, I cannot connect to my university (University of Missouri) wifi network.

Ben Hilburn (bhilburn) wrote :

Confirming that this is a really serious issue.

PEAP connection, MSCHAPv2, no certificate but with a username & password, I *cannot* connect to the network. Previous versions of Ubuntu work fine. Indeed, my credentials on another machine running 12.10 work just fine.

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
mrtrick (patrick-hendrick) wrote :

I can confirm this issue on a Lenovo T510, PEAP, MSCHAPv2, no cert. Switching to LEAP seems to hold fine. Removing system-ca-certs=true did not stabilize my connection at all. I am able to get connected, but drops every few minutes and sometimes will not connect at all.

Fei (feisung) wrote :

Hey Guys, this problem is quite serious!! Excitement in the morning after the upgrade on home wifi then complete dissapointment after 2hrs+ attempting to patch it :(
 Tried just about all that was posted here and was unsuccessful. eduroam and other enterprise wpa networks just don't work anymore. Please supply a quick fix...

DeepJoy (deepjoy) wrote :

Confirmed "system-ca-certs=true" is stil added despite choosing no CA and choosing ignore along with do not warn me again on the popup.

this is the 1. ubuntu release I didn't install right after it came out.
guess why.

and by the way the workarond by Eduard Gotwig from comment #19 sadly
doesn't work here either. the line is always re-added. please explain us
better how u did it cause more people have reported here that it doesn't
work.

Tyler (tyler.h) wrote :

Workaround of removing "system-ca-certs=true" only works temporarily. Next time NetworkManager touches the profile, the line reappears in the profile.

BrunoB (bruno-bak) wrote :

How i got it working:

1. Download the AddTrust External CA Root (Base64 format) available here: http://iss.leeds.ac.uk/helpdesk/eduroam-certificates
2. Double click it and import using Gnome2 Key Storage (require sudo privileges).
3. Go to Network connections (right click con the wi-fi logo on the top right of the screen) and Add a new connection.
4. Name the new connection "eduroam"and have the SSID also "eduroam"
5. Under Wi-fi security choose "WPA 2 enterprise", Authentication: "Proteacted EAP (PEAP)", CA Certificate browse the file you downladed on step 1.
6. Username have your COMPLETE email (include @schoolname.something).
7.include your password.
Save it.
Good luck

Franko Burolo (fburolo) wrote :

Same problem here. And 13.04 really is the first Ubuntu where this doesn't work. And sure it IS critical!
If this is not fixed, Ubuntu will prove useless for most education (students/profs) and business users. And the bug is still unassigned since January?! Come on!

I just can't believe that the swirl direction of the BFB icon was a more important bug than this one... In terms that it was promptly addressed, unlike this one.

vacaloca (ltirado) wrote :

I just wanted to say that comment #19 of removing "system-ca-certs=true" from /etc/NetworkManager/system-connections also worked for me. Actually, what I did was set the statement to false. When I re-started the connection, it worked on the next try.

I also did a sudo chmod -w NUwave after the first time it connected, so that should avoid the statement from reappearing since now the file is read-only. Given the connection name, I'm at Northeastern University, which uses WPA2/PEAP/MSCHAP as well.

From /var/log/syslog upon successful authentication:

May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:21:52 wpa_supplicant[1434]: last message repeated 2 times
May 2 13:21:52 Faraday wpa_supplicant[1434]: EAP-MSCHAPV2: Authentication succeeded

Before the statement was switched to false, syslog showed statements like:

May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
May 2 13:02:59 wpa_supplicant[1483]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:03:00 wpa_supplicant[1483]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:e7:7b:51 reason=6

Before I had tried this, I had attempted to use the certificate that Windows 7 associated with the same NUwave wireless connection, but I was still unsuccessful at authenticating even with that. The odd thing is that a few weeks back when I tested with an Ubuntu 13.04 Beta 2 USB stick it worked fine, but stopped working at some point, and I re-tested with the USB stick today and it still failed, so at that point I knew it wasn't anything package related and stumbled across this bug and solution which fixed it! :)

Franko Burolo (fburolo) wrote :

The workaround works for me, too. Even without making the file read-only. I connected at my faculty's library in the early afternoon today. But I still think this is a critical issue, that could turn people away from Ubuntu.

It's very interesting what vacalola said about the old unchanged live image working once, and then not... Yet, the fact remains that this works completely fine in both 12.04 and 12.10, and just in 13.04 not.

Fei (feisung) wrote :

I give up... this has just got me switching to another Linux distro! Spent the whole week trying to rebuild my machine just cos of this issue... One year + of Ubuntu Love now to it's brother... Which I should state that wpa-enterprise works at time of writing that is!

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Adolfo Jayme (fitojb) on 2013-08-30
tags: added: saucy
Changed in network-manager:
importance: Unknown → High
status: Unknown → New
Adolfo Jayme (fitojb) on 2013-09-02
tags: added: regression-release
sivamoke (sivamoke-bif) on 2013-09-05
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → nobody
Adolfo Jayme (fitojb) on 2013-09-05
Changed in network-manager (Ubuntu):
assignee: nobody → Network-manager (network-manager)
Sepu (j-jungo) on 2013-09-30
description: updated
Adolfo Jayme (fitojb) on 2013-10-04
tags: added: rls-s-incoming
Changed in network-manager (Ubuntu):
assignee: Network-manager (network-manager) → Mathieu Trudel-Lapierre (mathieu-tl)
tags: removed: rls-s-incoming
Andy Whitcroft (apw) on 2013-10-17
Changed in ubuntu-release-notes:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
description: updated
Andy Whitcroft (apw) on 2013-10-17
Changed in ubuntu-release-notes:
status: In Progress → Fix Released
tags: added: patch
justin (justi8) on 2013-10-27
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → justin (justi8)
Adolfo Jayme (fitojb) on 2013-10-27
Changed in network-manager (Ubuntu):
assignee: justin (justi8) → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager:
status: New → Confirmed
Changed in network-manager:
status: Confirmed → Fix Released
Changed in gentoo:
importance: Unknown → High
status: Unknown → New
Changed in gentoo:
importance: High → Medium
Changed in network-manager (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in gentoo:
status: New → Fix Released
124 comments hidden view all 204 comments
Albert Pool (albertpool) wrote :

Linux Mint has implemented the upstream fix for system-ca-certs in their repository packages which can be found at http://packages.linuxmint.com/pool/upstream/n/network-manager-applet/

You can install these DEBs on Ubuntu 14.04 too (since Linux Mint 17 is based on Ubuntu 14.04), then remove the connection and add it again; system-ca-certs will not appear then if you click ignore when you're asked to choose a certificate.

With Mint 17 I am able to connect to Eduroam out-of-the-box, I just have to choose PEAP as authentication method and enter my details.

This can be fixed in backporting a commit; I'll upload a fixed package to utopic shortly, then we can look into a SRU for the change.

affects: network-manager (Ubuntu) → network-manager-applet (Ubuntu)
Changed in network-manager-applet (Ubuntu):
status: Triaged → In Progress

Saucy will be EOL in about a month; unless somebody says otherwise, I think I'd rather spend the time to provide the fix in the other releases that are still supported -- people still on 13.10 should consider upgrading to 14.04 as soon as possible, which should generally be a good idea for all the other bug fixes that would come with it.

If it's really needed, I can provide packages in a PPA, but for now I'll just close the Saucy / 13.10 task as Won't Fix.

Other releases will still get the updates when they are tested.

Changed in network-manager-applet (Ubuntu Saucy):
status: New → Won't Fix
Changed in network-manager-applet (Ubuntu Precise):
status: New → Triaged
Changed in network-manager-applet (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in network-manager-applet (Ubuntu Precise):
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 0.9.8.8-0ubuntu7

---------------
network-manager-applet (0.9.8.8-0ubuntu7) utopic; urgency=medium

  * debian/patches/git_revert_system_ca_cert.patch: don't require system CA
    certs to validate the wireless AP certs if the user chooses not to supply
    a certificate. (LP: #1104476)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 11 Jun 2014 15:29:36 -0400

Changed in network-manager-applet (Ubuntu Utopic):
status: In Progress → Fix Released
Vincent Gerris (vgerris) wrote :

This bug still affects me with current updates.
I had to change /etc/NetworkManager/system-connections/network-ssid
the line system-ca-cert=true
to system-ca-cert=false
Then restart the network and it works.

Yes, this fix will not change connections that have already been created, it will only not set system-ca-cert for new connections.

Adolfo Jayme (fitojb) wrote :

This bug appeared in Raring, Precise is not affected by it.

no longer affects: network-manager-applet (Ubuntu Precise)
Felix (felix-daniel-perez) wrote :

Hi All:

Same bug in 14.04 .Is a headache the network manager with this type of authentication!!

My organization dont use a cert to authenticate to the network, use password, so, is a big problem to connect!

Br

Felix

Boris Hollas (borish) wrote :

Eduroam works for me with Ubuntu 14.04 as of today if I use the installer provided by Eduroam. Your institution should provide a link to this installer, which retrieves and stores the appropriate CA-certs and creates an entry for network-manager.

Hello zsolt.ruszinyák, or anyone else affected,

Accepted network-manager-applet into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/network-manager-applet/0.9.8.8-0ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

description: updated
Changed in network-manager-applet (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-applet (Ubuntu Raring):
status: New → Confirmed
Adolfo Jayme (fitojb) on 2014-07-25
no longer affects: network-manager-applet (Ubuntu Raring)
Adolfo Jayme (fitojb) wrote :

Version 0.9.8.8-0ubuntu4.3 in trusty-proposed works here.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 0.9.8.8-0ubuntu4.3

---------------
network-manager-applet (0.9.8.8-0ubuntu4.3) trusty-proposed; urgency=medium

  * debian/patches/git_revert_system_ca_cert.patch: don't require system CA
    certs to validate the wireless AP certs if the user chooses not to supply
    a certificate. (LP: #1104476)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 07 Jul 2014 11:11:52 -0400

Changed in network-manager-applet (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for network-manager-applet has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Aang (aang-aero) wrote :

Downloaded latest gnome-network-manager update from repository on Ubuntu 14.04 64bit - I am now able to connect with a CA Certificate :-) - issue appears to be resolved on Ubuntu 14.04

Franko Burolo (fburolo) wrote :

Except that this bug report is about the impossibility to connect WITHOUT a CA certificate...

Aang (aang-aero) wrote :

My apologies for the typo, I meant "without" - so the corrected version:

Downloaded latest gnome-network-manager update from repository on Ubuntu 14.04 64bit - I am now able to connect without a CA Certificate :-) - issue appears to be resolved on Ubuntu 14.04

Update:
I am being prompted for the WiFi password on the network without the CA Certificate every time I power on the computer, but once I enter the password it connects. This behavior only occurs on boot up; recovering from suspend has no issues.

Once again, my apologies for the typo on post #179 :-\

Aravind Pogu (aravind-pogu) wrote :

Hi All,

I have installed Ubuntu 14.04 in my system recently on Oct 7th. I still have this problem to connect to my University network.

I have tried the work around mentioned in the thread to remove system-ca-cert=true from the my connection SSID. But, I could not even find that line. I even restarted the Network Manager several times.

Please help !!

Thanks,
Aravind

Albert Pool (albertpool) wrote :

Aravind,

That line is already deleted if you add the connection with the latest updates to NetworkManager installed.

If you're still having trouble, probably the wrong authentication type is set in the wifi security settings. Default is TTLS, but at least my university (Utrecht University, NL) needs PEAP here for its Eduroam network. The inner authentication is MSCHAPv2 but I think that was right by default.
Settings may be different at your university but I think it's certainly worth giving it a try.
When you are asked for the certificate, choose to ignore it (unless you know which one to specify).

Future questions about this are better asked on a forum instead. This is a closed bug.

Pablo Cabrera (pablo-rocka) wrote :

@Aang (aang-aero)

I managed to get rid of the password prompt by adding the password in the [802-1x] section of the connection file:

in the /etc/NetworkManager/system-connections/YOURSSID

Edit the section:
[802-1x]
eap=peap;
identity=YOURUSERNAME
phase2-auth=mschapv2
password=YOURPASSWORDUNENCRYPTED

and it worked for me. No more accept certificate or password prompty dialog.

This bug is still persistent for me in 14.10.

Albert Pool (albertpool) wrote :

As I said already, 14.10 has another problem.
Go to Network Settings or Network Connections, edit the Eduroam connection, and go to the WiFi Security tab.
Here set the authentication type to Protected EAP instead of the default Tunneled TLS which is wrong for eduroam, at least on my university.

It is unrelated to this bug so feel free to open a new bug for it, if you did not need to do this in past releases of Ubuntu.

natheo (natheo) wrote :

I have the bug since yesterday, just after I reinstall Ubuntu 14.04. Before it has never happened.

I have the bug too.
Maybe is related to the network interface.

Network controller: Realtek Semiconductor Co., Ltd. RTL8188CE 802.11b/g/n WiFi Adapter (rev 01)

philipballew (philipballew) wrote :

Is there a bug report for this issue happening in 14.10 as well? I see that as #186 pointed out, this is a different problem, is there a bug report for it? If not, I will go ahead and create one.

Albert Pool (albertpool) wrote :

@philipballew I'm not aware of another bug report, and don't have time to look for one at present. I'm a Linux Mint user myself; Cinnamon has its own issues with Eduroam. besides, there is no 14.10 based Linux Mint at present, so the 14.10 problems don't really affect me.
What I said in #186 was how a friend with Ubuntu on a Mac, got eduroam working.

Vincent Gerris (vgerris) wrote :

since a few days I suddenly have issues again connecting to PEAP based wifi again.
Keep having a popup. Above options did not work.
Intel 7260 card.
not only that, but the ignore option still does not work in the GUI.

Franko Burolo (fburolo) wrote :

A few days ago, I couln't connect to my faculty's PAP network, either... I thought it was a problem on their side, as they tend to have them every so often. But now with Vincent's message... I don't know. It may be a new bug in NetworkManager?
I haven't been to my faculty with my laptop since then to see if the problem still persists... I'll probably be there again on Monday, so I can re-check.

Vincent Gerris (vgerris) wrote :

I thought for me it was a password change, but I tested another laptop with Fedora and that just works.
So it seems like a bug in Ubuntu at least.
Not sure if it is the same, but I hope someone will pick this up and fix it.
This is another big risk for losing users.
Happy to test any fixed packages....

Franko Burolo (fburolo) wrote :

I was today at the faculty again, and I still couldn't connect to the network with my Ubuntu Vivid laptop, but my Android phone could. As this is only happening since very recently, it sounds like a bug in Ubuntu to me, too. And it is probably a regression, since this was working perfectly before, always on Vivid. I have recently got this laptop, and Vivid is the first, and still the only OS ever used on it.
Except that in my case, nothing ever pops up. It is just trying to connect forever. But if it is a new bug, we should open a new report.

Franko Burolo (fburolo) wrote :

Today I tried to delete that connection and set it up again. Still no dice, but now the issue looks exactly as Vincent describes it. :-D After some seconds of not being able to connect, a window pops up asking my username and password. Both Are correct, I multi-checked it, but it just won't connect.

Martin (w-martin-h) wrote :

Wow, ... 15.04 and I face the problem again.
One can also work around this with a wpa_supplicant.conf.
It actually works like a charm, i.e. https://www.rz.uni-osnabrueck.de/dienste/internet/wlan/eduroam/Linux/linux.htm

Same on my PC running Vivid (3.19.0-22, BCM4313), both with certificate added and ignored. Thanks for the workaround, though.

Steve (dday246) wrote :

I can't connect to my campus WiFi either on Ubuntu 14.04 I can connect on my iPhone, home, and coffee shop networks but not at school. My IT guy at school couldn't fix it and he runs Ubuntu. I don't want any workarounds or some Micky Mouse bullshit. I want a simple one click update that resolves the issue. I can't even add a printer at home and now this. I'm about to go back to windows if this isn't resolved with an update. I'm glad I decided not to donate any money to this company. I suppose my dad was right when he said despise the free lunch.

Vincent Gerris (vgerris) wrote :

Hi Steve,

Ubuntu is a project mostly led by people in their free time.
While I agree that this is an annoying bug, your remarks are a bit blunt when it comes to respecting people's hard work.
How about you be happy with what IS working and try to contribute to a solution?
Feel free to code yourself, after all it is open source.
If you like to go back to a proprietary operating systems that has closed source drivers that crash and cannot be fixed it all, why not go for it?
If you don't like Ubuntu, try something else. I do not have the issue on Fedora.
Can't add a printer? Look in the fora, I never had any problem for the last 8 years with any printer and like with Windows some (most not) need a driver.

Last but not least, I agree with Steve that this issue should be fixed.
Can anyone suggest what we should to ?

I would suggest people having this bug to open new bug reports with as much details of their systems as they can provide. If the issue are really duplicates of this one, the new bug reports can be duplicated to this one later. I'm connecting with Eduroam networks with 3 different laptops (two with Ubuntu 14.04 and one with Ubuntu 15.10) with no issues, so I think people being hit by this bug are being affected by a combination of software and own hardware particularities.

Franko Burolo (fburolo) wrote :

As I said before, on my Toshiba laptop with Qualcomm Atheros WiFi and Ubuntu Vivid 64 it worked brilliantly at first (and still it does on a non-updated live media), but it stopped working, probably after who-knows what update, which is why I don't believe it is a hardware issue.
That said, I do agree with Walter, we should open a new bug report for this one. I would do it myself, but for now the only place where I can test this is my university, which, if everything goes well, I am finishing next week, when I'll be giving my MA thesis presentation. So, ATM I am kinda busy preparing for that, and once that's done, my access credentials for the uni network will soon be cancelled, and I won't be able to contribute any test reports. So I concluded it would be pretty useless for me to open it.

And then about Steve... :-D I have worked in hotels and restaurants, and I know very well what special extra spices some customers get, including those who "despise the free lunch". So go on, enjoy your expensive all-served meal. It certainly does have that something extra. ;-)

Vincent Gerris (vgerris) wrote :

Created a new bug : https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1473088
Please put your info there, thank you.

Martin (w-martin-h) wrote :

Jiminy crickets, kernel upgrade to 3.19.0-23 and EDUROAM is picking up again!

Geir Ola (geir-f) wrote :

Have anyone found a functional workaround? Other than the one described above? I don't have the proper knowledge to implement the one above.
Are able to create files and edit with nano if told exactly where to do so.
Running Ubuntu Mate 15.04 - 3.18.0-25rpi2 - Mate 1.8.2 on a Raspberry Pi 2.

Displaying first 40 and last 40 comments. View all 204 comments or add a comment.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.