Ubuntu

Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Reported by zsolt.ruszinyák on 2013-01-24
This bug affects 192 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
High
Release Notes for Ubuntu
Undecided
Andy Whitcroft
Gentoo Linux
Fix Released
Medium
network-manager (Ubuntu)
High
Mathieu Trudel-Lapierre
Nominated for Raring by Adolfo Jayme
Nominated for Saucy by Adolfo Jayme
network-manager (openSUSE)
Confirmed
High

Bug Description

=== Release Notes Text ===

When connecting to WPA2/PEAP/MSCHAPv2 wifi networks which do not have a CA Certificate, network manager may incorrectly mark the CA certificate as needing verification and fail that verification. See the bug for workarounds.

===

I can connect to Eduroam in 12.10 and any other previous release, but not in 13.04. I checked, my name and password are correct, all settings are the same as in 12.10.

Network properties:

security: WPA - WPA2 enterprise
authentication: protected EAP (PEAP)
CA certificate: none
PEAP version: automatic
inner authentication: MSCHAPv2
username: (required)
password: (required)

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
Uname: Linux 3.8.0-1-generic i686
ApportVersion: 2.8-0ubuntu2
Architecture: i386
CasperVersion: 1.330
Date: Thu Jan 24 21:32:25 2013
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
IpRoute:
 default via 192.168.43.1 dev wlan0 proto static
 169.254.0.0/16 dev wlan0 scope link metric 1000
 192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.149 metric 9
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
MarkForUpload: True
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con:
 NAME UUID TYPE TIMESTAMP TIMESTAMP-REAL AUTOCONNECT READONLY DBUS-PATH
 AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes no /org/freedesktop/NetworkManager/Settings/2
 Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes no /org/freedesktop/NetworkManager/Settings/1
 eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes no /org/freedesktop/NetworkManager/Settings/0
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH
 wlan0 802-11-wireless connected /org/freedesktop/NetworkManager/Devices/1
 eth0 802-3-ethernet unavailable /org/freedesktop/NetworkManager/Devices/0
nmcli-nm:
 RUNNING VERSION STATE NET-ENABLED WIFI-HARDWARE WIFI WWAN-HARDWARE WWAN
 running 0.9.7.0 connected enabled enabled enabled enabled disabled

summary: Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students|
+ university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
hepaly (hurezi) wrote :

I have the same problem. I cannot connect to wifi network (WPA and WPA2 Enterprise PEAP, MSCHAPv2 + username/password).
The network manager doesn't accept my password. Last week, it worked well. (2013. 03.15.)

The certificate authority is missing. You may want to add it to the configuration in NetworkManager to point to a CA certificate that can be provided to you by your network administrator:

Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxxx'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxx' err='unable to get local issuer certificate'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 24 21:28:22 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I've noticed this too happening with self-signed certificates in universities. The alternative is to edit the connection file in /etc/NetworkManager/system-connections to remove "system-ca-certs=true".

Changed in network-manager (Ubuntu):
status: Confirmed → Invalid
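
An added example, not part of the original thread and not NetworkManager's own code: a check that reads the `[802-1x]` section of a connection keyfile and reports what the server certificate will be verified against, covering both the `system-ca-certs=true` state and the workaround of removing it. The three keyfiles are constructed for illustration (identity and CA path are placeholders), and `domain-suffix-match`, `altsubject-matches` and `subject-match` are 802-1x properties of current NetworkManager releases that the thread does not mention.

```python
import configparser

TLS_METHODS = {"peap", "ttls", "tls"}  # EAP methods in which the server presents a certificate
NAME_KEYS = ("domain-suffix-match", "altsubject-matches", "subject-match")

# Constructed keyfiles; identity and CA path are placeholders.
AS_SAVED_BY_13_04 = """\
[connection]
id=eduroam
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.edu
phase2-auth=mschapv2
system-ca-certs=true
"""
WORKAROUND = AS_SAVED_BY_13_04.replace("system-ca-certs=true", "system-ca-certs=false")
WITH_CA = WORKAROUND + (
    "ca-cert=/etc/ssl/certs/example-radius-ca.pem\n"
    "domain-suffix-match=radius.example.edu\n"
)


def audit_keyfile(text):
    """Report how one connection keyfile validates the 802.1X server certificate."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    result = {
        "id": cfg.get("connection", "id", fallback="(unnamed)"),
        "verdict": "not-802.1x",
        "trust": [],
        "findings": [],
    }
    if not cfg.has_section("802-1x"):
        return result
    sec = cfg["802-1x"]

    methods = {m.strip().lower() for m in sec.get("eap", "").split(";") if m.strip()}
    if not methods & TLS_METHODS:
        result["verdict"] = "no-server-certificate"
        result["findings"].append("EAP method has no TLS tunnel, so there is no server certificate to check")
        return result

    # Trust sources: an explicit CA file and/or the system CA directory.
    if sec.get("ca-cert", "").strip():
        result["trust"].append("ca-cert")
    if sec.getboolean("system-ca-certs", fallback=False):
        result["trust"].append("system-ca-store")

    if not result["trust"]:
        result["verdict"] = "unvalidated"
        result["findings"].append(
            "server certificate is not verified: the client cannot tell the "
            "organisation's RADIUS server from any other before the MSCHAPv2 exchange"
        )
        return result

    result["verdict"] = "validated"
    if result["trust"] == ["system-ca-store"]:
        result["findings"].append(
            "only system CAs are trusted: a private or self-signed RADIUS CA "
            "fails with 'unable to get local issuer certificate'"
        )
    if not any(sec.get(key, "").strip() for key in NAME_KEYS):
        result["findings"].append(
            "no server name constraint: any certificate issued under the trusted CA(s) is accepted"
        )
    return result


if __name__ == "__main__":
    for label, text in (("13.04 default", AS_SAVED_BY_13_04),
                        ("workaround", WORKAROUND),
                        ("CA supplied", WITH_CA)):
        report = audit_keyfile(text)
        print(label, report["verdict"], report["trust"])
        for finding in report["findings"]:
            print("   -", finding)
```
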

but why only since 13.04 if it worked fine so far. anyway, I have found something here, it should be the certificate, but I haven't got round to try it myself: http://www.lan.kth.se/eduroam/AddTrust_External_CA_Root.pem does it work for you, hepaly?

hepaly (hurezi) wrote :

Hi Zsolt, This problem affects me, when I try to connect to my office network. We never used certificate authority. The wifi network allows the connection, when I use a specific hostname, and username/password. Ubuntu 12.10 is working well. Last week, the wifi connection was OK on ubuntu 13.04.

hepaly (hurezi) wrote :

I got a certificate file (*.crt) from IT, and the connection is working well (with this cert. file). It is interesting, because the 12.10 works without this file.


if it doesn't change, this could mean a serious move-away from ubuntu,
cause I installed ubuntu to many of my friends just because they were
unable to connect to eduroam in windows! don't underestimate this, I would
mark this of a very high importance, being a dev...
On Mar 19, 2013 2:02 PM, "hepaly" <email address hidden> wrote:

> I got a certificate file (*.crt) from IT, and the connection is working
> well (with this cert. file). It is interesting, because the 12.10 works
> without this file.

Hi Hepaly,
what kind of certificate did you use? googling around I found (here, for example https://admin.kuleuven.be/icts/english/wifi/eduroam-ubuntu) that with the

/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

should work but instead it does not work for me.

alfredo

hepaly (hurezi) wrote :

Here are some screenshots about this issue:
I can connect to office network without using CA certificate file (ubuntu 12.10 live cd):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu12.10_wpa2E.png

Ubuntu 13.04 daily build doesn't accept my password. (using same settings, as ubuntu 12.10):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E.png

But if I use the CA certificate file, what I got from IT guys, then the password validation is OK, and it connects to wifi network.
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E_ok_with_crt.png

Actually it works well using with CA certificate file, but why does the 12.10 work without this file? Is it bug or feature? :)

Changed in network-manager (Ubuntu):
status: Invalid → New

I'm marking this again as new, cause the definition of invalid says that it should be a support request which it is not, because canonical cannot provide support to solve it.

most people don't know what a CA certificate is, so you can't leave it this way, cause they will say, that ubuntu just cannot connect and they are moving back to windows... you have to consider what normal people will think about this.

I've tried all sorts of certificates in the last few days (searching on google people say to use different types of them) but I couldn't make this work. Moreover the Eduroam site says to leave the certificate field empty. I can connect with my telephone with no problems so I'm sure the problem is not related to my account. I'll check if it works with an older ubuntu version asap.


I have tried with different certificates (cause my school hasn't issued
one) and it didn't work. currently there's no way for us to connect to
eduroam in 13.04.
On Mar 25, 2013 10:50 AM, "Alfredo Buttari" <email address hidden>
wrote:

> I've tried all sorts of certificates in the last few days (searching on
> google people say to use different types of them) but I couldn't make
> this work. Moreover the Eduroam site says to leave the certificate field
> empty. I can connect with my telephone with no problems so I'm sure the
> problem is not related to my account. I'll check if it works with an
> older ubuntu version asap.

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed

Also unable to connect, works well in any Ubuntu version except for 13.04.

gluca (gianluca-carlesso) wrote :

Hi! I have the same bug. The problem occurs only in 13.04.

Eduard Gotwig (gotwig) wrote :

I have the same problem.
Very bad.

My college, the b.i.b International College Bergisch Gladbach (www.bg.bib.de) is affected!

In 12.04 it worked perfectly!

summary: - Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students)
+ Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
summary: - Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network

If this bug does not get fixed, a whole industry is affected.

This bug has to be critical!

summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
+ CA_Certificate
Eduard Gotwig (gotwig) wrote :

Sry, I just want to note that removing "system-ca-certs=true" from /etc/NetworkManager/system-connections solved the problem for me!

Eduard Gotwig (gotwig) wrote :

Remove the line that I marked (line 20) , to fix it

This is an example of my NetworkManager profile.

This file is saved under /etc/NetworkManager/system-connections/

with connecting to the wireless point at my college. (www.bg.bib.de)

So it seems the problem is system-ca-certs=true is being added despite Eduard cancelling the request for the cert.

Changed in network-manager (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged

I had no possibility of testing these days. any progress, guys?
On Apr 9, 2013 11:30 AM, "Brendan Donegan" <email address hidden>
wrote:

> So it seems the problem is system-ca-certs=true is being added despite
> Eduard cancelling the request for the cert.

Carl Davis (carl.davis) wrote :

I can confirm that even though I choose ignore on the CA Cert dialog, the line "system-ca-certs=true" was added to system-connections. It works fine after I set that to false.

Ryan Yates (ryanyates23) wrote :

Hey, my laptop can't even find eduroam or setup-wifi to even attempt connecting since upgrading to 13.04. How can I go about fixing this?


upgrading is not good. try to fire up a usb image and try if it can
connect in the live mode. the problem is probably with the upgrade. but
first try to connect to a hidden network.
On Apr 17, 2013 5:45 AM, "Ryan Yates" <email address hidden> wrote:

> Hey, my laptop can't even find eduroam or setup-wifi to even attempt
> connecting since upgrading to 13.04. How can I go about fixing this?

Eduard Gotwig (gotwig) wrote :

Ryan: Just read the log on this page...

Pedro Nunes (nunes-p89) wrote :

I am affected too.
Let's hope that on Monday it's already fixed! :P

cosmin (wizardelo) wrote :

well I just tried 13.04 on a live-usb and this issue is still there :(
cannot connect to peap without CA, line "system-ca-certs=true" is still added despite choosing no CA

Matthew Dye (mdye) wrote :

I believe this may be a GNOME problem. When I try it under Kubuntu and KDE, I can connect fine; while in GNOME, I cannot connect to my university (University of Missouri) wifi network.

Ben Hilburn (bhilburn) wrote :

Confirming that this is a really serious issue.

PEAP connection, MSCHAPv2, no certificate but with a username & password, I *cannot* connect to the network. Previous versions of Ubuntu work fine. Indeed, my credentials on another machine running 12.10 work just fine.

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
mrtrick (patrick-hendrick) wrote :

I can confirm this issue on a Lenovo T510, PEAP, MSCHAPv2, no cert. Switching to LEAP seems to hold fine. Removing system-ca-certs=true did not stabilize my connection at all. I am able to get connected, but drops every few minutes and sometimes will not connect at all.

Fei (feisung) wrote :

Hey Guys, this problem is quite serious!! Excitement in the morning after the upgrade on home wifi then complete disappointment after 2hrs+ attempting to patch it :(
 Tried just about all that was posted here and was unsuccessful. eduroam and other enterprise wpa networks just don't work anymore. Please supply a quick fix...

DeepJoy (deepjoy) wrote :

Confirmed "system-ca-certs=true" is still added despite choosing no CA and choosing ignore along with do not warn me again on the popup.

this is the 1. ubuntu release I didn't install right after it came out.
guess why.

and by the way the workaround by Eduard Gotwig from comment #19 sadly
doesn't work here either. the line is always re-added. please explain to us
better how you did it cause more people have reported here that it doesn't
work.

Tyler (tyler.h) wrote :

Workaround of removing "system-ca-certs=true" only works temporarily. Next time NetworkManager touches the profile, the line reappears in the profile.

BrunoB (bruno-bak) wrote :

How I got it working:

1. Download the AddTrust External CA Root (Base64 format) available here: http://iss.leeds.ac.uk/helpdesk/eduroam-certificates
2. Double click it and import using Gnome2 Key Storage (requires sudo privileges).
3. Go to Network connections (right click on the wi-fi logo on the top right of the screen) and Add a new connection.
4. Name the new connection "eduroam" and have the SSID also "eduroam"
5. Under Wi-fi security choose "WPA 2 enterprise", Authentication: "Protected EAP (PEAP)", CA Certificate: browse to the file you downloaded in step 1.
6. Username: use your COMPLETE email (include @schoolname.something).
7. Include your password.
Save it.
Good luck

Franko Burolo (fburolo) wrote :

Same problem here. And 13.04 really is the first Ubuntu where this doesn't work. And sure it IS critical!
If this is not fixed, Ubuntu will prove useless for most education (students/profs) and business users. And the bug is still unassigned since January?! Come on!

I just can't believe that the swirl direction of the BFB icon was a more important bug than this one... In terms that it was promptly addressed, unlike this one.

vacaloca (ltirado) wrote :

I just wanted to say that comment #19 of removing "system-ca-certs=true" from /etc/NetworkManager/system-connections also worked for me. Actually, what I did was set the statement to false. When I re-started the connection, it worked on the next try.

I also did a sudo chmod -w NUwave after the first time it connected, so that should avoid the statement from reappearing since now the file is read-only. Given the connection name, I'm at Northeastern University, which uses WPA2/PEAP/MSCHAP as well.

From /var/log/syslog upon successful authentication:

May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:21:52 wpa_supplicant[1434]: last message repeated 2 times
May 2 13:21:52 Faraday wpa_supplicant[1434]: EAP-MSCHAPV2: Authentication succeeded

Before the statement was switched to false, syslog showed statements like:

May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
May 2 13:02:59 wpa_supplicant[1483]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:03:00 wpa_supplicant[1483]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:e7:7b:51 reason=6

Before I had tried this, I had attempted to use the certificate that Windows 7 associated with the same NUwave wireless connection, but I was still unsuccessful at authenticating even with that. The odd thing is that a few weeks back when I tested with an Ubuntu 13.04 Beta 2 USB stick it worked fine, but stopped working at some point, and I re-tested with the USB stick today and it still failed, so at that point I knew it wasn't anything package related and stumbled across this bug and solution which fixed it! :)
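
An added example, not part of the original comment and not code from wpa_supplicant or NetworkManager: a small triage of wpa_supplicant syslog lines that groups events into EAP attempts per process and separates a rejected server certificate from a failure with no certificate error and from a success. It goes beyond the single failure shown above to cover the other two log shapes quoted in this thread; the sample lines are abridged from those excerpts, and the verdict names are this example's own.

```python
import re

LINE = re.compile(r"wpa_supplicant\[(?P<pid>\d+)\]: (?P<msg>.*)")
CERT_ERR = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR .*?depth=(\d+) subject='([^']*)' err='([^']*)'"
)

# Abridged from the log excerpts quoted in the thread (three separate attempts).
SAMPLE = """\
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:03:00 wpa_supplicant[1483]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:e7:7b:51 reason=6
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:21:52 Faraday wpa_supplicant[1434]: EAP-MSCHAPV2: Authentication succeeded
NetworkManager[6785]: <info> (eth3): supplicant interface state: associating -> associated
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""


def classify(attempt, terminal):
    """Name the outcome of one finished EAP attempt."""
    if terminal == "success":
        return "authenticated"
    if attempt["cert_error"]:
        # TLS stopped on the server certificate; credentials were never tested.
        return "server-cert-rejected"
    if attempt["peer_cert_seen"]:
        # No certificate error was logged; the thread attributes this shape
        # to wrong credentials.
        return "failed-after-server-cert"
    return "failed-before-server-cert"


def triage(lines):
    """Group wpa_supplicant events into EAP attempts and classify each one."""
    open_attempts = {}  # pid -> attempt still in progress
    finished = []
    for line in lines:
        match = LINE.search(line)
        if not match:
            continue  # not a wpa_supplicant line
        pid, msg = match.group("pid"), match.group("msg")

        terminal = None
        if "CTRL-EVENT-EAP-FAILURE" in msg:
            terminal = "failure"
        elif "CTRL-EVENT-EAP-SUCCESS" in msg or "EAP-MSCHAPV2: Authentication succeeded" in msg:
            terminal = "success"

        # EAP-STARTED always opens a fresh attempt (dropping an unfinished one);
        # excerpts that lack it open on their first non-terminal EAP event.
        implicit = pid not in open_attempts and terminal is None and "CTRL-EVENT-EAP-" in msg
        if "CTRL-EVENT-EAP-STARTED" in msg or implicit:
            open_attempts[pid] = {"pid": int(pid), "cert_error": None, "peer_cert_seen": False}

        attempt = open_attempts.get(pid)
        if attempt is None:
            continue  # event outside any attempt, e.g. CTRL-EVENT-DISCONNECTED

        cert = CERT_ERR.search(msg)
        if cert:
            attempt["cert_error"] = {
                "depth": int(cert.group(1)),
                "subject": cert.group(2),
                "err": cert.group(3),
            }
        elif "CTRL-EVENT-EAP-PEER-CERT" in msg:
            attempt["peer_cert_seen"] = True

        if terminal:
            attempt["verdict"] = classify(attempt, terminal)
            finished.append(open_attempts.pop(pid))
    return finished


if __name__ == "__main__":
    for attempt in triage(SAMPLE.splitlines()):
        print(attempt["pid"], attempt["verdict"], attempt["cert_error"] or "")
```
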

Franko Burolo (fburolo) wrote :

The workaround works for me, too. Even without making the file read-only. I connected at my faculty's library in the early afternoon today. But I still think this is a critical issue, that could turn people away from Ubuntu.

It's very interesting what vacaloca said about the old unchanged live image working once, and then not... Yet, the fact remains that this works completely fine in both 12.04 and 12.10, and just in 13.04 not.

Fei (feisung) wrote :

I give up... this has just got me switching to another Linux distro! Spent the whole week trying to rebuild my machine just cos of this issue... One year + of Ubuntu Love now to its brother... Which I should state that wpa-enterprise works at time of writing that is!

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
tags: added: saucy
Changed in network-manager:
importance: Unknown → High
status: Unknown → New
tags: added: regression-release
sivamoke (sivamoke-bif) on 2013-09-05
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → nobody
Changed in network-manager (Ubuntu):
assignee: nobody → Network-manager (network-manager)
Sepu (j-jungo) on 2013-09-30
description: updated
tags: added: rls-s-incoming
Changed in network-manager (Ubuntu):
assignee: Network-manager (network-manager) → Mathieu Trudel-Lapierre (mathieu-tl)
tags: removed: rls-s-incoming
Andy Whitcroft (apw) on 2013-10-17
Changed in ubuntu-release-notes:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
description: updated
Andy Whitcroft (apw) on 2013-10-17
Changed in ubuntu-release-notes:
status: In Progress → Fix Released
tags: added: patch
65 comments hidden view all 145 comments
Henri Souchay (imagez) wrote :

Same thing, happened when "upgrading" to 13.04 after using 12.10 flawlessly. Corporate network.

The system-ca-certs=false trick does not work. NetworkManager keeps updating the file in /etc/NetworkManager/system-connections/, even though I set R-only access -- it will change it back to RW access.

Colleagues can connect to wifi with their Android phones, I cannot with Ubuntu: it just looks incompetent... Arrrgh, I'll have to move back to Windows...

Boris Hollas (borish) wrote :

This is what the log shows.

Pritam Baral (pritambaral) wrote :

PPA announce!
https://launchpad.net/~pritambaral/+archive/nms

Considering the time it has taken, and may take, for the devs to review/accept the patch and/or release a fix, I have been driven to release a personal package archive. This was inevitable for me personally, since my Uni is about to launch a campus wide EAPOL and

It builds on the standard Ubuntu raring package. Saucy will be added in a few hours.

@All affected users: feel free to use it

@32-bit users: build will finish in a few minutes.

Henri Souchay (imagez) wrote :

Chhatoi, thanks for sharing.
First thing this morning I did install your update, which clearly shows the check box "system CA certificates"; unfortunately it still failed authentication:

NetworkManager[6785]: <info> (eth3): supplicant interface state: associating -> associated
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='(... skipping info that seems proper to my business...)'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Hope others have more luck, maybe I'm just dealing with the wrong issue.

Pritam Baral (pritambaral) wrote :

Henri, you are indeed facing a different issue. Most likely incorrect
credentials.

When system-ca-certs is on, wpa_supplicant complains of a self-signed
certificate and stops right there. With a proper corresponding message of
course. And this one definitely isn't that.

I have seen this whenever I put in the wrong credentials.

Regards,
Chhatoi Pritam Baral

@Chhatoi Pritam Baral
Thanks for building a fix for this issue, I know I appreciate it. I do have a question though. I can't seem to get the package through apt-get. I put the ppa into my repositories, but when I do sudo apt-get install network-manager-applet it can't find it (am I using the wrong package name?) I feel so close to finally being able to get wifi working that it really sucks not to be able to get the package.

Harry (harryscells) wrote :

@Austin DeWolfe
Try using:

sudo apt-get update
sudo apt-get upgrade

should update the packages affected

Pritam Baral (pritambaral) wrote :

>
> sudo apt-get update
> sudo apt-get upgrade
>
> should update the packages affected

Yup, that should do it!
But for people looking to upgrade this single package only, and not their
whole system, or others like Austin, the package name is:

network-manager-gnome

Odd. I know. Caught me off-guard when I first set out too.

justin (justi8) on 2013-10-27
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → justin (justi8)
Changed in network-manager (Ubuntu):
assignee: justin (justi8) → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager:
status: New → Confirmed
Ben Lutgens (blutgens-gmail) wrote :

This problem still persists to this day. Setting system-ca-certs=false does not work, you have to comment it out or remove it. There needs to be an option in network manager UI to allow users to disable the requirement on system-ca-cert and it should be included in the dialogue that prompts you for a ca along with the "Don't remind me again" or "ignore this" (e.g. setting it to ignore should unset or remove that line from the connection configuration).

Pritam Baral (pritambaral) wrote :

@Ben: You can use the PPA I posted which does exactly that. An option in
the UI that is disabled by default.

@Ubuntu devs: Upstream is debating turning system-ca-certs off completely.
Basically, reverting the commit which started this debacle without any
regard to end-user usability. There are some very good discussions,
including from people deploying 802.1X in the field, on why system-ca-certs
is completely useless.

Changed in network-manager:
status: Confirmed → Fix Released
osmeest (osmeest) wrote :

Added the PPA specified by @pritambaral in saucy.
When running apt-get update, it complains that it doesn't find
https://launchpad.net/~pritambaral/+archive/nms/dists/saucy/main/binary-amd64/Packages

Any chance to get the gnome network manager update for 64b Saucy from there ?
Or from somewhere else ?

Thanks.

osmeest (osmeest) wrote :

Forget my last comment, if you use the ppa: link, it works much better:
ppa:pritambaral/nms

Thanks again for providing this much wanted patch.

Ingo Keck (ingokeck) wrote :

This is actually a big problem for two reasons:

(1) The user does not get the correct feedback to the problem: Instead of a notice that the certificate is not trusted, he/she is just asked again and again and again for the correct username and password.
(2) Encouraging people to trust in central certificates and not in self signed ones plays in the hands of NSA and everyone who depends on man-in-the-middle attacks. People should be encouraged to trust only in certificates they know are correct and be allowed to do so, instead of forcing them to only accept 'officially' signed certificates.

(still existing in Ubuntu 13.10, btw)
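The missing feedback described in point (1) can be recovered from the wpa_supplicant log. The following is an added example, not code from this thread or from either project: it tells a rejected server certificate apart from a failure that happens after the certificate was accepted. The log excerpts are constructed in the format quoted earlier in this report; the `CTRL-EVENT-EAP-TLS-CERT-ERROR` event does not appear on this page and is the line wpa_supplicant logs when certificate validation fails.

```python
import re

# Constructed excerpts; subjects, interface names and PIDs are made up.
CERT_REJECTED = """\
wpa_supplicant[919]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[919]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[919]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/CN=Example Campus CA' err='self signed certificate in certificate chain'
wpa_supplicant[919]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
AFTER_CERT_ACCEPTED = """\
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Campus CA'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

EVENT = re.compile(r"(\S+): CTRL-EVENT-EAP-([A-Z-]+)(.*)")


def classify_eap_attempts(log_text):
    """Return one (interface, verdict, detail) tuple per finished EAP attempt."""
    state = {}  # interface -> what has been seen since the attempt began
    results = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # kernel, avahi and NetworkManager lines are ignored
        iface, event, rest = m.groups()
        st = state.setdefault(iface, {"peer_cert": False, "cert_err": None})
        if event == "STARTED":
            st.update(peer_cert=False, cert_err=None)
        elif event == "PEER-CERT":
            st["peer_cert"] = True
        elif event == "TLS-CERT-ERROR":
            err = re.search(r"err='([^']*)'", rest)
            st["cert_err"] = err.group(1) if err else "unspecified"
        elif event in ("SUCCESS", "FAILURE"):
            if event == "SUCCESS":
                verdict, detail = "success", ""
            elif st["cert_err"]:
                # The client refused the server: a trust configuration problem.
                verdict, detail = "server-cert-rejected", st["cert_err"]
            elif st["peer_cert"]:
                # The certificate was accepted and authentication failed later,
                # which is what rejected inner credentials look like.
                verdict, detail = "failed-after-cert-accepted", "check identity/password"
            else:
                verdict, detail = "failed-before-tls", ""
            results.append((iface, verdict, detail))
            state.pop(iface, None)  # the next attempt starts clean
    return results


if __name__ == "__main__":
    for sample in (CERT_REJECTED, AFTER_CERT_ACCEPTED):
        print(classify_eap_attempts(sample))
```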

Neil Broadley (scaine) wrote :

Is there something broken in Ubuntu's update process that a PPA had to be created (many thanks for that Pritam!) for this? I've just tried a fresh 13.10, it still has this problem, despite "Fix released". So what does "Fix released" mean? Released for the next version of Ubuntu? Would I have gotten the fix if I'd turned on "Proposed"?

So yeah - thanks again for the PPA. At least that works.

Pritam Baral (pritambaral) wrote :

@Neil: Note that this bug is actually three bugs. More precisely, this is
tracking the status of the same bug in three different projects. And the
top one is gnome (upstream.) The most recent "Fix released" refers to
gnome. It takes a while for upstream changes to be reflected in a stable
distro (Ubuntu), especially if it has to be backported (since upstream is
usually a little ahead of stable).

Note that one of the projects is just "Release Notes".

I created the PPA because I realized Ubuntu did/would not consider this bug
to be important enough to warrant a feature-change in two stable releases.
I do not think that's wrong on their part, although I'm confident they'd
see the fix harmless (from a stability POV) if they notice it.

I think uploading packages to -proposed is only for Ubuntu maintainers.
Here's some more on that matter:
http://askubuntu.com/questions/49691/what-is-the-proposed-repository

C Filorux (breakfast) wrote :

Confirmed still unfixed on 13.10 ... WPA+EAP or Linux: pick one.

Ingo Keck (ingokeck) wrote :

just coming in: Google found French office spying with CA signed intermediate certificate: https://code.google.com/p/chromium/issues/detail?id=326787 and http://www.heise.de/newsticker/meldung/Google-erwischt-franzoesische-Behoerde-beim-Schnueffeln-2062479.html

So please stop requesting CA signed certificates!

Alex Nekrasov (ennnot) wrote :

I'm having the same problem.

I do NOT have system-ca-certs in the NetworkManager connection file. I turned off power saving and ipv6. Still get

Dec 19 23:57:06 desktop kernel: [ 110.811108] wlan0: send auth to 00:19:cb:58:f6:b9 (try 1/3)
Dec 19 23:57:06 desktop kernel: [ 110.813360] wlan0: authenticated
Dec 19 23:57:06 desktop kernel: [ 110.813531] rt2800usb 2-1.5:1.0 wlan0: disabling HT as WMM/QoS is not supported by the AP
Dec 19 23:57:06 desktop kernel: [ 110.813536] rt2800usb 2-1.5:1.0 wlan0: disabling VHT as WMM/QoS is not supported by the AP
Dec 19 23:57:06 desktop kernel: [ 110.813718] wlan0: associate with 00:19:cb:58:f6:b9 (try 1/3)
Dec 19 23:57:06 desktop NetworkManager[935]: <info> (wlan0): supplicant interface state: authenticating -> associating
Dec 19 23:57:06 desktop kernel: [ 110.829841] wlan0: RX AssocResp from 00:19:cb:58:f6:b9 (capab=0x411 status=0 aid=3)
Dec 19 23:57:06 desktop wpa_supplicant[1348]: wlan0: Associated with 00:19:cb:58:f6:b9
Dec 19 23:57:06 desktop kernel: [ 110.836913] wlan0: associated
Dec 19 23:57:06 desktop kernel: [ 110.836925] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Dec 19 23:57:06 desktop NetworkManager[935]: <info> (wlan0): supplicant interface state: associating -> associated
Dec 19 23:57:07 desktop avahi-daemon[944]: Joining mDNS multicast group on interface wlan0.IPv6 with address fe80::f27d:68ff:fe15:5756.
Dec 19 23:57:07 desktop avahi-daemon[944]: New relevant interface wlan0.IPv6 for mDNS.
Dec 19 23:57:07 desktop avahi-daemon[944]: Registering new address record for fe80::f27d:68ff:fe15:5756 on wlan0.*.
Dec 19 23:57:11 desktop wpa_supplicant[1348]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:19:cb:58:f6:b9 reason=4
Dec 19 23:57:11 desktop kernel: [ 115.755373] cfg80211: Calling CRDA to update world regulatory domain
Dec 19 23:57:11 desktop kernel: [ 115.758863] cfg80211: World regulatory domain updated:
Dec 19 23:57:11 desktop kernel: [ 115.758867] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Dec 19 23:57:11 desktop kernel: [ 115.758869] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758872] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758874] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758876] cfg80211: (5170000 KHz - 52500...


confirmed on 13.10. cannot connect to school eduroam network without certificate. really annoying!

When setting up a wireless connection with PEAP and MSCHAPv2, but without CA cert, nm-applet puts system-ca-certs=true to its config file, regardless that I choose no CA certificate, and click on Ignore. It worked correctly a half year ago.
This ubuntu bug seems the same: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476

Changed in gentoo:
importance: Unknown → High
status: Unknown → New
Changed in gentoo:
importance: High → Medium

+*nm-applet-0.9.8.8-r1 (10 Jan 2014)
+
+ 10 Jan 2014; Pacho Ramos <email address hidden>
+ +files/nm-applet-0.9.8.8-revert-ca-certificates.patch,
+ +nm-applet-0.9.8.8-r1.ebuild,
+ -files/nm-applet-0.9.6.4-systray-icon-size.patch,
+ -files/nm-applet-0.9.8.4-autostart.patch, -nm-applet-0.9.6.4-r1.ebuild,
+ -nm-applet-0.9.8.2.ebuild, -nm-applet-0.9.8.4.ebuild:
+ Revert 'libnm-gtk: default to system CA certificates for validation for new
+ connections', bug #497296 by mateakos. Drop old.
+
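Review bot: the entry text "Revert 'libnm-gtk: default to system CA certificates for validation for new connections' ... Drop old." folds two unrelated things into one change: a change to certificate validation defaults (the added files/nm-applet-0.9.8.8-revert-ca-certificates.patch) and the removal of two older patches and three older ebuilds. Putting the cleanup in its own entry would keep the security-relevant revert easy to audit and to back out. The entry should also state the user-visible effect, namely that new connections no longer default to system CA certificates for validation, so anyone who wants the server certificate checked has to choose a CA themselves.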


User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

When connecting to WPA2/PEAP/MSCHAPv2 wifi networks which do not have a CA Certificate Network Manager may incorrectly mark the CA certificate as needing verification and fail that verification.

Reproducible: Always

Steps to Reproduce:
1. Attempt to connect to WPA2/PEAP/MSCHAPv2 wifi network which does not have a CA Certificate.
Actual Results:
The line system-ca-certs=true is erroneously added to the relevant Network Manager config file and connection fails.

Expected Results:
Connection to network should occur despite the lack of a CA Certificate (as many educational/business enterprise networks don't provide them).

See also https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476

Changed in network-manager (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in gentoo:
status: New → Fix Released
Yongjin Cho (yongjin.cho) wrote :

Is this bug really fixed?
I'm using Ubuntu 13.10 and I still cannot connect to my company network which is WPA2 enterprise PEAP without CA certificate.

Dmitry Maruschenko (yojick) wrote :

It has been fixed almost anywhere except ubuntu. For ubuntu it's triaged =(

Blaster (holst-niels) wrote :

@Dmitry Maruschenko (yojick) #130

Yes, it's pretty irritating. It's not really a bug in network manager though, it's "just" a glitch in the GUI.

Here's how to make it work:

1) Select a totally random certificate from /usr/share/ca-certificates/mozilla
2) Try to connect. You'll not succeed, but don't worry.
3) This WILL create a connection file in /etc/NetworkManager/system-connections
4) The name of the connection file (a text file) will be the name of the desired wifi network SSID
5) You need to edit that file as root. Do this in a terminal (ctrl-alt-t): gksu nautilus /etc/NetworkManager/system-connections
6) Select the file (the name of the SSID) you just created
7) In this file there will be two lines you need to remove. One will state the requirement of a certificate the other will point to the bogus-certificate you used in step 1). Remove both lines.
8) Be sure that the line "identity=" contains BOTH your domain and username, as in identity=DOMAIN\USER (replace DOMAIN and USER with your actual domain name and user-logon)

Congrats, if you did the above correctly you're now connected.

I totally agree that it's a joke that this isn't fixed yet. The "fix" posted by Pritam Baral (pritambaral) in #108 does NOT work anymore. It did however work when he posted it, but for 32 bit users it somehow created a connection file with "identity=DOMAIN\\USER". Notice the extra "\". Follow the steps from 5) to fix this. This is not criticism of Pritam Baral. He made a valid effort to try to fix it, but it's hilarious that this GUI-glitch wasn't fixed a long time ago.

Jan Hauke Maase (h-maase+dev) wrote :

Thank you, Blaster!

I was able to connect to my university WIFI. But after a bit of use I experience some kind of disconnect. My wifi keeps connected, but I'm not able to ping anything or connect to the internet / local LAN. Only a reconnect to the wifi fixes this, but not for long. Tested on:
- Ubuntu 13.10
- Ubuntu 12.04.3 LTS
- openSUSE 13.1

On both HP and Lenovo Notebooks.

Has anybody had the same problem?

Blaster (holst-niels) wrote :

@Jan Hauke Maase (h-maase+dev)

I'm glad it worked for you (I knew it would). The ridiculous thing about this is that probably 50% of the users and developers following this know exactly how to fix it, but no suggested fix is accepted.

If you were able to connect, you're no longer affected by this bug. My guess is that what you're now experiencing is a WIFI-driver bug, and my best guess is that your WIFI card is a Broadcom. You could try the following (NOTE: this is NOT related to this bug)

1) enable the proprietary Broadcom driver
2) (lol-option) disable 1) and opt for kernel support might work
3) Upgrade kernel. You might want to try kernel 3.13. That fixed it for me.

Try this at YOUR OWN RISK:

cd /tmp
wget http://goo.gl/x4JYAz -O kernel-3.13
chmod +x kernel-3.13
sudo sh kernel-3.13
sudo reboot

The above is NOT related to the bug described in this thread, and I will not provide further advice here!

Pritam Baral (pritambaral) wrote :

@Blaster (holst-niels) #131

My patch has nothing to do with DOMAIN logins. In fact, it has nothing to do with anything other than precisely "sys-ca-cert".
It is, however, outdated (I don't use Ubuntu myself). I haven't updated it since I posted it, and it is possible that a newer edition of NM itself might have caused the DOMAIN issue you speak of.

Also, it IS a bug in NetworkManager itself. sys-ca-certs should never even exist. That is not how 802.1x is done. It is not a replica of the https model. Refer: https://bugzilla.gnome.org/show_bug.cgi?id=702608#c17

My patch doesn't touch NM simply because NM is larger than nm-applet. I only added the gui option of sys-ca-certs because it was easier.

Blaster (holst-niels) wrote :

Pritam Baral (pritambaral) #134

You're right, but somehow, down the line, I thought your fix produced the double " \", but it's most certainly not your fault. Just checked, and it's definitely a bug introduced by a Network Manager "update" and not by your fix. Sorry.

You're probably the only person in this unnecessary thread, that I respect for actually trying to fix the problem. Actually, you DID fix the problem for a while.

For now, the only work-around is #131

Peace, man.

bfrancom@gmail.com (bfrancom) wrote :

I've had this problem for a long time on Debian Wheezy up to the past several releases of Ubuntu. Even running mainline kernels doesn't seem to fix it. Currently on Ubuntu 13.10 3.14.0-031400rc1-generic
Today, I finally got some stability by adding/modifying the line to: system-ca-certs=false AND then changing the rights to read only on the connection.
 chmod -w <ssid>
Not sure how long this will work, but it's survived several suspends/connects/disconnects much better than before.

John Small (jds340) wrote :

Still not fixed. I can connect to my company WPA2/PEAP/MSCHAPv2 network which is configured without CA_Certificate.

I can get a connection from my iPad, Mac, Android phone, Kindle (and Google Glass but that's someone else's). But I cannot connect from Ubuntu 13.10 with all the latest patches.

When is this ever going to be recognized as something that needs fixing?

12.x was Ok, 13.x has been broken since release. There seems to be a coder in charge of this that thinks not having a certificate means you shouldn't be allowed to connect. But lots of companies set things up to not use a certificate.

Please fix it.

Have you tried the following workaround? Assume the ssid of your network is called "mynetwork":

sudo gedit /etc/NetworkManager/system-connections/mynetwork

eliminate a line that says:
system-ca-certs=true

Substitute "mynetwork" by the name of your wifi network.

Albert Pool (albertpool) wrote :

In upstream Gnome the bug has been fixed with commit: https://git.gnome.org/browse/network-manager-applet/commit/?id=c798c40c5dce3bc6d9b615621cefe59660b5a504

The Gnome bug report also includes some comments by Stefan Winter from Eduroam (the wifi network of many universities including mine), describing why this needs to be changed. Ubuntu developers please take a look at this comment by him: https://bugzilla.gnome.org/show_bug.cgi?id=702608#c17

spaceriker (spaceriker) wrote :

This is still broken in:
---
Distributor ID: Ubuntu
Description: Ubuntu 13.10
Release: 13.10
Codename: saucy
---

Note that this is a 64bit version, so I'm guessing that the 64bit version of network-manager did not get this fix?

spaceriker (spaceriker) wrote :

FWIW, turning system-ca-certs=false fixed it.

Kai Blin (kai.blin) wrote :

Still broken in 14.04, workaround works fine.

Albert Pool (albertpool) wrote :

Indeed, the upstream fix did not reach debian/ubuntu yet. Even Sid does not have it yet, so I guess we'll need to be patient, until 14.10 or something like that.
I did, however, bring this to the attention of the Linux Mint developers. Should Mint provide a fixed network-manager-gnome package, it could be made available for download for Ubuntu users too.

SOLVED

sudo gedit /etc/NetworkManager/system-connections/#WIFI-NETWORK#

Substitute #WIFI-NETWORK# with your config file name

Comment (add an # before) or erase the following line:
system-ca-certs=true

Save the file and it just works. If you made any changes using network manager you must repeat this procedure.
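To see which of these states a connection file is in without opening each one in an editor, the check below parses a keyfile of the kind stored in /etc/NetworkManager/system-connections and reports how its [802-1x] section validates the server certificate. It is an added example, not code from NetworkManager or from anyone in this thread; the sample keyfiles, the CA path and the function name are constructed for illustration.

```python
import configparser
import sys

# Constructed sample keyfiles; only the [802-1x] keys matter for this check.
SYSTEM_CA_ONLY = """\
[connection]
id=eduroam
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.org
phase2-auth=mschapv2
system-ca-certs=true
"""
# The workaround from this thread: the line is commented out.
LINE_REMOVED = SYSTEM_CA_ONLY.replace("system-ca-certs=true", "#system-ca-certs=true")
# A connection that names the CA of its RADIUS server (hypothetical path).
CA_SET = LINE_REMOVED + "ca-cert=/etc/ssl/certs/example-campus-ca.pem\n"


def audit_8021x(keyfile_text):
    """Classify how one connection keyfile validates the 802.1X server certificate."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return "not-8021x"
    sec = cp["802-1x"]
    ca_cert = (sec.get("ca-cert") or "").strip()
    # An absent key counts as false, which is the property's default.
    system_ca = (sec.get("system-ca-certs") or "false").strip().lower() == "true"
    if ca_cert:
        return "ca-cert-set"
    if system_ca:
        # Only the system trust store is consulted, so a server whose certificate
        # chains to a private or self-signed CA is rejected (the failure in this bug).
        return "system-ca-only"
    # Nothing is checked: the client cannot tell the real server from an impostor.
    return "no-server-validation"


if __name__ == "__main__":
    # Usage: sudo python3 audit.py /etc/NetworkManager/system-connections/*
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(f"{path}: {audit_8021x(fh.read())}")
```

A result of `no-server-validation` is the state the workaround leaves a connection in; `ca-cert-set` is the state where the connection both works against a private CA and still checks the server.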

frank (dallco) wrote :

@ Esteban this problem is not solved! Posting a workaround does not solve the bug.

The line system-ca-certs=true is still added to /etc/NetworkManager/system-connections/#WIFI-NETWORK# despite the fact I choose ignore certificate in the dialog. (daily live 5-4-2014)
