Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise wifi networks without CA_Certificate, like Eduroam

Bug #1104476 reported by zsolt.ruszinyák
This bug affects 282 people
Affects | Status | Importance | Assigned to | Milestone
NetworkManager | Fix Released | High | |
Release Notes for Ubuntu | Fix Released | Undecided | Andy Whitcroft |
Fedora | Fix Released | Medium | |
Gentoo Linux | Fix Released | Medium | |
network-manager (Debian) | New | Unknown | |
network-manager (openSUSE) | Won't Fix | High | |
network-manager-applet (Ubuntu) | Triaged | High | Unassigned |
  Nominated for Xenial by Alberto Salvia Novella
  Trusty | Triaged | High | Unassigned |
wpasupplicant (Ubuntu) | Triaged | High | Unassigned |
  Nominated for Xenial by Alberto Salvia Novella
  Trusty | Triaged | High | Unassigned |

Bug Description

HOW TO REPRODUCE:
Connect to a WPA2/PEAP/MSCHAPv2 enterprise wifi network that doesn't use a CA Certificate, like Eduroam.

RESULT:
The computer doesn't connect, as the certificate verification fails.

WORKAROUNDS:
(http://askubuntu.com/questions/279762/cant-connect-to-wpa2-enterprise-peap)

RELEASE NOTES TEXT:
When connecting to WPA2/PEAP/MSCHAPv2 enterprise wifi networks that don't use a CA Certificate, like Eduroam, the connection fails (http://askubuntu.com/questions/279762/cant-connect-to-wpa2-enterprise-peap)

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :
summary: Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students|
+ university students)
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
hepaly (hurezi) wrote :

I have the same problem. I cannot connect to the wifi network (WPA and WPA2 Enterprise PEAP, MSCHAPv2 + username/password).
The network manager doesn't accept my password. Last week, it worked well. (2013. 03.15.)

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

The certificate authority is missing. You may want to add it to the configuration in NetworkManager to point to a CA certificate that can be provided to you by your network administrator:

Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxxx'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxx' err='unable to get local issuer certificate'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 24 21:28:22 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I've noticed this too happening with self-signed certificates in universities. The alternative is to edit the connection file in /etc/NetworkManager/system-connections to remove "system-ca-certs=true".

Changed in network-manager (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :

but why only since 13.04 if it worked fine so far. anyway, I have found something here, it should be the certificate, but I haven't got round to try it myself: http://www.lan.kth.se/eduroam/AddTrust_External_CA_Root.pem does it work for you, hepaly?

Revision history for this message
hepaly (hurezi) wrote :

Hi Zsolt, this problem affects me when I try to connect to my office network. We never used a certificate authority. The wifi network allows the connection when I use a specific hostname and username/password. Ubuntu 12.10 is working well. Last week, the wifi connection was OK on Ubuntu 13.04.

Revision history for this message
hepaly (hurezi) wrote :

I got a certificate file (*.crt) from IT, and the connection is working well (with this cert. file). It is interesting, because the 12.10 works without this file.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

if it doesn't change, this could mean a serious move-away from ubuntu,
cause I installed ubuntu to many of my friends just because they were
unable to connect to eduroam in windows! don't underestimate this, I would
mark this of a very high importance, being a dev...
On Mar 19, 2013 2:02 PM, "hepaly" <email address hidden> wrote:

> I got a certificate file (*.crt) from IT, and the connection is working
> well (with this cert. file). It is interesting, because the 12.10 works
> without this file.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to Eduroam (worldwide WiFi network for
> university students)
>
> Status in “network-manager” package in Ubuntu:
> Invalid
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner authentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/0
> nmcli-dev:
> DEVICE TYPE ...


Revision history for this message
Alfredo Buttari (alfredo-buttari) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Hi Hepaly,
what kind of certificate did you use? googling around I found (here, for example https://admin.kuleuven.be/icts/english/wifi/eduroam-ubuntu) that with the

/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

should work but instead it does not work for me.

alfredo

Revision history for this message
hepaly (hurezi) wrote :

Here are some screenshots about this issue:
I can connect to office network without using CA certificate file (ubuntu 12.10 live cd):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu12.10_wpa2E.png

Ubuntu 13.04 daily build doesn't accept my password. (using same settings, as ubuntu 12.10):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E.png

But if I use the CA certificate file, what I got from IT guys, then the password validation is OK, and it connects to wifi network.
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E_ok_with_crt.png

Actually it works well using with CA certificate file, but why does the 12.10 work without this file? Is it bug or feature? :)

Changed in network-manager (Ubuntu):
status: Invalid → New
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :

I'm marking this again as new, cause the definition of invalid says that it should be a support request which it is not, because canonical cannot provide support to solve it.

most people don't know what a CA certificate is, so you can't leave it this way, cause they will say, that ubuntu just cannot connect and they are moving back to windows... you have to consider what normal people will think about this.

Revision history for this message
Alfredo Buttari (alfredo-buttari) wrote :

I've tried all sorts of certificates in the last few days (searching on google people say to use different types of them) but I couldn't make this work. Moreover the Eduroam site says to leave the certificate field empty. I can connect with my telephone with no problems so I'm sure the problem is not related to my account. I'll check if it works with an older ubuntu version asap.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

I have tried with different certificates (cause my school hasn't issued
one) and it didn't work. currently there's no way for us to connect to
eduroam in 13.04.
On Mar 25, 2013 10:50 AM, "Alfredo Buttari" <email address hidden>
wrote:

> I've tried all sorts of certificates in the last few days (searching on
> google people say to use different types of them) but I couldn't make
> this work. Moreover the Eduroam site says to leave the certificate field
> empty. I can connect with my telephone with no problems so I'm sure the
> problem is not related to my account. I'll check if it works with an
> older ubuntu version asap.

Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
Igor Petrović (paradajz) wrote :

Also unable to connect, works well in any Ubuntu version except for 13.04.

Revision history for this message
gluca (gianluca-carlesso) wrote :

Hi! I have the same bug. The problem occurs only in 13.04.

Revision history for this message
Eduard Gotwig (gotwig) wrote :

I have the same problem.
Very bad.

My college, the b.i.b International College Bergisch Gladbach (www.bg.bib.de) is affected!

In 12.04 it worked perfectly!

summary: - Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students)
+ Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
summary: - Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network

If this bug does not get fixed, a whole industry is affected.

This bug has to be critical!

summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
+ CA_Certificate
Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Sry, I just want to note that removing "system-ca-certs=true" from /etc/NetworkManager/system-connections solved the problem for me!

Revision history for this message
Eduard Gotwig (gotwig) wrote :

Remove the line that I marked (line 20) , to fix it

This is an example of my NetworkManager profile.

This file is saved under /etc/NetworkManager/system-connections/

with connecting to the wireless point at my college. (www.bg.bib.de)

Revision history for this message
Brendan Donegan (brendan-donegan) wrote :

So it seems the problem is system-ca-certs=true is being added despite Eduard cancelling the request for the cert.

Changed in network-manager (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I had no possibility of testing these days. any progress, guys?
On Apr 9, 2013 11:30 AM, "Brendan Donegan" <email address hidden>
wrote:

> So it seems the problem is system-ca-certs=true is being added despite
> Eduard cancelling the request for the cert.
>
> ** Changed in: network-manager (Ubuntu)
> Importance: Undecided => High
>
> ** Changed in: network-manager (Ubuntu)
> Status: Confirmed => Triaged

Revision history for this message
Carl Davis (carl.davis) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I can confirm that even though I choose ignore on the CA Cert dialog, the line "system-ca-certs=true" was added to system-connections. It works fine after I set that to false.

Revision history for this message
Ryan Yates (ryanyates23) wrote :

Hey, my laptop can't even find eduroam or setup-wifi to even attempt connecting since upgrading to 13.04. How can I go about fixing this?

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

upgrading is not good. try to fire up a usb image and try if it can
connect in the live mode. the problem is probably with the upgrade. but
first try to connect to a hidden network.
On Apr 17, 2013 5:45 AM, "Ryan Yates" <email address hidden> wrote:

> Hey, my laptop can't even find eduroam or setup-wifi to even attempt
> connecting since upgrading to 13.04. How can I go about fixing this?

Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Ryan: Just read the log on this page...

Revision history for this message
Pedro Nunes (nunes-p89) wrote :

I am affected too.
Let's hope that on Monday it's already fixed! :P

Revision history for this message
cosmin (wizardelo) wrote :

well I just tried 13.04 on a live-usb and this issue is still there :(
cannot connect to peap without CA, line "system-ca-certs=true" is still added despite choosing no CA

Revision history for this message
Matthew Dye (mdye) wrote :

I believe this may be a GNOME problem. When I try it under Kubuntu and KDE, I can connect fine; while in GNOME, I cannot connect to my university (University of Missouri) wifi network.

Revision history for this message
Ben Hilburn (bhilburn) wrote :

Confirming that this is a really serious issue.

PEAP connection, MSCHAPv2, no certificate but with a username & password, I *cannot* connect to the network. Previous versions of Ubuntu work fine. Indeed, my credentials on another machine running 12.10 work just fine.

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
Revision history for this message
mrtrick (patrick-hendrick) wrote :

I can confirm this issue on a Lenovo T510, PEAP, MSCHAPv2, no cert. Switching to LEAP seems to hold fine. Removing system-ca-certs=true did not stabilize my connection at all. I am able to get connected, but drops every few minutes and sometimes will not connect at all.

Revision history for this message
Fei (feisung) wrote :

Hey Guys, this problem is quite serious!! Excitement in the morning after the upgrade on home wifi then complete disappointment after 2hrs+ attempting to patch it :(
 Tried just about all that was posted here and was unsuccessful. eduroam and other enterprise wpa networks just don't work anymore. Please supply a quick fix...

Revision history for this message
DeepJoy (deepjoy) wrote :

Confirmed "system-ca-certs=true" is still added despite choosing no CA and choosing ignore along with do not warn me again on the popup.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

this is the 1. ubuntu release I didn't install right after it came out.
guess why.

and by the way the workaround by Eduard Gotwig from comment #19 sadly
doesn't work here either. the line is always re-added. please explain to us
better how u did it cause more people have reported here that it doesn't
work.

Revision history for this message
Tyler (tyler.h) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Workaround of removing "system-ca-certs=true" only works temporarily. Next time NetworkManager touches the profile, the line reappears in the profile.
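
The profile states discussed in this thread (system-ca-certs=true, that line removed or set to false, and an explicit CA file) can be told apart by reading the [802-1x] section of the profile. This is an added example, not part of any comment here and not NetworkManager code; the sample profiles, the identity, the CA path and the verdict names are constructed for illustration.

```python
import configparser

# Constructed sample profile in NetworkManager keyfile syntax, as stored under
# /etc/NetworkManager/system-connections/. The identity is a placeholder.
PROFILE_SYSTEM_STORE = """\
[connection]
id=eduroam
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=user@example.org
phase2-auth=mschapv2
system-ca-certs=true
"""
# The workaround from the thread: the system-ca-certs line removed.
PROFILE_WORKAROUND = PROFILE_SYSTEM_STORE.replace("system-ca-certs=true\n", "")
# The other route from the thread: a CA file supplied by the network
# administrator. The path is a placeholder.
PROFILE_PINNED_CA = PROFILE_WORKAROUND + "ca-cert=/etc/ssl/certs/example-radius-ca.pem\n"

# Tunnelled EAP methods that carry a password exchange inside TLS.
PASSWORD_METHODS = {"peap", "ttls"}
# 802-1x settings that additionally constrain the expected server name.
NAME_CHECK_KEYS = ("subject-match", "altsubject-matches", "domain-suffix-match")


def audit_keyfile(text):
    """Report how an 802.1X profile validates the authentication server."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return {"verdict": "not-802.1x", "findings": []}

    sec = cp["802-1x"]
    methods = {m for m in sec.get("eap", "").lower().split(";") if m}
    ca_cert = sec.get("ca-cert", "").strip()
    system_store = sec.get("system-ca-certs", "false").strip().lower() == "true"
    name_check = any(sec.get(key, "").strip() for key in NAME_CHECK_KEYS)

    findings = []
    if ca_cert:
        verdict = "pinned-ca"
    elif system_store:
        verdict = "system-store"
        findings.append("server chain must lead to a CA in the system store; a "
                        "private or self-signed CA fails with 'unable to get "
                        "local issuer certificate'")
    else:
        verdict = "no-validation"
        findings.append("server certificate is not verified")
        if methods & PASSWORD_METHODS:
            findings.append("password exchange is tunnelled to an unauthenticated server")
    if verdict != "no-validation" and not name_check:
        findings.append("no server name check configured")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    samples = [("system-ca-certs=true", PROFILE_SYSTEM_STORE),
               ("line removed", PROFILE_WORKAROUND),
               ("ca-cert set", PROFILE_PINNED_CA)]
    for label, text in samples:
        result = audit_keyfile(text)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

A profile that reports "no-validation" connects to any access point announcing the SSID, which is why the CA file from the network administrator is the durable fix rather than the removed line.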

Revision history for this message
BrunoB (bruno-bak) wrote :

How I got it working:

1. Download the AddTrust External CA Root (Base64 format) available here: http://iss.leeds.ac.uk/helpdesk/eduroam-certificates
2. Double click it and import using Gnome2 Key Storage (requires sudo privileges).
3. Go to Network connections (right click on the wi-fi logo on the top right of the screen) and Add a new connection.
4. Name the new connection "eduroam" and have the SSID also "eduroam"
5. Under Wi-fi security choose "WPA 2 enterprise", Authentication: "Protected EAP (PEAP)", CA Certificate: browse to the file you downloaded in step 1.
6. Username: use your COMPLETE email (include @schoolname.something).
7. Include your password.
Save it.
Good luck

Revision history for this message
Franko Burolo (fburolo) wrote :

Same problem here. And 13.04 really is the first Ubuntu where this doesn't work. And sure it IS critical!
If this is not fixed, Ubuntu will prove useless for most education (students/profs) and business users. And the bug is still unassigned since January?! Come on!

I just can't believe that the swirl direction of the BFB icon was a more important bug than this one... In terms that it was promptly addressed, unlike this one.

Revision history for this message
vacaloca (ltirado) wrote :

I just wanted to say that comment #19 of removing "system-ca-certs=true" from /etc/NetworkManager/system-connections also worked for me. Actually, what I did was set the statement to false. When I re-started the connection, it worked on the next try.

I also did a sudo chmod -w NUwave after the first time it connected, so that should avoid the statement from reappearing since now the file is read-only. Given the connection name, I'm at Northeastern University, which uses WPA2/PEAP/MSCHAP as well.

From /var/log/syslog upon successful authentication:

May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:21:52 wpa_supplicant[1434]: last message repeated 2 times
May 2 13:21:52 Faraday wpa_supplicant[1434]: EAP-MSCHAPV2: Authentication succeeded

Before the statement was switched to false, syslog showed statements like:

May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
May 2 13:02:59 wpa_supplicant[1483]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:03:00 wpa_supplicant[1483]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:e7:7b:51 reason=6

Before I had tried this, I had attempted to use the certificate that Windows 7 associated with the same NUwave wireless connection, but I was still unsuccessful at authenticating even with that. The odd thing is that a few weeks back when I tested with an Ubuntu 13.04 Beta 2 USB stick it worked fine, but stopped working at some point, and I re-tested with the USB stick today and it still failed, so at that point I knew it wasn't anything package related and stumbled across this bug and solution which fixed it! :)
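
Several reports in this thread describe the failure as a rejected password, while the syslog excerpts show the TLS handshake failing before MSCHAPv2 runs. The following added example (not part of any comment here and not wpa_supplicant code) groups wpa_supplicant syslog lines into EAP attempts and separates the two cases; the first attempt uses lines from the failing excerpt above, the second attempt (pid 2001, radius.example.org) is constructed, and the outcome labels are this example's own.

```python
import re

SAMPLE_LOG = """\
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:05:10 wpa_supplicant[2001]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:05:10 wpa_supplicant[2001]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org'
May 2 13:05:11 wpa_supplicant[2001]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# Matches with or without a hostname field, as both forms appear in the thread.
LINE_RE = re.compile(r"wpa_supplicant\[(\d+)\]: (.*)")
CERT_ERR_RE = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(\d+) depth=(\d+) "
    r"subject='([^']*)' err='([^']*)'"
)


def classify_attempts(log_text):
    """Return one record per finished EAP attempt, in log order."""
    attempts = []
    open_by_pid = {}  # attempt in progress, keyed by wpa_supplicant pid
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        pid, msg = match.group(1), match.group(2)
        if "CTRL-EVENT-EAP-STARTED" in msg:
            open_by_pid[pid] = {"pid": int(pid), "cert_error": None}
            continue
        # Excerpts may begin mid-attempt, so create the record on demand.
        state = open_by_pid.setdefault(pid, {"pid": int(pid), "cert_error": None})
        cert = CERT_ERR_RE.search(msg)
        if cert:
            state["cert_error"] = {
                "depth": int(cert.group(2)),  # 0 = server cert, 1+ = issuing CAs
                "subject": cert.group(3),
                "err": cert.group(4),
            }
        elif "CTRL-EVENT-EAP-SUCCESS" in msg:
            attempts.append({**open_by_pid.pop(pid), "outcome": "success"})
        elif "CTRL-EVENT-EAP-FAILURE" in msg:
            finished = open_by_pid.pop(pid)
            # A certificate error means the client aborted the TLS tunnel, so
            # the password was never evaluated by the server.
            outcome = ("server-cert-untrusted" if finished["cert_error"]
                       else "failed-no-cert-error")
            attempts.append({**finished, "outcome": outcome})
    return attempts


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_LOG):
        print(attempt["pid"], attempt["outcome"])
        if attempt["cert_error"]:
            err = attempt["cert_error"]
            print(f"  depth={err['depth']} {err['err']}: {err['subject']}")
```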

Revision history for this message
Franko Burolo (fburolo) wrote :

The workaround works for me, too. Even without making the file read-only. I connected at my faculty's library in the early afternoon today. But I still think this is a critical issue, that could turn people away from Ubuntu.

It's very interesting what vacaloca said about the old unchanged live image working once, and then not... Yet, the fact remains that this works completely fine in both 12.04 and 12.10, and just in 13.04 not.

Revision history for this message
Fei (feisung) wrote :

I give up... this has just got me switching to another Linux distro! Spent the whole week trying to rebuild my machine just cos of this issue... One year + of Ubuntu Love now to its brother... Which I should state that wpa-enterprise works at time of writing that is!

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

see? that's what I was talking about earlier.

don't u realize that u are destroying what u have been building all those 9
years?

u shouldn't have rolled out the new ubuntu with this.
On May 4, 2013 6:11 PM, "Fei" <email address hidden> wrote:

> I give up... this has just got me switching to another Linux distro!
> Spent the whole week trying to rebuild my machine just cos of this
> issue... One year + of Ubuntu Love now to it's brother... Which I should
> state that wpa-enterprise works at time of writing that is!
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1104476
>
> Title:
> Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
> CA_Certificate
>
> Status in “network-manager” package in Ubuntu:
> Confirmed
>
> Bug description:
> I can connect to Eduroam in 12.10 and any other previous release, but
> not in 13.04. I checked, my name and password are correct, all
> settings are the same as in 12.10.
>
> Network properties:
>
> security: WPA - WPA2 enterprise
> authentication: protected EAP (PEAP)
> CA certificate: none
> PEAP version: automatic
> inner autentication: MSCHAPv2
> username: (required)
> password: (required)
>
> ProblemType: Bug
> DistroRelease: Ubuntu 13.04
> Package: network-manager 0.9.6.0+git201301021750.e78c3e8-0ubuntu3
> ProcVersionSignature: Ubuntu 3.8.0-1.5-generic 3.8.0-rc4
> Uname: Linux 3.8.0-1-generic i686
> ApportVersion: 2.8-0ubuntu2
> Architecture: i386
> CasperVersion: 1.330
> Date: Thu Jan 24 21:32:25 2013
> IfupdownConfig:
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
> IpRoute:
> default via 192.168.43.1 dev wlan0 proto static
> 169.254.0.0/16 dev wlan0 scope link metric 1000
> 192.168.43.0/24 dev wlan0 proto kernel scope link src
> 192.168.43.149 metric 9
> LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130123)
> MarkForUpload: True
> NetworkManager.state:
> [main]
> NetworkingEnabled=true
> WirelessEnabled=true
> WWANEnabled=true
> WimaxEnabled=true
> ProcEnviron:
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager
> UpgradeStatus: No upgrade log present (probably fresh install)
> nmcli-con:
> NAME UUID TYPE
> TIMESTAMP TIMESTAMP-REAL AUTOCONNECT
> READONLY DBUS-PATH
> AndroidAP 978da457-563b-4c59-a894-45eb0f74fcb7
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/2
> Wired connection 1 6703fabc-9519-49bd-a4af-45fbfb7d660e
> 802-3-ethernet 1359062570 Thu 24 Jan 2013 09:22:50 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/1
> eduroam 00f69a95-4a1b-436c-b462-a284f45fbaa1
> 802-11-wireless 1359063171 Thu 24 Jan 2013 09:32:51 PM UTC yes
> no /org/freedesktop/NetworkManager/Settings/0
> nmcli-dev:
> DEVICE ...


Revision history for this message
Louis Mondésir (louis-mondesir) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I've got the same bug. Editing the conf file just brings me random disconnections each minute. Please fix this, I'm using Ubuntu for my studies ;)
(ps: sorry for bad english)

Revision history for this message
Franko Burolo (fburolo) wrote :

...and still unassigned. :-/

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

ubuntu's gonna be the new "OFFLINE OS" :))) that's the right way to
penetrate the mobile market, isn't it?
On May 6, 2013 1:11 AM, "Franko Burolo" <email address hidden> wrote:

> ...and still unassigned. :-/

Revision history for this message
ભાવિન દોશી (bkd-online) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I had the same problem, and comment #4 (https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476/comments/4) in this thread worked for me!

Revision history for this message
Franko Burolo (fburolo) wrote :

So, we know that Network Manager should either remove that line or set it on false automatically, but it doesn't. We know it probably happens only in Gnome, though. See comment #29. I guess Kubuntu uses Network Manager too, but I might be wrong. No devs at all interested in investigating this, really?

Maybe they are trying to induce us to learn programming and fix it ourselves. :-D

Revision history for this message
Marius B. Kotsbak (mariusko) wrote :

Hmm, I do not understand this. I'm using Eduroam with Raring and have not seen this problem. Maybe it is different since I have upgraded? I see that I have "system-ca-certs=true" setup for the connection.

Anyway, I have pointed to the certificate file: "ca-cert=/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem". Why can't you do that too? The connection and password is then much safer, so that you know that the network is the right one and not a fake copy.
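
Added example, not part of the original thread and not NetworkManager's own code: a Python sketch that classifies keyfile profiles, like those under /etc/NetworkManager/system-connections/, by how the 802.1X server certificate is checked, which is the difference between the `system-ca-certs` workaround and a configured `ca-cert`. The sample profiles and the `example.edu` names are constructed; the `[802-1x]` section name and the `subject-match`, `altsubject-matches` and `domain-suffix-match` keys are not quoted in this thread and are assumed from NetworkManager's keyfile format.

```python
import configparser
import os

# Keys that tie the accepted server certificate to a name (assumed from
# NetworkManager's 802-1x settings; they are not quoted in the thread).
NAME_CHECK_KEYS = ("subject-match", "altsubject-matches", "domain-suffix-match")

# Constructed sample profiles, not taken from the bug report.
SAMPLES = {
    "workaround-false": """[connection]
id=eduroam
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.edu
phase2-auth=mschapv2
system-ca-certs=false
""",
    "workaround-line-removed": """[connection]
id=campus
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.edu
phase2-auth=mschapv2
""",
    "system-store": """[connection]
id=corp
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.edu
phase2-auth=mschapv2
system-ca-certs=true
""",
    "ca-and-name": """[connection]
id=eduroam
type=802-11-wireless

[802-1x]
eap=peap;
identity=user@example.edu
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/example-root.pem
altsubject-matches=DNS:radius.example.edu;
""",
    "home-psk": """[connection]
id=home
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
""",
}


def parse_8021x(text):
    """Return the [802-1x] section as a dict, or None if the profile has none."""
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True
    )
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return None
    return dict(cp["802-1x"])


def classify(text):
    """Classify one keyfile by how the RADIUS server certificate is checked."""
    sec = parse_8021x(text)
    if sec is None:
        return "not-802.1x"
    ca_cert = (sec.get("ca-cert") or "").strip()
    system_ca = (sec.get("system-ca-certs") or "false").strip().lower() == "true"
    name_check = any((sec.get(k) or "").strip() for k in NAME_CHECK_KEYS)
    if not ca_cert and not system_ca:
        # State left by the workaround: no trust anchor, so the client cannot
        # tell the real network from a copy before the inner MSCHAPv2 exchange.
        return "no-server-validation"
    # A trust anchor is set; a name check narrows it to the expected server.
    return "ca-and-name" if name_check else "ca-only"


def audit(profiles):
    """Map profile name -> classification for a dict of keyfile texts."""
    return {name: classify(text) for name, text in profiles.items()}


def audit_dir(path="/etc/NetworkManager/system-connections"):
    """Audit real profiles; the files are normally readable by root only."""
    found = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                found[name] = fh.read()
    return audit(found)


if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name:26} {status}")
```

Profiles reported as `no-server-validation` are the ones to revisit once the network operator publishes its CA certificate and server name.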

Revision history for this message
Franko Burolo (fburolo) wrote :

You are not seeing this problem because you ARE using CA certificate. When you don't have one Network Manager should ignore it and connect anyway, if you tell him so, which doesn't happen without manually editing a config file to force it to do so.

Now, it IS true that using a cert is safer, but my faculty doesn't even provide one. The network we use there is not Eduroam (though we have that too, for guests), but a local one. A year or so ago, I wrote them about this, they told me that it wasn't necessary, and that they don't have plans to provide it in the future. So I was thinking "Oh, well, whatever. As long as I can connect." And from the comments above, I see that my faculty is not the only one. So this is still of high importance, if not critical.

Revision history for this message
Franko Burolo (fburolo) wrote :

...because most people will just follow their faculty's/company's IT team instructions, and those don't always provide any CA certificate.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

u are absolutely right, franko, my faculty doesn't provide a cert either and
I can confirm that people always follow the faculty's instructions. we have
a nice step by step tutorial for each OS and I also used when I set up
eduroam for the 1st time.

this bug is critical.
On May 6, 2013 5:15 PM, "Franko Burolo" <email address hidden> wrote:

> ...because most people will just follow their faculty's/company's IT
> team instructions, and those don't always provide any CA certificate.

Revision history for this message
xyloman (xyloman) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Removing the system-ca-cert=true line also worked in my configuration. I didn't notice this being an issue post upgrade because the configuration in the NetworkManager was working. I had to update my configuration in the NetworkManager because of a password rotation and this caused the system-ca-cert=true to be added to the file even though I answered Ignore to the dialog prompt. Upon finding this bug through google I removed the line from the /etc/NetworkManager/system-connections/<essid> file and my wireless connection started to work again.

Revision history for this message
Pedro Nunes (nunes-p89) wrote :

After all removing system-ca-certs=true from the file solved the problem.

Regards :P

Revision history for this message
Franko Burolo (fburolo) wrote :

Yeh, in a regular support forum, this would be marked as [solved]... But this is a bug report, and is still unassigned, since January! :-/

Revision history for this message
Falk (andreas-mockel) wrote :

I can confirm this "problem"

When I rotated server certs on our NPS'es from the CA in the PKI env.
The networkmanager messed with the file and the connection stopped working.

On our NPS radius server

Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.

So it seems that even if I ignore the CA warning it sends some information of CA's to the NPS.
I haven't had the time to debug it further. But when editing the suggested line things started working again.

--
Regards Falk

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

earlier the workaround with removing the ominous line didn't work for me,
so I tried to set it to false as carl davis suggested in comment #23 and
it works. it looks like this method should work for anyone. it somehow
removes the line anyway.
Sry, I just want to note that removing "system-ca-certs=true" from
/etc/NetworkManager/system-connections solved the problem for me!


Revision history for this message
Franko Burolo (fburolo) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Ok, but this is just a workaround, not a fix... :-/

Revision history for this message
Marius B. Kotsbak (mariusko) wrote :

I connected to eduroam using a Raring live cd without selecting a CA. Maybe the system ca setting means that it tries your system CA certificates? In that case this bug only applies to certificates used that are not in your system, e.g. self signed ones.

Revision history for this message
Franko Burolo (fburolo) wrote :

I don't follow you... We are not having problems with certain certificates, but with connecting without one. So this bug applies only to a no-certificate situation. Read up the description again, please.

Revision history for this message
Marius B. Kotsbak (mariusko) wrote :

In that case I assume the option you remove tries system CAs instead and fails if a certificate chain to one is not found.

Revision history for this message
Franko Burolo (fburolo) wrote :

Maybe... Could you look into it and take this assignment, please? I see you have already been active in Network Manager bug fixing. :-)

Revision history for this message
Myzeus (myzeus) wrote :

I can confirm the method in comment #23 works for me at UNIVPM (Ancona - Italy) with Ubuntu 13.04 Raring 64bit.

This is what I have done:
1) Connect to Eduroam using Network Manager inserting name, password and ignoring the certificate request. The connection fails, but the associated network profile appears in "/etc/NetworkManager/system-connections/eduroam"
2) Turn off Wi-Fi
3) Open the terminal and edit the network profile with "sudo nano /etc/NetworkManager/system-connections/eduroam"
4) Change the line "system-ca-certs=true" to "system-ca-certs=false"
5) Turn on Wi-Fi
6) Connect to Eduroam using Network-Manager as usual

Looking at the network profile I have seen that the line "system-ca-certs=false" was removed, therefore I think that also the method in comment #19 works, but it did not for me.

Revision history for this message
maxadamo (massimilianoadamo) wrote :

Just OT.
Yes, the workaround fixes the issue.

OT: Troubles came from the day when Network Manager was invented.
It has never been reliable and - as we can see in every day experience - it has never been tested properly.
My favorite method for network configuration is the one used in Red Hat 5.

Revision history for this message
Yasar Wafeeq (yasir-wafeeq) wrote :

Hello everybody. I am also a victim of this problem. Due to this wifi problem I am unable to use Ubuntu. I started hating Ubuntu. I cannot connect to eduroam. It connects and after some time it disconnects again after a few seconds, and it keeps going on like that, connecting then disconnecting. When I restart my laptop it asks for the password and username again and authentication is required. What is this? Please help me.

Revision history for this message
alecive (alecive) wrote :

Ok now we found both the bug and the workaround. When is the fix supposed to be moved upstream?

Revision history for this message
rgrig (radugrigore) wrote :

None of the following workarounds work for me:
1. remove "system-ca-certs=true" from /etc/NetworkManager/system-connections
2. change "system-ca-certs=true" into "system-ca-certs=false"
3. add a certificate, namely /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

What did work was to boot with kernel 3.5 instead of 3.8.

Revision history for this message
Elliot K Payen Padilla (epayen) wrote :

Dear friends... I have the same problem. I tested with a live CD of Ubuntu 12.08 and it worked smoothly, but when I returned to 13.04 I got the same problem. We just have to wait for the fix for this bug. Thanks for sharing your experiences.

Revision history for this message
Franko Burolo (fburolo) wrote :

Yeh, but if nobody takes this assignment, will it ever be fixed?

It could be also a kernel problem, as rgrig points out. Anyone tried wicd or another distro with same kernel version?

Revision history for this message
Mervin Beng (mervinb) wrote :

I have been hitting exactly what has been described on Arch (3.9 kernel, nm-applet 0.9.8.0), and the workaround of removing the ca-cert line in the config file works (permanently) for me. On Arch the permissions on the config files are 600, and removing that line seems to permanently address the problem.

Looks very much like a problem in nm-applet, which writes an incorrect config for ca-cert when password is set to save.

Revision history for this message
Chris Taylor (chris-taylor-t) wrote :

I can concur with rgrig that under Kubuntu 13.04 booting with a 3.5 kernel rather than a 3.8 kernel solved the issue for me.

Also, as with rgrig, the other workarounds didn't work for the 3.8 kernel.

Revision history for this message
kazersozet (kazersozet) wrote :

Hello,
I've the same problem.
None of the following workarounds work for me:
1. change "system-ca-certs=true" from /etc/NetworkManager/system-connections to "system-ca-certs=false"
2. chattr +i /etc/NetworkManager/system-connections/

Ubuntu 13.04 kernel 3.8.0-23

Revision history for this message
Chris Taylor (chris-taylor-t) wrote :

I've installed some mainline kernels to check and again the problem is resolved and I can connect without problem.

The two kernels I've checked are:
3.9.0-030900-generic
3.10.0-999-generic

I've not tried wicd as I couldn't get it to install on my laptop.

Revision history for this message
schoubi (schoubi) wrote :

I'm affected too.

13.04 + eduroam (WPA2/PEAP/MSCHAPv2/self signed certificate)

The workaround, as pointed by #19 and #23 : suppress the "system-ca-cert=true" (or make it false) from the network-manager profile.

That works.

Seems that the «Ignore» button when cert alert is displayed was just.....ignored....

Revision history for this message
Arno Teigseth (arno-teigseth) wrote :

just installed gnome3 desktop on top of linux mint 15.

Saw the error 20 and remembered I was bugged by that before. Edouards posting in #20 solves error 20 - :)

remove the certs...=true line. I DID press Ignore in the "oops no CA cert selected" box

network-manager 0.9.8.0-0ubuntu6 from linuxmint/ubuntu and ppa.launchpad.net/gnome3-team/ repos

Revision history for this message
Rebootkid (nate-moore) wrote :

Comment #72 worked better for me than just removing the file.

I created the network connection, then edited it to show false for system-ca-cert

Revision history for this message
Elliot K Payen Padilla (epayen) wrote :

Please.. somebody could post the entire configuration where appears
"certs...=true"

where "system-ca-cert" is located.
Thanks

Revision history for this message
John Chee (chee) wrote :
Revision history for this message
Marc Purdon (carc) wrote :

I find it rather strange this is still unassigned, seems to me no network access is a major issue

Revision history for this message
Rommel Bojorge (rbojorge) wrote :

the "system-ca-cert" is located at /etc/NetworkManager/system-connections/ and there you edit the file that has your wi-fi name

Revision history for this message
Franko Burolo (fburolo) wrote :

@carc: It seems like they don't care much about non-LTS releases anymore... Reporting serious bugs for them is becoming ever more useless. :-/

Revision history for this message
Leszek (pb-zalewski-leszek) wrote :

Setting 'system-ca-cert=false' works fine. If you can't connect, then you could be banned in your network. I could connect after they reset ban list, so take it under consideration.

Anyway looks like bug is just about setting system-ca-cert=false when adding network.

Cheers,
Leszek

Revision history for this message
Le Gluon Du Net (legluondunet) wrote :

Thank you very much Eduard Gotwin, more than one month I could not connect to the wifi at work.
As you said I deleted the line
system-ca-certs=true
and I could connect again at all my wpa2 enterprise WIFI network.
This bug is very critical as it touches enterprise wifi network, it should be corrected as soon as possible.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I wish there was no workaround for this bug otherwise it would have been
solved long ago. But if there's a workaround, Canonical thinks there is no
need to work out the solution... obviously
On Aug 1, 2013 2:01 PM, "Le Gluon Du Net" <email address hidden> wrote:

> Thank you very much Eduard Gotwin, more than one month I could not connect
> to the wifi at work.
> As you said I deleted the line
> system-ca-certs=true
> and I could connect again at all my wpa2 enterprise WIFI network.
> This bug is very critical as it touches enterprise wifi network, it should
> be corrected as soon as possible.

Revision history for this message
Le Gluon Du Net (legluondunet) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Now we have a workaround but at each computer restart, you have to use the workaround again.
Because at each restart Network-Manager add the line "system-ca-certs=true" again...
Very annoying bug and very unproductive at work.

Revision history for this message
Alexey Brodkin (alexey-brodkin) wrote :

Disagree. In my case (fresh & updated 13.04 64-bit) I don't see configuration file changes on reboot.
I may expect it to be modified if you remove your current Wi-Fi connections from known ones in NetworkManager and then will try to connect to it again - this indeed will create a new config file in "/etc/NetworkManager/system-connections/" that will have "system-ca-certs=true".

Revision history for this message
Alexey Brodkin (alexey-brodkin) wrote :

Another note from my side - even though as I mentioned above I see configuration file stays on reboot but I cannot get my password saved. So EVERY REBOOT I have to enter my Wi-Fi password manually. Which is a bit more than inconvenient especially keeping in mind that this is a LAPTOP and I toggle its power at least twice a day when traveling to the office and back.
I'm wondering if others see the same experience or there's something I didn't do properly (I do set a checkbox "remember my password" every time I enter password).

Revision history for this message
James Donovan (jamesdonnabhain-deactivatedaccount) wrote :

I have a similar problem, all wireless networks (public and home) work on my current version of Ubuntu (13.04).

I've just started university and the people at IT refused to look at my linux dist and set me up in Windows7 instead. They claimed enterprise (WPA/WPA2) wasn't for Linux!! They made a weak attempt to set up in my Ubuntu OS (13.04).

When I try to set up my network from Network and wireless settings the connect button is greyed out and there are no security settings from the drop down menu so the workaround here isn't even applicable yet. In any case this will deter many a new Ubuntu user from such wireless networks.

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

This needs some work to be fixed -- there's an upstream bug, but it seems like the actual behavior might be slightly different. Perhaps when no cert is selected and the ignore button is pressed the settings should just be set to =false.

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Revision history for this message
Franko Burolo (fburolo) wrote :

Finally assigned! :-)
I hope this will be solved soon, now.

@alexey-brodkin: I experienced the same, but only on WPA2 Enterprise networks. Every time I had to reenter the password when connecting to my faculty's network. WPA Personal and WEP were working fine. Not sure about it, but you could be right, the password bug could be coming from the same source as the bug reported here...

Revision history for this message
DieterVDW (dietervdw) wrote :

Wow, 7 months to get a bug that breaks wifi for many corporate/enterprise users assigned... :s
Try explaining that to management ...

Revision history for this message
S.O.E. Ansems (only-for-launchpad) wrote :

For some reason this bug has worsened. Previously I could work around the issue by deleting the line that says 'system-ca-certs=true' but this stopped working because it would erase the password I've set for the user.

I'm now completely unable to connect to my corporate network, please fix this soon!

tags: added: saucy
Revision history for this message
Michael Heimann (michael-heimann) wrote :

This has hit me, too.

Removing "system-ca-certs=true" manually from /etc/NetworkManager/system-connections worked like a charm.

Stupid regression. This invalidates ubuntu in a corporate environment. Fix this please.

Cheers,
Michael

Changed in network-manager:
importance: Unknown → High
status: Unknown → New
tags: added: regression-release
Revision history for this message
Wayt (max-o) wrote :

I confirm, I can't connect to my school network, and so, I can't use ubuntu to code.

Revision history for this message
Pete (lance321) wrote :

I confirmed this is an issue for me as well. Worked fine in Ubuntu 12, Ubuntu 13 fails to connect to any WPA security.

This line does NOT exist for me in /etc/NetworkManager/system-connections/<SSID>

"system-ca-certs=true"

Adding the line with "false" also does NOT resolve this issue for me.

"system-ca-certs=false"

So far I can only connect to networks which are not using WPA personal/enterprise.

Please fix this bug.

sivamoke (sivamoke-bif)
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → nobody
Changed in network-manager (Ubuntu):
assignee: nobody → Network-manager (network-manager)
Revision history for this message
Matthew Geier (matthew-sleeper) wrote :

I just want to add for those trying 'random' certificates - if your school can't/won't supply you the proper certificate there is little point trying random other certificates - they WON'T WORK.
 That's the whole point of certificates in the first place, to verify the authenticity of the session. If it worked with random other certificates, there wouldn't be a whole lot of point would there.

Removing the system-ca-certs line and restarting network-manager worked for me, pending finding out how to get my schools certificate.

Revision history for this message
Ronak P (rkpatel7) wrote :

There was an update for Network Manager a few days ago. It looked like that resolved the issue for me, however unfortunately I was mistaken.

My situation:

Running Xubuntu 12.04.3 LTS
[user] = my username
Trying to connect to university wifi with the same authentication - WPA2/PEAP/MSCHAPv2
I have the certificate file provided by the university located at ~/[user]/.cacerts.pem
I have it currently set to hidden. I don't believe that is the problem since I was affected by the issue when it was not hidden as well.
I added system-ca-certs=false line to the connection file in /etc/NetworkManager/system-connections
I also made sure the connection file has the line 'ca-cert=/home/[user]/.cacerts.pem'

1. Do you think changing that line to 'ca-cert=~/[user].cacerts.pem'? Would that do anything?
2. Also, I just realized I haven't checked whether setting it to un-hidden would change anything after the recent Network Manager update. I might try that at some point.

Next time it occurs, I'll try to pull up the log file. Need to figure out how to do that first.

Revision history for this message
Le Gluon Du Net (legluondunet) wrote :

Hello,

on Ubuntu raring 13.04, I installed this untrusted NetworkManager PPA:

https://launchpad.net/~mathieu-tl/+archive/nm

then I edited all the Wifi connections in /etc/NetworkManager/system-connections/ and replaced "system-ca-certs=true" with "system-ca-certs=false", and all my WPA2 enterprise connections work again.

The bug is still present on saucy (system-ca-certs=true by default, even if you choose not).
I filed a bug on bugzilla: https://bugzilla.gnome.org/show_bug.cgi?id=707921

jjungo (j-jungo)
description: updated
Revision history for this message
Pedro Nunes (nunes-p89) wrote :

True story.
I had this problem; it existed in Ubuntu 13.04.
And now it exists in Ubuntu 13.10 too, what the hell are these guys doing?

The good thing is.. the workaround is the same.
Changing the system-ca-certs=true to system-ca-certs=false or erasing the line solves the problem...

Use the terminal to access /etc/NetworkManager/system-connections.
Perform a "sudo nano eduroam" and edit the file, save with ctrl + O and voilà.

Hope this helps most people
Regards

Revision history for this message
jjungo (j-jungo) wrote :

Hi,

I also had this problem in Ubuntu 13.04 with NetworkManager version 0.9.8.0.
I can confirm that replacing the line "system-ca-certs=true" with "system-ca-certs=false" inside my wifi config file (/etc/NetworkManager/system-connections/) works for me!

tags: added: rls-s-incoming
Revision history for this message
Rick Fowler (ricklfowler) wrote :

I have the same issue, and is fixed the same way. However it always asks me for my wpa enterprise password at the login screen before I start my session. If I just ignore it and login it connects to the ap.

Revision history for this message
Jon-Paul Raymond (digitalattorney) wrote :

I have a notebook running Xubuntu 13.10. Same problem. I didn't have a "system-ca-certs=false" entry in my config file, but after going through everything I could think of as well, what I did do was change my wireless security from WPA2 Mixed (TKIP / AES) to straight WPA2 AES. I can now connect.

Revision history for this message
Vytautas Jakutis (vytautas) wrote :

Eduroam also just stopped working for me. I heard local admins "reconfigured wifi network", and now when I connect, I get "self-signed certificate" errors.

To solve this, I had to replace the old local certificate (LITNET_CA.crt for me) to the AddTrustExternalCARoot.crt.

And I'm not even on Ubuntu. I use ArchLinux.

Revision history for this message
Eduardo Aquiles Radanovitsck (eduardoaquiles-ar) wrote :

Same thing happened to me. I had to manually edit the file and remove the line "system-ca-certs=true"

Changed in network-manager (Ubuntu):
assignee: Network-manager (network-manager) → Mathieu Trudel-Lapierre (mathieu-tl)
tags: removed: rls-s-incoming
Andy Whitcroft (apw)
Changed in ubuntu-release-notes:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
description: updated
Andy Whitcroft (apw)
Changed in ubuntu-release-notes:
status: In Progress → Fix Released
Revision history for this message
Pritam Baral (pritambaral) wrote :

One sane solution would be to let the user choose whether to use the system CA certs or not. KDE's network manager applet already does this.

I have a patch ready that adds this functionality. For package network-manager-applet. Tested working on ArchLinux, but there are no changes in Ubuntu's 9.8.0 and Arch's 9.8.4 among the parts of code that this patch touches.

My university is in the process of testing out 802.1x for wired networks, but this bug is a major bottleneck right now as many people here use Ubuntu 13.04.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Lets user choose whether to use system CA certs or not." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Boris Hollas (borish) wrote :

My WPA2/PEAP network doesn't work anymore with NetworkManager0.9.8.0-0ubuntu6 on 13.04 . Last week, it still worked and I haven't changed any network settings. I've done an update, though.

If I remove the connection and add it again, Network-Manager adds
system-ca-certs=true
to the configuration file, which is wrong.

Before, it worked after I removed

system-ca-certs=true and
auth-alg=open

but now this doesn't help anymore.

Revision history for this message
Henri Souchay (imagez) wrote :

Same thing, happened when "upgrading" to 13.04 after using 12.10 flawlessly. Corporate network.

The system-ca-certs=false trick does not work. NetworkManager keeps updating the file in /etc/NetworkManager/system-connections/, even though I set R-only access -- it will change it back to RW access.

Colleagues can connect to wifi with their Android phones, I cannot with Ubuntu: it just looks incompetent... Arrrgh, i'll have to move back to Windows...

Revision history for this message
Boris Hollas (borish) wrote :

This is what the log shows.

Revision history for this message
Pritam Baral (pritambaral) wrote :

PPA announce!
https://launchpad.net/~pritambaral/+archive/nms

Considering the time it has taken, and may take, for the devs to review/accept the patch and/or release a fix, I have been driven to release a personal package archive. This was inevitable for me personally, since my Uni is about to launch a campus wide EAPOL and

It builds on the standard Ubuntu raring package. Saucy will be added in a few hours.

@All affected users: feel free to use it

@32-bit users: build will finish in a few minutes.

Revision history for this message
Henri Souchay (imagez) wrote :

Chhatoi, thanks for sharing.
First thing this morning I did install your update, which clearly shows the check box "system CA certificates"; unfortunately it still failed authentication:

NetworkManager[6785]: <info> (eth3): supplicant interface state: associating -> associated
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='(... skipping info that seems proper to my business...)'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Hope others have more luck, maybe I'm just dealing with the wrong issue.

Revision history for this message
Pritam Baral (pritambaral) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Henri, you are indeed facing a different issue. Most likely incorrect
credentials.

When system-ca-certs is on, wpa_supplicant complains of a self-signed
certificate and stops right there. With a proper corresponding message of
course. And this one definitely isn't that.

I have seen this whenever I put in the wrong credentials.

Regards,
Chhatoi Pritam Baral
On Oct 24, 2013 2:21 AM, "Henri Souchay" <email address hidden> wrote:

> Chhatoi, thanks for sharing.
> First thing this morning I did install your update, which clearly shows
> the check box "system CA certificates"; unfortunately it still failed
> authentication:
>
> NetworkManager[6785]: <info> (eth3): supplicant interface state:
> associating -> associated
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0
> method=25
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25
> (PEAP) selected
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1
> subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure
> Certificate Authority'
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1
> subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure
> Certificate Authority'
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='(...
> skipping info that seems proper to my business...)'
> wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
>
> Hope others have more luck, maybe I'm just dealing with the wrong issue.

Revision history for this message
Austin DeWolfe (austindewolfe) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

@Chhatoi Pritam Baral
Thanks for building a fix for this issue, I know I appreciate it. I do have a question though. I can't seem to get the package through apt-get. I put the ppa into my repositories, but when I do sudo apt-get install network-manager-applet it can't find it (am I using the wrong package name?). I feel so close to finally being able to get wifi working that it really sucks not to be able to get the package.

Revision history for this message
Harry (harryscells) wrote :

@Austin DeWolfe
Try using:

sudo apt-get update
sudo apt-get upgrade

should update the packages affected

Revision history for this message
Pritam Baral (pritambaral) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

>
> sudo apt-get update
> sudo apt-get upgrade
>
> should update the packages affected

Yup, that should do it!
But for people looking to upgrade this single package only, and not their
whole system, or others like Austin, the package name is:

network-manager-gnome

Odd. I know. Caught me off-guard when I first set out too.

justin (justi8)
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → justin (justi8)
Changed in network-manager (Ubuntu):
assignee: justin (justi8) → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager:
status: New → Confirmed
Revision history for this message
Ben Lutgens (blutgens-gmail) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

This problem still persists to this day. Setting system-ca-certs=false does not work, you have to comment it out or remove it. There needs to be an option in network manager UI to allow users to disable the requirement on system-ca-cert and it should be included in the dialogue that prompts you for a ca along with the "Don't remind me again" or "ignore this" (e.g. setting it to ignore should unset or remove that line from the connection configuration).

Revision history for this message
Pritam Baral (pritambaral) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

@Ben: You can use the PPA I posted which does exactly that. An option in
the UI that is disabled by default.

@Ubuntu devs: Upstream is debating turning system-ca-certs off completely.
Basically, reverting the commit which started this debacle without any
regard to end-user usability. There are some very good discussions,
including from people deploying 802.1X in the field, on why system-ca-certs
is completely useless.

Changed in network-manager:
status: Confirmed → Fix Released
Revision history for this message
osmeest (osmeest) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Added the PPA specified by @pritambaral in saucy.
When running apt-get update, it complains that it doesn't find
https://launchpad.net/~pritambaral/+archive/nms/dists/saucy/main/binary-amd64/Packages

Any chance to get the gnome network manager update for 64b Saucy from there ?
Or from somewhere else ?

Thanks.

Revision history for this message
osmeest (osmeest) wrote :

Forget my last comment, if you use the ppa: link, it works much better:
ppa:pritambaral/nms

Thanks again for providing this much wanted patch.

Revision history for this message
Ingo Keck (ingokeck) wrote :

This is actually a big problem for two reasons:

(1) The user does not get the correct feedback to the problem: Instead of a notice that the certificate is not trusted, he/she is just asked again and again and again for the correct username and password.
(2) Encouraging people to trust in central certificates and not in self signed ones plays in the hands of NSA and everyone who depends on man-in-the-middle attacks. People should be encouraged to trust only in certificates they know are correct and be allowed to do so, instead of forcing them to only accept 'officially' signed certificates.

(still existing in ubuntu 13.10. , btw)
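The distinction drawn earlier in the thread (a certificate rejection versus a failure after the certificate was accepted) can be read from the wpa_supplicant events even though the GUI only re-prompts for the password. The following is an added example, not code from NetworkManager or from any poster; it assumes syslog lines in the format quoted in this thread, uses wpa_supplicant's `CTRL-EVENT-EAP-TLS-CERT-ERROR` event for validation failures, and the second sample log is constructed.

```python
import re

# Syslog shape used in this thread, e.g.
#   wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EVENT_RE = re.compile(
    r"wpa_supplicant\[\d+\]: (?P<iface>\S+): (?P<event>CTRL-EVENT-[A-Z-]+)(?P<rest>.*)"
)
ERR_RE = re.compile(r"err='([^']*)'")

# Lines quoted from the thread (comment by Henri Souchay).
THREAD_LOG = """\
NetworkManager[6785]: <info> (eth3): supplicant interface state: associating -> associated
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='(... skipping info that seems proper to my business...)'
wpa_supplicant[919]: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# Constructed sample: what a rejected server certificate looks like.
CERT_REJECT_LOG = """\
wpa_supplicant[1348]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1348]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1348]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[1348]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/CN=Example Campus Root' err='self signed certificate in certificate chain'
wpa_supplicant[1348]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""


def _fresh():
    return {"peer_cert": False, "cert_err": None}


def triage(log_text):
    """Return one (iface, verdict, detail) tuple per finished EAP attempt."""
    state = {}      # per-interface state of the attempt in progress
    verdicts = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # kernel, NetworkManager, avahi lines etc.
        iface, event = m["iface"], m["event"]
        st = state.setdefault(iface, _fresh())
        if event == "CTRL-EVENT-EAP-STARTED":
            state[iface] = _fresh()
        elif event == "CTRL-EVENT-EAP-PEER-CERT":
            st["peer_cert"] = True
        elif event == "CTRL-EVENT-EAP-TLS-CERT-ERROR":
            err = ERR_RE.search(m["rest"])
            st["cert_err"] = err.group(1) if err else "unspecified"
        elif event == "CTRL-EVENT-EAP-SUCCESS":
            verdicts.append((iface, "authenticated", None))
            state[iface] = _fresh()
        elif event == "CTRL-EVENT-EAP-FAILURE":
            if st["cert_err"]:
                # The client refused the server: a trust-configuration problem
                # (ca-cert / system-ca-certs), not a password problem.
                verdicts.append((iface, "server-cert-rejected", st["cert_err"]))
            elif st["peer_cert"]:
                # Certificate chain was seen without error; the failure came
                # later. The thread attributes this pattern to bad credentials.
                verdicts.append((iface, "failed-after-server-cert-accepted", None))
            else:
                verdicts.append((iface, "failed-before-tls", None))
            state[iface] = _fresh()
    return verdicts


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", CERT_REJECT_LOG)):
        for verdict in triage(log):
            print(name, verdict)
```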

Revision history for this message
Neil Broadley (scaine) wrote :

Is there something broken in Ubuntu's update process that a PPA had to be created (many thanks for that Pritam!) for this? I've just tried a fresh 13.10, it still has this problem, despite "Fix released". So what does "Fix released" mean? Released for the next version of Ubuntu? Would I have gotten the fix if I'd turned on "Proposed"?

So yeah - thanks again for the PPA. At least that works.

Revision history for this message
Pritam Baral (pritambaral) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

@Neil: Note that this bug is actually three bugs. More precisely, this is
tracking the status of the same bug in three different projects. And the
top one is gnome (upstream.) The most recent "Fix released" refers to
gnome. It takes a while for upstream changes to be reflected in a stable
distro (Ubuntu), especially if it has to be backported (since upstream is
usually a little ahead of stable).

Note that one of the projects is just "Release Notes".

I created the PPA because I realized Ubuntu did/would not consider this bug
to be important enough to warrant a feature-change in two stable releases.
I do not think that's wrong on their part, although I'm confident they'd
see the fix harmless (from a stability POV) if they notice it.

I think uploading packages to -proposed is only for Ubuntu maintainers.
Here's some more on that matter:
http://askubuntu.com/questions/49691/what-is-the-proposed-repository

Revision history for this message
C Filorux (breakfast) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Confirmed still unfixed on 13.10 ... WPA+EAP or Linux: pick one.

Revision history for this message
Ingo Keck (ingokeck) wrote :

just coming in: Google found French office spying with CA signed intermediate certificate: https://code.google.com/p/chromium/issues/detail?id=326787 and http://www.heise.de/newsticker/meldung/Google-erwischt-franzoesische-Behoerde-beim-Schnueffeln-2062479.html

So please stop requesting CA signed certificates!

Revision history for this message
Alex Nekrasov (ennnot) wrote :

I'm having the same problem.

I do NOT have system-ca-certs in the NetworkManager connection file. I turned off power saving and ipv6. Still get

Dec 19 23:57:06 desktop kernel: [ 110.811108] wlan0: send auth to 00:19:cb:58:f6:b9 (try 1/3)
Dec 19 23:57:06 desktop kernel: [ 110.813360] wlan0: authenticated
Dec 19 23:57:06 desktop kernel: [ 110.813531] rt2800usb 2-1.5:1.0 wlan0: disabling HT as WMM/QoS is not supported by the AP
Dec 19 23:57:06 desktop kernel: [ 110.813536] rt2800usb 2-1.5:1.0 wlan0: disabling VHT as WMM/QoS is not supported by the AP
Dec 19 23:57:06 desktop kernel: [ 110.813718] wlan0: associate with 00:19:cb:58:f6:b9 (try 1/3)
Dec 19 23:57:06 desktop NetworkManager[935]: <info> (wlan0): supplicant interface state: authenticating -> associating
Dec 19 23:57:06 desktop kernel: [ 110.829841] wlan0: RX AssocResp from 00:19:cb:58:f6:b9 (capab=0x411 status=0 aid=3)
Dec 19 23:57:06 desktop wpa_supplicant[1348]: wlan0: Associated with 00:19:cb:58:f6:b9
Dec 19 23:57:06 desktop kernel: [ 110.836913] wlan0: associated
Dec 19 23:57:06 desktop kernel: [ 110.836925] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Dec 19 23:57:06 desktop NetworkManager[935]: <info> (wlan0): supplicant interface state: associating -> associated
Dec 19 23:57:07 desktop avahi-daemon[944]: Joining mDNS multicast group on interface wlan0.IPv6 with address fe80::f27d:68ff:fe15:5756.
Dec 19 23:57:07 desktop avahi-daemon[944]: New relevant interface wlan0.IPv6 for mDNS.
Dec 19 23:57:07 desktop avahi-daemon[944]: Registering new address record for fe80::f27d:68ff:fe15:5756 on wlan0.*.
Dec 19 23:57:11 desktop wpa_supplicant[1348]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:19:cb:58:f6:b9 reason=4
Dec 19 23:57:11 desktop kernel: [ 115.755373] cfg80211: Calling CRDA to update world regulatory domain
Dec 19 23:57:11 desktop kernel: [ 115.758863] cfg80211: World regulatory domain updated:
Dec 19 23:57:11 desktop kernel: [ 115.758867] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Dec 19 23:57:11 desktop kernel: [ 115.758869] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758872] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758874] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
Dec 19 23:57:11 desktop kernel: [ 115.758876] cfg80211: (5170000 KHz - 52500...

Revision history for this message
Peter L (randomuser72) wrote :

confirmed on 13.10. cannot connect to school eduroam network without certificate. really annoying!

Revision history for this message
In , Mateakos (mateakos) wrote :

When setting up a wireless connection with PEAP and MSCHAPv2, but without CA cert, nm-applet puts system-ca-certs=true in its config file, regardless that I choose no CA certificate, and click on Ignore. It worked correctly a half year ago.
This ubuntu bug seems the same: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476

Changed in gentoo:
importance: Unknown → High
status: Unknown → New
Changed in gentoo:
importance: High → Medium
Revision history for this message
In , Pacho-gentoo (pacho-gentoo) wrote :

+*nm-applet-0.9.8.8-r1 (10 Jan 2014)
+
+ 10 Jan 2014; Pacho Ramos <email address hidden>
+ +files/nm-applet-0.9.8.8-revert-ca-certificates.patch,
+ +nm-applet-0.9.8.8-r1.ebuild,
+ -files/nm-applet-0.9.6.4-systray-icon-size.patch,
+ -files/nm-applet-0.9.8.4-autostart.patch, -nm-applet-0.9.6.4-r1.ebuild,
+ -nm-applet-0.9.8.2.ebuild, -nm-applet-0.9.8.4.ebuild:
+ Revert 'libnm-gtk: default to system CA certificates for validation for new
+ connections', bug #497296 by mateakos. Drop old.
+

Revision history for this message
In , Chris Taylor (chris-taylor-t) wrote :

When connecting to WPA2/PEAP/MSCHAPv2 wifi networks which do not have a CA Certificate Network Manager may incorrectly mark the CA certificate as needing verification and fail that verification.

Reproducible: Always

Steps to Reproduce:
1. Attempt to connect to WPA2/PEAP/MSCHAPv2 wifi network which does not have a CA Certificate.
Actual Results:
The line system-ca-certs=true is erroneously added to the relevant Network Manager config file and connection fails.

Expected Results:
Connection to network should occur despite the lack of a CA Certificate (as many educational/business enterprise networks don't provide them).

See also https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476

Revision history for this message
In , Chris Taylor (chris-taylor-t) wrote :
Changed in network-manager (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in gentoo:
status: New → Fix Released
Revision history for this message
Yongjin Cho (yongjin.cho) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Is this bug really fixed?
I'm using Ubuntu 13.10 and I still cannot connect to my company network which is WPA2 enterprise PEAP without CA certificate.

Revision history for this message
Dmitry Maruschenko (yojick) wrote :

It has been fixed almost anywhere except ubuntu. For ubuntu it's triaged =(

Revision history for this message
Blaster (holst-niels) wrote :

@Dmitry Maruschenko (yojick) #130

Yes, it's pretty irritating. It's not really a bug in network manager though, it's "just" a glitch in the GUI.

Here's how to make it work:

1) Select a totally random certificate from /usr/share/ca-certificates/mozilla
2) Try to connect. You'll not succeed, but don't worry.
3) This WILL create a connection file in /etc/NetworkManager/system-connections
4) The name of the connection file (a text file) will be the name of the desired wifi network SSID
5) You need to edit that file as root. Do this in a terminal (ctrl-alt-t): gksu nautilus /etc/NetworkManager/system-connections
6) Select the file (the name of the SSID) you just created
7) In this file there will be two lines you need to remove. One will state the requirement of a certificate the other will point to the bogus-certificate you used in step 1). Remove both lines.
8) Be sure that the line "identity=" contains BOTH your domain and username, as in identity=DOMAIN\USER (replace DOMAIN and USER with your actual domain name and user-logon)

Congrats, if you did the above correctly you're now connected.

I totally agree that it's a joke that this isn't fixed yet. The "fix" posted by Pritam Baral (pritambaral) in #108 does NOT work anymore. It did however work when he posted it, but for 32 bit users it somehow created a connection file with "identity=DOMAIN\\USER" Notice the extra "\". Follow the steps from 5) to fix this. This is not criticism of Pritam Baral. He did a valid effort to try to fix it, but it's hilarious that this GUI-glitch wasn't fixed a long time ago.

Revision history for this message
Jan Hauke Maase (h-maase+dev-deactivatedaccount) wrote :

Thank you, Blaster!

I was able to connect to my university WIFI. But after a bit of use I experience some kind of disconnect. My wifi stays connected, but I'm not able to ping anything or connect to the internet / local LAN. Only a reconnect to the wifi fixes this, but not for long. Tested on:
.Ubuntu 13.10
.Ubuntu 12.04.3 LTS
.openSUSE 13.1

On both HP and Lenovo Notebooks.

Has anybody had the same problem?

Revision history for this message
Blaster (holst-niels) wrote :

@Jan Hauke Maase (h-maase+dev)

I'm glad it worked for you (I knew it would). The ridiculous thing about this is that probably 50% of the users and developers following this knows exactly how to fix it, but no suggested fix is accepted.

If you were able to connect, you're no longer affected by this bug. My guess is that what you're now experiencing is a WIFI-driver bug, and my best guess is that your WIFI card is a Broadcom. You could try the following (NOTE: this is NOT related to this bug)

1) enable the proprietary Broadcom driver
2) (lol-option) disable 1) and opt for kernel support might work
3) Upgrade kernel. You might want to try kernel 3.13. That fixed it for me.

Try this at YOUR OWN RISK:

cd /tmp
wget http://goo.gl/x4JYAz -O kernel-3.13
chmod +x kernel-3.13
sudo sh kernel-3.13
sudo reboot

The above is NOT related to the bug described in this thread, and I will not provide further advice here!

Revision history for this message
Pritam Baral (pritambaral) wrote :

@Blaster (holst-neils) #131

My patch has nothing to do with DOMAIN logins. In fact, it has nothing to do with anything other than precisely "sys-ca-cert".
It is, however, outdated (I don't use Ubuntu myself). I haven't updated it since I posted it, and it is possible that a newer edition of NM itself might have caused the DOMAIN issue you speak of.

Also, it IS a bug in NetworkManager itself. sys-ca-certs should never even exist. That is not how 802.1x is done. It is not a replica of the https model. Refer: https://bugzilla.gnome.org/show_bug.cgi?id=702608#c17

My patch doesn't touch NM simply because NM is larger than nm-applet. I only added the gui option of sys-ca-certs because it was easier.

Revision history for this message
Blaster (holst-niels) wrote :

Pritam Baral (pritambaral) #134

You're right, but somehow, down the line, I thought your fix produced the double " \", but it's most certainly not your fault. Just checked, and it's definitely a bug introduced by a Network Manager "update" and not by your fix. Sorry.

You're probably the only person in this unnecessary thread, that I respect for actually trying to fix the problem. Actually, you DID fix the problem for a while.

For now, the only work-around is #131

Peace, man.

Revision history for this message
bfrancom@gmail.com (bfrancom) wrote :

I've had this problem for a long time on Debian Wheezy up to the past several releases of Ubuntu. Even running mainline kernels don't seem to fix. Currently on Ubuntu 13.10 3.14.0-031400rc1-generic
Today, I finally got some stability by adding/modifying the line to: system-ca-certs=false AND then changing the rights to read only on the connection.
 chmod -w <ssid>
Not sure how long this will work, but it's survived several suspends/connects/disconnects much better than before.

Revision history for this message
John Small (jds340) wrote :

Still not fixed. I can connect to my company WPA2/PEAP/MSCHAPv2 network which is configured without CA_Certificate.

I can get a connection from my Ipad, Mac, Android phone, Kindle (and Google Glass but that's someone else's). But I cannot connect from Ubuntu 13.10 with all the latest patches.

When is this ever going to be recognized as something that needs fixing?

12.x was Ok, 13.x has been broken since release. There seems to be a coder in charge of this that thinks not having a certificate means you shouldn't be allowed to connect. But lots of companies set things up to not use a certificate.

Please fix it.

Revision history for this message
Walter Garcia-Fontes (walter-garcia) wrote :

Have you tried the following workaround? Assume the ssid of your network is called "mynetwork":

sudo gedit /etc/NetworkManager/system-connections/mynetwork

eliminate a line that says:
system-ca-certs=true

Substitute "mynetwork" by the name of your wifi network.

Revision history for this message
Albert Pool (albertpool) wrote :

In upstream Gnome the bug has been fixed with commit: https://git.gnome.org/browse/network-manager-applet/commit/?id=c798c40c5dce3bc6d9b615621cefe59660b5a504

The Gnome bug report also includes some comments by Stefan Winter from Eduroam (the wifi network of many universities including mine), describing why this needs to be changed. Ubuntu developers please take a look at this comment by him: https://bugzilla.gnome.org/show_bug.cgi?id=702608#c17

Revision history for this message
spaceriker (spaceriker) wrote :

This is still broken in:
---
Distributor ID: Ubuntu
Description: Ubuntu 13.10
Release: 13.10
Codename: saucy
---

Note that this is a 64bit version, so I'm guessing that the 64bit version of network-manager did not get this fix?

Revision history for this message
spaceriker (spaceriker) wrote :

FWIW, turning system-ca-certs=false fixed it.

Revision history for this message
Kai Blin (kai.blin) wrote :

Still broken in 14.04, workaround works fine.

Revision history for this message
Albert Pool (albertpool) wrote :

Indeed, the upstream fix did not reach debian/ubuntu yet. Even Sid does not have it yet, so I guess we'll need to be patient, until 14.10 or something like that.
I did, however, bring this to the attention of the Linux Mint developers. Should Mint provide a fixed network-manager-gnome package, it could be made available for download for Ubuntu users too.

Revision history for this message
Esteban Richmond-Salazar (ersiq) wrote :

SOLVED

sudo gedit /etc/NetworkManager/system-connections/#WIFI-NETWORK#

Substitute #WIFI-NETWORK# with your config file name

Comment (add an # before) or erase the following line:
system-ca-certs=true

Save the file and it just works. If you made any changes using network manager you must repeat this procedure.

Revision history for this message
frank (dallco) wrote :

@ Esteban this problem is not solved! Posting a workaround does not solve the bug.

The line system-ca-certs=true is still added to /etc/NetworkManager/system-connections/#WIFI-NETWORK# despite the fact I choose ignore certificate in the dialog. (daily live 5-4-2014)

Revision history for this message
Matthew Geier (matthew-sleeper) wrote :

This seems to be even worse in 14.04 as removing or changing the system-ca-certs= line no longer works.

I can make the office WPA2 connection work as I have access to the root certificate for its key, but my Uni's Eduroam is now completely unusable as removing the system-ca-certs line no longer works and the institution will not give me the root certificate for the self signed key.

("We only support Mac/Windows via the supplied installers" was the response I got).

I took apart the Mac installer hoping to get the certificate, but as far as I can figure, what they supply for the mac is a script that turns off certificate checking in OSX :-)

It's all very well saying connecting without verifying the certificate is insecure and shouldn't be allowed, but that just isn't a realistic approach.
I either have to connect without certificate checking, or I can't use the service at all.

Revision history for this message
vitaly.v.ch (vitaly-v-ch) wrote :

None of the WAs work in 14.04

Revision history for this message
Peter Matulis (petermatulis) wrote :

== Poll ==

Why are people here not ensuring a secure connection by setting up certificates? That's the way TLS works.

Revision history for this message
rgrig (radugrigore) wrote :

@Peter Matulis: Are you serious? You may as well be asking "Why are people here not ensuring that the laws of Uganda are more sensible?" Uhm ... isn't it clear from above that a *huge* number of people don't have a choice? At least not a quick choice. Yes, eventually it will get done, but it's a slow battle.

Revision history for this message
Albert Pool (albertpool) wrote :

@ Peter Matulis

Comment #17 at https://bugzilla.gnome.org/show_bug.cgi?id=702608#c17 clearly describes why it makes no sense to require choosing a certificate for WPA2 Enterprise wireless.

Revision history for this message
Matthew Geier (matthew-sleeper) wrote :

In my case I either have to use the connection without the proper certificate or NOT USE IT AT ALL. The powers that set up our Eduroam refuse to distribute the certificate required. 'We support Windows and Mac only'.

The Windows installer uses some package that installs a new EAP module into Windows, and the OSX one appears to be a simple script that turns off certificate verification for the Eduroam SSID.

Yes, not using the certificate leaves me open to a man-in-the-middle attack, but institutional policy doesn't leave me any choice here.

Revision history for this message
Victor Borovik (burkans5000) wrote :

I had the same issue on Ubuntu 14.04 and none of proposed workarounds helped.

The way I was able to solve it was by manually restarting NetworkManager:
1) open terminal
2) type in: sudo stop network-manager
3) type in: sudo NetworkManager
And that is it! Afterwards I was able to normally connect to WiFi even after restarting Ubuntu. Hope it helps and good luck!

P.S. If restarting didn't help, before that I was also unsuccessfully trying to kill NetworkManager by its PID (it relaunches automatically), maybe it had some impact. I can't really reproduce the bug because it disappeared after restarting NetworkManager.

Revision history for this message
Sera (seraphim6x7) wrote :

@Victor Borovik

Did you do that in addition to the proposed workarounds? What you're proposing is no more than what happens on every restart.

For reference, the removal of the 'system-ca-certs=true' line followed by restarting the network manager (didn't try without a restart) worked fine for me.

Revision history for this message
Walter Garcia-Fontes (walter-garcia) wrote :

In my case the workaround in comment #138 still works with Ubuntu 14.04.

Revision history for this message
Victor Borovik (burkans5000) wrote :

@Sera

I tried all of proposed workarounds with and without Ubuntu restart with no effect.
After restarting NetworkManager manually ('system-ca-certs=true' line was present) it started working properly, so not only did my non-working connection come to life, but the bug disappeared. I am now able to delete the connection and create it anew and it works straight away even after restarting Ubuntu.

Revision history for this message
Aang (aang-aero) wrote :

I can also confirm that workaround in comment #138 works as well. I'm also on Ubuntu 14.04.

However, I am now prompted at login (of the OS) for the WiFi password on the PEAP network, but hitting cancel, then logging in seems to work fine. All other networks don't bother me with a pop-up at login.

Will this CA Certificate bug in Network Manager be fixed in 14.04, or is 14.10 the expectation?

Revision history for this message
Tronde (tronde) wrote :

Hello.

I can confirm this Bug for Ubuntu GNOME 14.04 (Trusty) with network-manager 0.9.8.8-0ubuntu7.

Revision history for this message
enrico (enricofranceschi) wrote :

Sorry I posted an incorrect link
this is my workaround for Lubuntu 14.04 32bit on Acer Aspire One d150, others have not worked:

download: network-manager-gnome_0.9.4.1-0ubuntu2_i386.deb (network manager Lubuntu 12:04) from https://launchpad.net/ubuntu/precise/i386/network-manager-gnome/0.9.4.1-0ubuntu2
for safety download also Lubuntu-desktop_0.55_i386.deb (desktop settings Lubuntu 14:04) from https://launchpad.net/ubuntu/trusty/i386/lubuntu-desktop/0.55

sudo stop network-manager

sudo killall nm-applet

sudo apt-get remove network-manager-gnome
(also removes Lubuntu-desktop)

from download directory:

sudo dpkg -i network-manager-gnome_0.9.4.1-0ubuntu2_i386.deb
sudo dpkg -i Lubuntu-desktop_0.55_i386.deb

returns errors

sudo start network-manager

alt + f2 nm-applet

configure: right click on the network icon in systray
connect to WIFI, ignoring the certificate request

sudo apt-get -f install
(fixes the dependencies that are not met due to the installation of the network manager 12:04 on 14:04)

sudo apt-get update && sudo apt-get upgrade

everything should be ok even after rebooting

Revision history for this message
BC (bc2000) wrote :

I manage WiFi services for a University, including Eduroam. I just want to point out that this "issue" is not isolated to self-signed certificates, but applies to any certificate not signed directly by any of the 'pre-trusted' root/intermediate CAs. I wasn't actually aware that you are even 'allowed' to participate with Eduroam with a self-signed certificate?!?

I assume setting system-ca-certs to false then tells NetworkManager not to try and validate the certificate?? If that is the case, this would seem to be expected behaviour, rather than a bug, and may introduce a security risk (someone can potentially set up a bogus SSID with 'your' SSID name, using any certificate and then grab your credentials)

If you are joining a WiFi network with a self-signed certificate, you should be able to add the certificate itself to your trusted certificates. For networks with third-party signed certificates (Thawte, VeriSign etc) you should add the CA certificates (root, intermediate etc) to your list of trusted CAs.

Revision history for this message
Boris Hollas (borish) wrote :

I confirm this bug on Ubuntu 14.04 with recent updates. The workarounds in #152, #153 don't work for me.

Also, removing the line "system-ca-certs=true" has no effect.

Revision history for this message
Albert Pool (albertpool) wrote :

The system-ca-certs problem has been fixed in Linux Mint 17.

What may remain, though, is that the right authentication type such as TTLS or PEAP is not selected automatically. For me PEAP had to be chosen to connect to Eduroam; your institution should be able to tell which of these types you need (since for example Android also asks for this). But that is unrelated to this bug, if you know which type to use you can select it yourself in the network settings.

Revision history for this message
Boris Hollas (borish) wrote :

I doubt that https://git.gnome.org/browse/network-manager-applet/commit/?id=c798c40c5dce3bc6d9b615621cefe59660b5a504 fixes this bug. As I wrote in #161, removing the line "system-ca-certs=true"
has no effect. This is all the patch does if no certificate is chosen.

I did choose the right authentication type (PEAP).

Revision history for this message
Neil Broadley (scaine) wrote :

Note the comment in #144 - while removing the system-ca-certs=true line might work, any changes you make to the network connection in Network Manager thereafter will re-add the line!

So the current workflow for connecting to a PEAP WIFI network is currently:
1. Make the connection. It will fail, but it will create an entry in /etc/NetworkManager/system-connections.
2. Edit that connection as root, remove the system-ca-certs=true line.
3. Never make any changes to that connection again.

One more small note - changing the line to read system-ca-certs=false causes the line to disappear when you save the file. I have no idea what is changing the file on write, but you can basically write the change and immediately cat the file, but instead of a line that says system-ca-certs=false, the line has vanished completely. Perhaps NetworkManager tracks the connection files in realtime, or some upstart job is submitting the changes? I don't know. I just found it interesting that the correct behaviour is actually the default behaviour and that this version causing this bug is actively changing that default behaviour.

Revision history for this message
Albert Pool (albertpool) wrote :

Linux Mint has implemented the upstream fix for system-ca-certs in their repository packages which can be found at http://packages.linuxmint.com/pool/upstream/n/network-manager-applet/

You can install these DEBs on Ubuntu 14.04 too (since Linux Mint 17 is based on Ubuntu 14.04), then remove the connection and add it again; system-ca-certs will not appear then if you click ignore when you're asked to choose a certificate.

With Mint 17 I am able to connect to Eduroam out-of-the-box, I just have to choose PEAP as authentication method and enter my details.

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

This can be fixed in backporting a commit; I'll upload a fixed package to utopic shortly, then we can look into a SRU for the change.

affects: network-manager (Ubuntu) → network-manager-applet (Ubuntu)
Changed in network-manager-applet (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Saucy will be EOL in about a month; unless somebody says otherwise, I think I'd rather spend the time to provide the fix in the other releases that are still supported -- people still on 13.10 should consider upgrading to 14.04 as soon as possible, which should generally be a good idea for all the other bug fixes that would come with it.

If it's really needed, I can provide packages in a PPA, but for now I'll just close the Saucy / 13.10 task as Won't Fix.

Other releases will still get the updates when they are tested.

Changed in network-manager-applet (Ubuntu Saucy):
status: New → Won't Fix
Changed in network-manager-applet (Ubuntu Precise):
status: New → Triaged
Changed in network-manager-applet (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in network-manager-applet (Ubuntu Precise):
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 0.9.8.8-0ubuntu7

---------------
network-manager-applet (0.9.8.8-0ubuntu7) utopic; urgency=medium

  * debian/patches/git_revert_system_ca_cert.patch: don't require system CA
    certs to validate the wireless AP certs if the user chooses not to supply
    a certificate. (LP: #1104476)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 11 Jun 2014 15:29:36 -0400

Changed in network-manager-applet (Ubuntu Utopic):
status: In Progress → Fix Released
Revision history for this message
Vincent Gerris (vgerris) wrote :

This bug still affects me with current updates.
I had to change /etc/NetworkManager/system-connections/network-ssid
the line system-ca-cert=true
to system-ca-cert=false
Then restart the network and it works.

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Yes, this fix will not change connections that have already been created, it will only not set system-ca-cert for new connections.

Revision history for this message
Adolfo Jayme Barrientos (fitojb) wrote :

This bug appeared in Raring, Precise is not affected by it.

no longer affects: network-manager-applet (Ubuntu Precise)
Revision history for this message
Felix (felix-daniel-perez) wrote :

Hi All:

Same bug in 14.04. The network manager is a headache with this type of authentication!!

My organization doesn't use a cert to authenticate to the network, it uses a password, so it is a big problem to connect!

Br

Felix

Revision history for this message
Boris Hollas (borish) wrote :

Eduroam works for me with Ubuntu 14.04 as of today if I use the installer provided by Eduroam. Your institution should provide a link to this installer, which retrieves and stores the appropriate CA-certs and creates an entry for network-manager.

Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello zsolt.ruszinyák, or anyone else affected,

Accepted network-manager-applet into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/network-manager-applet/0.9.8.8-0ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

description: updated
Changed in network-manager-applet (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-applet (Ubuntu Raring):
status: New → Confirmed
no longer affects: network-manager-applet (Ubuntu Raring)
Revision history for this message
Adolfo Jayme Barrientos (fitojb) wrote :

Version 0.9.8.8-0ubuntu4.3 in trusty-proposed works here.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 0.9.8.8-0ubuntu4.3

---------------
network-manager-applet (0.9.8.8-0ubuntu4.3) trusty-proposed; urgency=medium

  * debian/patches/git_revert_system_ca_cert.patch: don't require system CA
    certs to validate the wireless AP certs if the user chooses not to supply
    a certificate. (LP: #1104476)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 07 Jul 2014 11:11:52 -0400

Changed in network-manager-applet (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for network-manager-applet has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Aang (aang-aero) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Downloaded latest gnome-network-manager update from repository on Ubuntu 14.04 64bit - I am now able to connect with a CA Certificate :-) - issue appears to be resolved on Ubuntu 14.04

Revision history for this message
Franko Burolo (fburolo) wrote :

Except that this bug report is about the impossibility to connect WITHOUT a CA certificate...

Revision history for this message
Aang (aang-aero) wrote :

My apologies for the typo, I meant "without" - so the corrected version:

Downloaded latest gnome-network-manager update from repository on Ubuntu 14.04 64bit - I am now able to connect without a CA Certificate :-) - issue appears to be resolved on Ubuntu 14.04

Update:
I am being prompted for the WiFi password on the network without the CA Certificate every time I power on the computer, but once I enter the password it connects. This behavior only occurs on boot up; recovering from suspend has no issues.

Once again, my apologies for the typo on post #179 :-\

Revision history for this message
Aravind Pogu (aravind-pogu) wrote :

Hi All,

I have installed Ubuntu 14.04 in my system recently on Oct 7th. I still have this problem to connect to my University network.

I have tried the work around mentioned in the thread to remove system-ca-cert=true from the my connection SSID. But, I could not even find that line. I even restarted the Network Manager several times.

Please help !!

Thanks,
Aravind

Revision history for this message
Albert Pool (albertpool) wrote :

Aravind,

That line is already deleted if you add the connection with the latest updates to NetworkManager installed.

If you're still having trouble, probably the wrong authentication type is set in the wifi security settings. Default is TTLS, but at least my university (Utrecht University, NL) needs PEAP here for its Eduroam network. The inner authentication is MSCHAPv2 but I think that was right by default.
Settings may be different at your university but I think it's certainly worth giving it a try.
When you are asked for the certificate, choose to ignore it (unless you know which one to specify).

Future questions about this are better asked on a forum instead. This is a closed bug.

Revision history for this message
Pablo Cabrera (pablo-rocka) wrote :

@Aang (aang-aero)

I managed to get rid of the password prompt by adding the password in the [802-1x] section of the connection file:

in the /etc/NetworkManager/system-connections/YOURSSID

Edit the section:
[802-1x]
eap=peap;
identity=YOURUSERNAME
phase2-auth=mschapv2
password=YOURPASSWORDUNENCRYPTED

and it worked for me. No more accept certificate or password prompt dialog.
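An audit of the `[802-1x]` keyfile section discussed in this thread, added here as an example (it is not part of any comment and not NetworkManager's own code). It reports connections left without server validation, which is the state the `system-ca-certs` workaround produces and the rogue-SSID risk raised earlier in the thread, and passwords stored in the file. The sample keyfiles, the CA path and the host name are constructed placeholders; the key names are NetworkManager's 802-1x settings.

```python
import configparser
import sys

# Constructed keyfiles for illustration; paths and host names are placeholders.
UNVALIDATED = """\
[connection]
id=eduroam
type=wifi

[802-1x]
eap=peap;
identity=YOURUSERNAME
phase2-auth=mschapv2
password=YOURPASSWORDUNENCRYPTED
"""

SYSTEM_CA_ONLY = """\
[connection]
id=eduroam
type=wifi

[802-1x]
eap=peap;
identity=YOURUSERNAME
phase2-auth=mschapv2
system-ca-certs=true
password-flags=1
"""

PINNED = """\
[connection]
id=eduroam
type=wifi

[802-1x]
eap=peap;
identity=YOURUSERNAME
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/example-radius-ca.pem
altsubject-matches=DNS:radius.example.org;
password-flags=1
"""

TLS_BASED = {"peap", "ttls", "tls"}  # EAP methods where the server presents a certificate
NAME_KEYS = ("subject-match", "altsubject-matches", "domain-suffix-match")


def audit_keyfile(text):
    """Return a list of finding codes for the [802-1x] section of one keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return []
    s = cp["802-1x"]
    methods = {m.strip().lower() for m in s.get("eap", "").split(";") if m.strip()}
    if not methods & TLS_BASED:
        return []

    findings = []
    has_anchor = bool(s.get("ca-cert", "").strip() or s.get("ca-path", "").strip())
    system_ca = s.get("system-ca-certs", "false").strip().lower() == "true"
    has_name = any(s.get(k, "").strip() for k in NAME_KEYS)

    if not has_anchor and not system_ca:
        # No trust anchor at all: any access point using the SSID is accepted.
        findings.append("NO_SERVER_VALIDATION")
    elif not has_name:
        # A trust anchor without a name check accepts every certificate
        # that chains to that anchor, not only the RADIUS server's.
        findings.append("NO_SERVER_NAME_CHECK")
    if s.get("password", ""):
        # The password sits in the file; protection is file permissions only.
        findings.append("PASSWORD_IN_FILE")
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, audit_keyfile(fh.read()) or "ok")
```

Run it as root with the files under /etc/NetworkManager/system-connections/ as arguments.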

Revision history for this message
Alex Luecke (alex-james-luecke) wrote :

This bug is still persistent for me in 14.10.

Revision history for this message
Albert Pool (albertpool) wrote :

As I said already, 14.10 has another problem.
Go to Network Settings or Network Connections, edit the Eduroam connection, and go to the WiFi Security tab.
Here set the authentication type to Protected EAP instead of the default Tunneled TLS which is wrong for eduroam, at least on my university.

It is unrelated to this bug so feel free to open a new bug for it, if you did not need to do this in past releases of Ubuntu.

Revision history for this message
natheo (natheo) wrote :

I have the bug since yesterday, just after I reinstall Ubuntu 14.04. Before it has never happened.

Revision history for this message
Juliano Fischer Naves (julianofischer) wrote :

I have the bug too.
Maybe it is related to the network interface.

Network controller: Realtek Semiconductor Co., Ltd. RTL8188CE 802.11b/g/n WiFi Adapter (rev 01)

Revision history for this message
philipballew (philipballew) wrote :

Is there a bug report for this issue happening in 14.10 as well? I see that as #186 pointed out, this is a different problem, is there a bug report for it? If not, I will go ahead and create one.

Revision history for this message
Albert Pool (albertpool) wrote :

@philipballew I'm not aware of another bug report, and don't have time to look for one at present. I'm a Linux Mint user myself; Cinnamon has its own issues with Eduroam. Besides, there is no 14.10 based Linux Mint at present, so the 14.10 problems don't really affect me.
What I said in #186 was how a friend with Ubuntu on a Mac, got eduroam working.

Revision history for this message
Vincent Gerris (vgerris) wrote :

since a few days I suddenly have issues again connecting to PEAP based wifi again.
Keep having a popup. Above options did not work.
Intel 7260 card.
not only that, but the ignore option still does not work in the GUI.

Revision history for this message
Franko Burolo (fburolo) wrote :

A few days ago, I couldn't connect to my faculty's PAP network, either... I thought it was a problem on their side, as they tend to have them every so often. But now with Vincent's message... I don't know. It may be a new bug in NetworkManager?
I haven't been to my faculty with my laptop since then to see if the problem still persists... I'll probably be there again on Monday, so I can re-check.

Revision history for this message
Vincent Gerris (vgerris) wrote :

I thought for me it was a password change, but I tested another laptop with Fedora and that just works.
So it seems like a bug in Ubuntu at least.
Not sure if it is the same, but I hope someone will pick this up and fix it.
This is another big risk for losing users.
Happy to test any fixed packages....

Revision history for this message
Franko Burolo (fburolo) wrote :

I was today at the faculty again, and I still couldn't connect to the network with my Ubuntu Vivid laptop, but my Android phone could. As this is only happening since very recently, it sounds like a bug in Ubuntu to me, too. And it is probably a regression, since this was working perfectly before, always on Vivid. I have recently got this laptop, and Vivid is the first, and still the only OS ever used on it.
Except that in my case, nothing ever pops up. It is just trying to connect forever. But if it is a new bug, we should open a new report.

Revision history for this message
Franko Burolo (fburolo) wrote :

Today I tried to delete that connection and set it up again. Still no dice, but now the issue looks exactly as Vincent describes it. :-D After some seconds of not being able to connect, a window pops up asking my username and password. Both are correct, I multi-checked it, but it just won't connect.

Revision history for this message
Martin (w-martin-h) wrote :

Wow, ... 15.04 and I face the problem again.
One can also work around this with a wpa_supplicant.conf.
It actually works like a charm, i.e. https://www.rz.uni-osnabrueck.de/dienste/internet/wlan/eduroam/Linux/linux.htm

Revision history for this message
Zacharias Steinmetz (zsteinmetz) wrote :

Same on my PC running Vivid (3.19.0-22, BCM4313), both with certificate added and ignored. Thanks for the workaround, though.

Revision history for this message
Steve (dday246) wrote :

I can't connect to my campus WiFi either on Ubuntu 14.04 I can connect on my iPhone, home, and coffee shop networks but not at school. My IT guy at school couldn't fix it and he runs Ubuntu. I don't want any workarounds or some Micky Mouse bullshit. I want a simple one click update that resolves the issue. I can't even add a printer at home and now this. I'm about to go back to windows if this isn't resolved with an update. I'm glad I decided not to donate any money to this company. I suppose my dad was right when he said despise the free lunch.

Revision history for this message
Vincent Gerris (vgerris) wrote :

Hi Steve,

Ubuntu is a project mostly led by people in their free time.
While I agree that this is an annoying bug, your remarks are a bit blunt when it comes to respecting people's hard work.
How about you be happy with what IS working and try to contribute to a solution?
Feel free to code yourself, after all it is open source.
If you like to go back to a proprietary operating system that has closed source drivers that crash and cannot be fixed at all, why not go for it?
If you don't like Ubuntu, try something else. I do not have the issue on Fedora.
Can't add a printer? Look in the fora, I never had any problem for the last 8 years with any printer and like with Windows some (most not) need a driver.

Last but not least, I agree with Steve that this issue should be fixed.
Can anyone suggest what we should do?

Revision history for this message
Walter Garcia-Fontes (walter-garcia) wrote :

I would suggest people having this bug to open new bug reports with as much details of their systems as they can provide. If the issues are really duplicates of this one, the new bug reports can be duplicated to this one later. I'm connecting with Eduroam networks with 3 different laptops (two with Ubuntu 14.04 and one with Ubuntu 15.10) with no issues, so I think people being hit by this bug are being affected by a combination of software and own hardware particularities.

Revision history for this message
Franko Burolo (fburolo) wrote :

As I said before, on my Toshiba laptop with Qualcomm Atheros WiFi and Ubuntu Vivid 64 it worked brilliantly at first (and still it does on a non-updated live media), but it stopped working, probably after who-knows what update, which is why I don't believe it is a hardware issue.
That said, I do agree with Walter, we should open a new bug report for this one. I would do it myself, but for now the only place where I can test this is my university, which, if everything goes well, I am finishing next week, when I'll be giving my MA thesis presentation. So, ATM I am kinda busy preparing for that, and once that's done, my access credentials for the uni network will soon be cancelled, and I won't be able to contribute any test reports. So I concluded it would be pretty useless for me to open it.

And then about Steve... :-D I have worked in hotels and restaurants, and I know very well what special extra spices some customers get, including those who "despise the free lunch". So go on, enjoy your expensive all-served meal. It certainly does have that something extra. ;-)

Revision history for this message
Vincent Gerris (vgerris) wrote :

Created a new bug : https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1473088
Please put your info there, thank you.

Revision history for this message
In , Kevin (kevin-redhat-bugs) wrote :

Description of problem: After updating to wpa_supplicant 2.4-3 on July 1, was unable to connect to my corporate wifi access point. Subsequent downgrade to wpa_supplicant 2.3-3 fixed access problem, so I think this is a wpa_supplicant bug

Version-Release number of selected component (if applicable): wpa_supplicant 2.4-3

How reproducible: Upgrade to 2.4-3 try to access wpa/wpa2 wifi with TTLS authentication that has been working for well over a year now. Fails. Downgrade to 2.3-3 and it works again.

Steps to Reproduce: See above
1. Select network in NetworkManager
2. Does not connect
3. Keeps asking for password

Actual results:

From /etc/wpa_supplicant.log after upgrade:

wlp12s0: SME: Trying to authenticate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Trying to associate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Associated with e0:1c:41:34:19:e9
wlp12s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlp12s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority' hash=c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority' hash=c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287' hash=09ed6e991fc3273d8fea317d339c02041861973549cfa6e1558f411f11211aa3
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=cicsnc.org' hash=598c9bcc63d9e114262181d14dfed5372381b7ae0eb762e701b689b0e309f9b7
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:www.cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:osx.cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:osx2.cicsnc.org
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp12s0: Authentication with e0:1c:41:34:19:e9 timed out.
wlp12s0: CTRL-EVENT-DISCONNECTED bssid=e0:1c:41:34:19:e9 reason=3 locally_generated=1
wlp12s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="CICS" auth_failures=1 duration=10 reason=AUTH_FAILED
wlp12s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="CICS" auth_failures=2 duration=35 reason=CONN_FAILED

After downgrade:

wlp12s0: Trying to associate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Associated with e0:1c:41:34:19:e9
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
wlp12s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlp12s0: ...


Revision history for this message
In , Wallace (wallace-redhat-bugs) wrote :

I'm using Fedora 22.
After updating the package wpa_supplicant 2.3 to 2.4 can not connect to the wireless network (PEAP-MSCHAPv2, no CA Certificate).

Please see this thread http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Internal-radius-server-incompatibility-with-the-new-wpa/td-p/236602

After downgrade to 2.3 it works again.

Revision history for this message
In , Major (major-redhat-bugs) wrote :

I ran through a git bisect this morning and found that once this patch was applied, I couldn't hop on my corporate Aruba wifi network:

https://w1.fi/cgit/hostap/commit/?id=674f6c073f6f7cd9e04e5f117710f03d5e09ad63

_______________________________________________
commit 674f6c073f6f7cd9e04e5f117710f03d5e09ad63
Author: Eliad Peller <email address hidden>
Date: Wed Oct 22 08:03:56 2014 -0400

    WMM AC: Add basic ADDTS/DELTS sending functions

    Add basic implementation for ADDTS and DELTS sending
    functions.

    wpas_wmm_ac_addts() will send ADDTS request public action,
    containing TSPEC (traffic stream specification) with
    the given params.

    wpas_wmm_ac_delts() will look for the saved tspec with
    the given tid, and send DELTS public action for it.

    (Handling of ADDTS response and actually configuring the admission
    control params will be added in following patches.)

    Signed-off-by: Moshe Benji <email address hidden>
    Signed-off-by: Eliad Peller <email address hidden>
_______________________________________________

A simple 'git revert' was insufficient as additional patches have piled into these same files afterwards. :/

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

(In reply to Kevin Havener from comment #0)
> Description of problem: After updating to wpa_supplicant 2.4-3 on July 1,
> was unable to connect to my corporate wifi access point. Subsequent
> downgrade to wpa_supplicant 2.3-3 fixed access problem, so I think this is a
> wpa_supplicant bug
>
>
> Version-Release number of selected component (if applicable): wpa_supplicant
> 2.4-3
>
>
> How reproducible: Upgrade to 2.4-3 try to access wpa/wpa2 wifi with TTLS
> authentication that has been working for well over a year now. Fails.
> Downgrade to 2.3-3 and it works again.

This appears to be an OpenSSL issue, not a wpa_supplicant one:

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

for example, see:

https://bbs.archlinux.org/viewtopic.php?id=198796
http://alicevixie.blogspot.com/2015/06/dh-key-too-small.html
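A triage of wpa_supplicant log lines in the format quoted in this report, added here as an example (it is not part of the comment above and not wpa_supplicant's own code). It separates a TLS-parameter rejection such as "dh key too small" from a certificate validation failure, two causes that produce the same repeated password prompt. The sample logs are constructed, with placeholder BSSID, SSID, subjects and hashes; the `CTRL-EVENT-EAP-TLS-CERT-ERROR` and `CTRL-EVENT-EAP-SUCCESS` lines are wpa_supplicant events that do not appear in the quoted log.

```python
import re

# Constructed sample logs; addresses, names and hashes are placeholders.
SAMPLE_DH = """\
wlan0: Associated with 02:00:00:00:00:01
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Example CA/CN=Example Root' hash=aaaa
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Example CA/CN=Example Root' hash=aaaa
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org' hash=bbbb
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="example" auth_failures=1 duration=10 reason=AUTH_FAILED
"""

SAMPLE_CERT = """\
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/CN=radius.example.org' err='unable to get local issuer certificate'
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \(([^)]+)\) selected")
CERT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
CERT_ERR_RE = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR .*?depth=(\d+) subject='([^']*)' err='([^']*)'")
OPENSSL_RE = re.compile(
    r"OpenSSL: openssl_handshake - SSL_connect error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.+)$")


def triage(log_text):
    """Collect the EAP method, the presented chain and any failure from a log."""
    r = {"method": None, "chain": [], "tls_error": None,
         "cert_error": None, "eap_failed": False, "eap_ok": False}
    for line in log_text.splitlines():
        line = line.strip()
        if m := METHOD_RE.search(line):
            r["method"] = m.group(1)
        elif m := CERT_ERR_RE.search(line):
            r["cert_error"] = (int(m.group(1)), m.group(2), m.group(3))
        elif m := CERT_RE.search(line):
            entry = (int(m.group(1)), m.group(2))
            if entry not in r["chain"]:  # the same certificate can be logged twice
                r["chain"].append(entry)
        elif m := OPENSSL_RE.search(line):
            r["tls_error"] = m.group(1)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            r["eap_failed"] = True
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            r["eap_ok"] = True
    return r


def verdict(r):
    """Map a triage result to one cause code."""
    if r["eap_ok"]:
        return "OK"
    if r["tls_error"] and "dh key too small" in r["tls_error"]:
        # The local TLS library refused the server's DH parameters; the
        # handshake stopped before any credentials were sent.
        return "SERVER_WEAK_DH"
    if r["cert_error"]:
        return "SERVER_CERT_REJECTED"
    if r["tls_error"]:
        return "TLS_HANDSHAKE_FAILED"
    if r["eap_failed"]:
        return "EAP_FAILED_NO_TLS_ERROR"
    return "INCOMPLETE"


if __name__ == "__main__":
    for name, log in (("dh", SAMPLE_DH), ("cert", SAMPLE_CERT)):
        result = triage(log)
        print(name, result["method"], verdict(result), result["chain"])
```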

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

(In reply to Wallace Hermano from comment #1)
> I'm using Fedora 22.
> After updating the package wpa_supplicant 2.3 to 2.4 can not connect to the
> wireless network (PEAP-MSCHAPv2, no CA Certificate).
>
> Please see this thread
> http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Internal-
> radius-server-incompatibility-with-the-new-wpa/td-p/236602
>
> After downgrade to 2.3 it works again.

Your issue is likely due to wpa_supplicant enabling TLSv1.2 support (in response to recent attacks against SSLv3, TLSv1.0, and TLSv1.1, like the recent Firefox updates that disabled SSLv3 and TLSv1.0 negotiation). Unfortunately, not all RADIUS servers are prepared for that, and they accept the TLSv1.2 connection but generate a mismatching key than the supplicant does. That bug is in the RADIUS server...

There are some patches floating around that will detect this condition and fall back to the less-secure TLSv1.1 automatically, and we'll probably have to add those to Fedora until the RADIUS server vendors like Cisco, Aruba, etc catch up and fix their products.

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

(In reply to Dan Williams from comment #3)
> (In reply to Kevin Havener from comment #0)
> > Description of problem: After updating to wpa_supplicant 2.4-3 on July 1,
> > was unable to connect to my corporate wifi access point. Subsequent
> > downgrade to wpa_supplicant 2.3-3 fixed access problem, so I think this is a
> > wpa_supplicant bug
> >
> >
> > Version-Release number of selected component (if applicable): wpa_supplicant
> > 2.4-3
> >
> >
> > How reproducible: Upgrade to 2.4-3 try to access wpa/wpa2 wifi with TTLS
> > authentication that has been working for well over a year now. Fails.
> > Downgrade to 2.3-3 and it works again.
>
> This appears to be an OpenSSL issue, not a wpa_supplicant one:
>
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
> OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL
> routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
> wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
>
> for example, see:
>
> https://bbs.archlinux.org/viewtopic.php?id=198796
> http://alicevixie.blogspot.com/2015/06/dh-key-too-small.html

More info: wpa_supplicant 2.4 may trigger this where 2.3 would not, because 2.4 enables some new ciphers for use with TLSv1.2, and the server may have enabled DH only for those ciphers that are now enabled.

The options are to either get your network admins to fix the DH key issue by using something > 768 bits, or to disable TLSv1.2 for now until they fix it.

But as a test, here's a wpa_supplicant with TLSv1.2 disabled by default. If you could test it on your network where you get the "dh key too small" error to see if that fixes the issue, then great, we can proceed with a more general solution. But if it doesn't fix the issue, then we'll need to dig a bit deeper and there may not be a general fix.

http://koji.fedoraproject.org/koji/taskinfo?taskID=10392924

Revision history for this message
In , Major (major-redhat-bugs) wrote :

I tried the koji build from the last comment and I'm unable to connect. With debug wpa_supplicant logs, I get:

SSL: SSL_connect:error in SSLv2/v3 read server hello A
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect:error in SSLv3 read finished A

Revision history for this message
In , Kevin (kevin-redhat-bugs) wrote :

I also tried the Koji build. Got the same error as I originally submitted:

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I

Revision history for this message
Martin (w-martin-h) wrote :

Jiminy crickets, kernel upgrade to 3.19.0-23 and EDUROAM is picking up again!

Revision history for this message
Geir Ola (geir-f) wrote :

Has anyone found a functional workaround, other than the one described above? I don't have the proper knowledge to implement the one above.
I am able to create files and edit with nano if told exactly where to do so.
Running Ubuntu Mate 15.04 - 3.18.0-25rpi2 - Mate 1.8.2 on a Raspberry Pi 2.

Revision history for this message
In , Virgilio (virgilio-redhat-bugs) wrote :

I can also confirm that a downgrade of the wpa_supplicant package to version 2.3.3 on Fedora 22 x86_64 makes it possible again to connect to a WPA2 Enterprise/PEAP/MSCHAPV2 network, like eduroam.

Revision history for this message
In , Hannes (hannes-redhat-bugs) wrote :

I can further confirm that downgrading wpa_supplicant to 2.3.3 allowed me to immediately connect to eduroam.

Revision history for this message
In , Gregor (gregor-redhat-bugs) wrote :

I can confirm the same behavior. Immediately after downgrading the wpa_supplicant to 2.3.3 allowed me to connect to our company WIFI.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

I can confirm the same behavior.

I downgraded to 2.3.3 and I was able to connect successfully to the wifi, but then I upgraded the kernel to 4.1.6 and it installed a wpa_supplicant-gui and some other wpa packages, and it stopped working again.

Can I get some help identifying if the issue is from the same root cause?

Because the wpa_supplicant-gui has the same 2.4.4 version of the wpa_supplicant and I tried to downgrade the *-gui one and it failed, due to not having package available.

Revision history for this message
In , Kent (kent-redhat-bugs) wrote :

FYI: I have seen the same (or at least very similar problems). Upgrading to 2.4-3 or 2.4-4 broke my eduroam connection. Downgrading to 2.3-3 again made it work.

I talked to the people running the authentication server (Radiator) used when I log in to eduroam. They upgraded OpenSSL and a related Perl module on the server. After that, eduroam survived an upgrade to 2.4-4 on my laptop.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

Solved the issue removing the wpa_supplicant, and it removed anaconda and anaconda-gui. Then I re-installed the wpa_supplicant, NetworkManager-wifi, and downgraded the wpa_supplicant.

If someday there is a fix I would be very happy to un-block wpa_supplicant packages from my dnf exceptions.

Revision history for this message
In , Germano (germano-redhat-bugs) wrote :

*** Bug 1244188 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Germano (germano-redhat-bugs) wrote :

Latest wpa supplicant working with WPA Enterprise connections:
wpa_supplicant-2.3-3.fc22.x86_64

Revision history for this message
In , David (david-redhat-bugs) wrote :

(In reply to Germano Massullo from comment #15)
> Latest wpa supplicant working with WPA Enterprise connections:
> wpa_supplicant-2.3-3.fc22.x86_64

Just to avoid confusion:

The latest wpa supplicant that works with WPA Enterprise connections is
wpa_supplicant-2.3-3.fc22.x86_64

Revision history for this message
In , Ville (ville-redhat-bugs) wrote :

eduroam broke for me with 2.4 as well. I tried upgrading to 2.5 locally but it remained similarly broken. Works with 2.3-3.

Revision history for this message
In , Ville (ville-redhat-bugs) wrote :

*** Bug 1245766 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Michael (michael-redhat-bugs) wrote :

(In reply to Gregor Fuis from comment #10)
> I can confirm the same behavior. Immediately after downgrading the
> wpa_supplicant to 2.3.3 allowed me to connect to our company WIFI.

I had the same issue. The workaround with version 2.3.3 did the trick for me as well.

(In reply to Dan Williams from comment #4)
> Your issue is likely due to wpa_supplicant enabling TLSv1.2 support (in
> response to recent attacks against SSLv3, TLSv1.0, and TLSv1.1, like the
> recent Firefox updates that disabled SSLv3 and TLSv1.0 negotiation).
> Unfortunately, not all RADIUS servers are prepared for that, and they accept
> the TLSv1.2 connection but generate a mismatching key than the supplicant
> does. That bug is in the RADIUS server...

I can confirm that updating FreeRADIUS (server/network infrastructure) to version freeradius-2.2.6-6.el6_7.x86_64 fixed the issue with wpa_supplicant as well as a (probably similar) issue with android 6.0 as described here https://code.google.com/p/android/issues/detail?id=188867#c29

I am now running wpa_supplicant-2.4-4.fc22.x86_64 on Fedora and can connect successfully to a WiFi using PEAP-MSCHAPv2 (with and without a server certificate check against a CA Certificate)

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Revision history for this message
In , Wallace (wallace-redhat-bugs) wrote :

I'm testing Fedora 23 beta but I can't downgrade the wpa_supplicant.

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

I wouldn't bother degrading client security by forcing TLS 1.1

The fact that Google have shipped with TLS 1.2 in Android 6.0 (Marshmallow) is quickly identifying and mopping up broken authentication servers.

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

I posted in the Google issue tracker:

"I suspect that you all are hitting this issue because the new version of Android is now negotiating, correctly, with TLS 1.2 and you have a broken backend.

If so, this issue should be marked as being invalid.

This applies to anybody with WPA2-Enterprise/802.1X SSIDs backed by either FreeRADIUS 2.2.6 with all TLS-based EAP types, 2.2.6 through 2.2.8 with EAP-TTLS, 3.0.7 with all TLS-based EAP types, and 3.0.7 through 3.0.9 with EAP-TTLS, or Radiator 4.14 or later when used in conjunction with Net::SSLeay 1.52 or earlier.

These unfortunately experience a critical bug where they miscalculate session keying material, the MPPE keys, when the TLS 1.2 protocol is negotiated by EAP clients (supplicant).

Clients that negotiate with the TLS 1.2 protocol version in the TLS Client Hello will not be able to get a usable association to affected wireless networks.

Two MPPE keys, the MS-MPPE-Recv-Key (MasterReceiveKey) and MS-MPPE-Send-Key (MasterSendKey), are used to derive the Master Session Key (MSK). This is absolutely essential to get a usable association.

The mismatch occurs because the client derives the correct MSK and the AP derives a different, incorrect MSK due to the incorrectly calculated MPPE keys supplied in the RADIUS Access-Accept.

This is more of an acute issue as Red Hat ship with a broken FreeRADIUS 2.2.6 package in RHEL 6.7. There is an update now to address this: https://rhn.redhat.com/errata/RHBA-2015-1829.html

CentOS 6.7 is similarly affected as it derives from Red Hat's sources.

I should also mention that there is a difference between implementing/offering TLS 1.2 or not and being intolerant to it. It is the latter that is a problem with the introduction of TLS 1.2 for EAP.

The issue above, loosely, concerns intolerance because the subsequent MPPE keys generated are miscalculated.

Deployments that continue to offer just TLS 1.0 will continue to function correctly as TLS 1.0 will be negotiated by EAP clients (supplicants) despite it offering TLS 1.2 in the client hello in their default configuration. (TLS has a version negotiation mechanism, you just need an intersection of supported versions and cipher suites.)"
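Added example (not part of the comment above and not code from FreeRADIUS, Radiator or wpa_supplicant): the RFC 5216 key export in Python, showing how the MSK and the two MPPE keys diverge when one side applies the TLS 1.0/1.1 PRF after TLS 1.2 was negotiated. That this PRF mix-up is the source of the miscalculation is an assumption made for illustration; the master secret and randoms are constructed values.

```python
import hashlib
import hmac

# Key-export label from RFC 5216 (EAP-TLS); PEAPv0 uses the same label.
LABEL = b"client EAP encryption"

# Constructed handshake values, not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash data expansion (RFC 2246 / RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF for cipher suites using the default hash (SHA-256)."""
    return p_hash("sha256", secret, label + seed, length)


def derive_keys(prf, master_secret, client_random, server_random):
    """RFC 5216 section 2.3: 128 bytes of key material, MSK is the first 64."""
    key_material = prf(master_secret, LABEL, client_random + server_random, 128)
    msk = key_material[:64]
    return {
        "msk": msk,
        "recv": msk[:32],    # MS-MPPE-Recv-Key
        "send": msk[32:64],  # MS-MPPE-Send-Key
    }


def keys_match(a, b):
    """True when both sides hold the same MSK (constant-time compare)."""
    return hmac.compare_digest(a["msk"], b["msk"])


if __name__ == "__main__":
    # Supplicant: TLS 1.2 negotiated, TLS 1.2 PRF used for the export.
    supplicant = derive_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    # Assumed faulty server: same handshake, but the old PRF is applied.
    faulty = derive_keys(prf_tls10, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    # Corrected server: PRF follows the negotiated protocol version.
    corrected = derive_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)

    print("supplicant MS-MPPE-Recv-Key:", supplicant["recv"].hex())
    print("faulty     MS-MPPE-Recv-Key:", faulty["recv"].hex())
    print("faulty server matches supplicant:   ", keys_match(supplicant, faulty))
    print("corrected server matches supplicant:", keys_match(supplicant, corrected))
```

Both sides complete the TLS handshake and EAP reports success in either case; the divergence only shows up when the AP uses the keys from the Access-Accept, which is why the symptom is an association that never becomes usable.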

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

This bug needs to be closed as NOTABUG.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

Hey Nick,

I am not using Android, I am using Fedora 23 as an OS and this error is really annoying. I tried to check which TLS version I am using and still don't have any clue.

Can you help with checking, or with using the TLS that doesn't error out?

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

Anywhere that is using wpa_supplicant 2.4 or later without specific configuration to disable TLS 1.2 will hit this issue with affected RADIUS servers. TLS 1.2 is rightly enabled by default.

(Android Marshmallow uses such a version of wpa_supplicant).

You can certainly disable TLS 1.2 in the configuration for wpa_supplicant if you absolutely must get a usable connection.

Do so with phase1="tls_disable_tlsv1_2=1"

Ideally though you would seek to get the RADIUS server updates to a version that isn't broken.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

I am trying to understand the last choice better. I could connect with the command line, but it's still kind of annoying. My version of freeradius is this
[~] $ sudo dnf info freeradius
Last metadata expiration check performed 3:05:10 ago on Tue Nov 24 12:08:27 2015.
Pacotes instalados
Name : freeradius
Arq. : x86_64
Epoch : 0
Versão : 3.0.8
Release : 3.fc23
Tam. : 3.4 M
Repo : @System
From repo : fedora

Revision history for this message
In , Michael (michael-redhat-bugs) wrote :

I'm not sure if I get you right. Are you using Fedora as a server operating system to provide radius authentication for your network infrastructure?

TLS1.2 is the currently newest and (hopefully) most secure version of the TLS protocol and therefore it is a good choice using it. So disabling TLS1.2 is a bad idea as stated in comment #26. Use a radius server version that implements TLS1.2 correctly instead.

Version 3.0.8 is affected when using EAP-TTLS as mentioned in comment #23 so if you have trouble use a different server version or a different EAP type.

If I've got you totally wrong and you are not the network operator ask your network operator to fix the problem and remove freeradius from your notebook/workstation.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

Yeah, I am a software developer using Fedora as a workstation. Unfortunately my network administrators like Windows; the solution they provided me is to use Ubuntu if I want to use Linux. I prefer Fedora because I have used it since version 13.

I removed the freeradius. The command line is not connecting anymore.
Here is my log. Any thoughts?

Successfully initialized wpa_supplicant
wlp6s0: SME: Trying to authenticate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Trying to associate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Associated with 94:b4:0f:1b:bc:c5
wlp6s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp6s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp6s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' hash=ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA' hash=c27fd4b85e96d3777c68ab7df6aa4e626bf3ff8c72b1ce81d1eb78babeb1a074
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com' hash=47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534
wlp6s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:securelogin.arubanetworks.com
wlp6s0: CTRL-EVENT-DISCONNECTED bssid=94:b4:0f:1b:bc:c5 reason=3 locally_generated=1
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=BR
wlp6s0: SME: Trying to authenticate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Trying to associate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Associated with 94:b4:0f:1b:bc:c5
wlp6s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp6s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp6s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' hash=ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA' hash=c27fd4b85e96d3777c68ab7df6aa4e626bf3ff8c72b1ce81d1eb78babeb1a074
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com' hash=47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534
wlp6s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:securelogin.arubanetworks.com
wlp6s0: CTRL-EVENT-DISCONNECTED bssid=94:b4:0f:1b:bc:c5 reason=3 locally_generated=1
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=BR
wlp6s0: SME: Trying to authenticat...


Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

(In reply to Luiz Pegoraro from comment #29)
> I am still wondering if the issue is on wpa_supplicant or on the hardware,
> because I know a guy who has another PC using Fedora 22 with wpa_supplicant
> 2.4 that connects in the network via NetworkManager.

For F22 with wpa_supplicant 2.4 check this bug too, it seems the openssl library version matters: https://bugzilla.redhat.com/show_bug.cgi?id=1276073

> Also that configuration of the phase1, Can I set somewhere in the
> NetworkManager so I don't have to run command lines to connect to the
> network?

I got it working (F23/wpa_supplicant-2.4-7/openssl-1.0.2d-2) with a custom wpa_supplicant config and some manual steps:
network={
 ssid="corpwifi"
 key_mgmt=WPA-EAP
 eap=PEAP
 phase1="peaplabel=auto tls_disable_tlsv1_2=1"
 phase2="auth=MSCHAPV2"
 identity="***"
 password="***"
}
Unfortunately, I couldn't get the above working with the Networkmanager (/etc/wpa_supplicant/wpa_supplicant.conf and ifcg-corpwifi). The config set in /etc/wpa_supplicant/wpa_supplicant.conf wasn't used.
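Added example (not part of the comment above and not wpa_supplicant's own code): a Python check that reads wpa_supplicant.conf network blocks and flags EAP networks that skip server certificate validation or carry the tls_disable_tlsv1_2=1 workaround, so it can be found and removed once the RADIUS server is fixed. The sample configuration, the CA path and the server name in it are constructed; the finding names are labels chosen for this example.

```python
# Constructed sample: the workaround block from the comment above (credentials
# replaced) next to a block that validates the RADIUS server certificate.
CONSTRUCTED_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
 ssid="corpwifi"
 key_mgmt=WPA-EAP
 eap=PEAP
 phase1="peaplabel=auto tls_disable_tlsv1_2=1"
 phase2="auth=MSCHAPV2"
 identity="user"
 password="constructed"
}

# Hypothetical hardened variant; CA file and server name are placeholders.
network={
 ssid="corpwifi-pinned"
 key_mgmt=WPA-EAP
 eap=PEAP
 ca_cert="/etc/ssl/certs/example-radius-ca.pem"
 domain_suffix_match="radius.example.org"
 phase2="auth=MSCHAPV2"
 identity="user"
 password="constructed"
}
'''

# wpa_supplicant options that bind the server certificate to a name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "subject_match", "altsubject_match")
# phase1 flags that turn off newer TLS versions.
TLS_DOWNGRADE_FLAGS = ("tls_disable_tlsv1_1", "tls_disable_tlsv1_2")


def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding labels for one network block (empty list = nothing flagged)."""
    if "eap" not in net:  # not an 802.1X/EAP network, nothing to check here
        return []
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        # Without a trust anchor the supplicant accepts any server certificate.
        findings.append("no-ca-cert")
    elif not any(net.get(opt) for opt in NAME_CHECKS):
        # A CA alone accepts every certificate that CA has issued.
        findings.append("no-server-name-check")
    phase1 = dict(tok.split("=", 1)
                  for tok in net.get("phase1", "").split() if "=" in tok)
    for flag in TLS_DOWNGRADE_FLAGS:
        if phase1.get(flag) == "1":
            findings.append(flag)
    return findings


def audit(text):
    """Map each SSID in the configuration text to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit(CONSTRUCTED_CONF).items():
        print(ssid, "->", ", ".join(findings) if findings else "ok")
```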

Revision history for this message
In , Eran (eran-redhat-bugs) wrote :

(In reply to Vincent P. from comment #30)

Sorry for the rookie questions, but:
1. Did you change /etc/wpa_supplicant/wpa_supplicant.conf or did you replace it?
2. After the change in /etc/wpa_supplicant/wpa_supplicant.conf, how am I to connect if not by the Networkmanager?

Thanks

> (In reply to Luiz Pegoraro from comment #29)
> > I am still wondering if the issue is on wpa_supplicant or on the hardware,
> > because I know a guy who has another PC using Fedora 22 with wpa_supplicant
> > 2.4 that connects in the network via NetworkManager.
>
> For F22 with wpa_supplicant 2.4 check this bug too, it seems the openssl
> library version matters: https://bugzilla.redhat.com/show_bug.cgi?id=1276073
>
> > Also that configuration of the phase1, Can I set somewhere in the
> > NetworkManager so I don't have to run command lines to connect to the
> > network?
>
> I got it working (F23/wpa_supplicant-2.4-7/openssl-1.0.2d-2) with a custom
> wpa_supplicant config and some manual steps:
> network={
> ssid="corpwifi"
> key_mgmt=WPA-EAP
> eap=PEAP
> phase1="peaplabel=auto tls_disable_tlsv1_2=1"
> phase2="auth=MSCHAPV2"
> identity="***"
> password="***"
> }
> Unfortunately, I couldn't get the above working with the Networkmanager
> (/etc/wpa_supplicant/wpa_supplicant.conf and ifcg-corpwifi). The config set
> in /etc/wpa_supplicant/wpa_supplicant.conf wasn't used.

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

I'm not sure if this is the right place to respond, but hey..wth.

(In reply to Eran B. from comment #31)
> (In reply to Vincent P. from comment #30)
>
> Sorry for the rookie questions, but:
> 1. Did you change /etc/wpa_supplicant/wpa_supplicant.conf or did you replace
> it?
After I did some manual testing (see next answer), I tried to update /etc/wpa_supplicant.conf with my corpwifi config and reconnect via the Networkmanager. Unfortunately, it didn't work.

> 2. After the change in /etc/wpa_supplicant/wpa_supplicant.conf, how am I to
> connect if not by the Networkmanager?
I turned off wifi via the Networkmanager. I created a new wpa_supplicant.conf in /root/ and ran some manual commands:

1. Connect to wifi:
# wpa_supplicant -f /var/log/wpa_supplicant.log -dd -P /var/run/wpa_supplicant.pid -c wpa_supplicant.conf -Dwext -iwlp3s0

2. Get an IP:
# dhclient wlp3s0

After this you should get an IP.

During my tests I fiddled with 'rfkill list all', 'rfkill unblock wifi' and 'ip l set wlp3s0 up' too, but if you get an IP with the above steps, you don't need to.

Revision history for this message
In , Alberto (alberto-redhat-bugs) wrote :
Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

SOLVED TODAY!!! BY NETWORKMANAGER!! Just dnf update -y
I am so thrilled! Thank you guys!

I guess it was a problem in firmwares, I looked into the logs and there were a lot of new packages for firmwares.

Thanks a lot, I guess saying by using Fedora 23, this can be closed now.

Revision history for this message
In , Kevin (kevin-redhat-bugs) wrote :

As the opener of this bug, I think it can be closed now. While other folks seem to have wireless problems, I don't think they are related to my problem which was fixed for me by an upgrade to our corporate wireless access points. It has continued to work after upgrading from F22 to F23 and a couple of iterations of wpa_supplicant as well.

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

Yeah, for TLSv1.2 issues updating the RADIUS server or corporate network is obviously the best choice. If that's not possible then the workaround with the supplicant config must be used, but the problem is at the RADIUS server.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wpasupplicant (Ubuntu Saucy):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu Trusty):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu Utopic):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu):
status: New → Confirmed
Changed in network-manager (Debian):
status: Unknown → New
tags: added: trusty xenial
no longer affects: network-manager-applet (Ubuntu Saucy)
no longer affects: network-manager-applet (Ubuntu Utopic)
no longer affects: wpasupplicant (Ubuntu Saucy)
no longer affects: wpasupplicant (Ubuntu Utopic)
Changed in wpasupplicant (Ubuntu):
importance: Undecided → High
Changed in wpasupplicant (Ubuntu Trusty):
importance: Undecided → High
tags: removed: raring regression-release saucy verification-done
Changed in network-manager-applet (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in network-manager-applet (Ubuntu Trusty):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in network-manager-applet (Ubuntu):
status: Fix Released → Triaged
Changed in network-manager-applet (Ubuntu Trusty):
status: Fix Released → Triaged
Changed in wpasupplicant (Ubuntu):
status: Confirmed → Triaged
Changed in wpasupplicant (Ubuntu Trusty):
status: Confirmed → Triaged
Revision history for this message
Alberto Salvia Novella (es20490446e) wrote :

The bug is still there, and happens despite the network adaptor being used.

description: updated
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
- CA_Certificate
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise networks
+ without CA_Certificate, like Eduroam
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise networks
- without CA_Certificate, like Eduroam
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 wifi enterprise
+ networks without CA_Certificate, like Eduroam
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 wifi enterprise
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise wifi
networks without CA_Certificate, like Eduroam
Changed in fedora:
importance: Unknown → Medium
status: Unknown → Fix Released
Revision history for this message
In , Tchvatal (tchvatal) wrote :

This version of openSUSE changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
openSUSE, or consider the bug still valid, please feel free to reopen this
bug against that version, or open a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime

Changed in network-manager (openSUSE):
status: Confirmed → Won't Fix
Revision history for this message
Jarurote Tippayachai (jarurote) wrote :

This also appeared on Ubuntu 18.04.1 LTS (64-bit).

After upgrading the 64-bit OS from Ubuntu 16.04 LTS to Ubuntu 18.04.1 LTS, my PC cannot authenticate with WPA/PEAP/MSCHAPV2/no certificate. The login popup also appeared without any connection.

I tried following the URL below; however, it did not help me.

https://askubuntu.com/questions/279762/how-to-connect-to-wpa2-peap-mschapv2-enterprise-wifi-networks-that-dont-use-a-c

My PC is HP Compaq Pro 4300, CPU: Intel® Core™ i3-3220 CPU @ 3.30GHz × 4, OS: Ubuntu 18.04.1 (64-bit).

Thanks.

Revision history for this message
Adrián Arroyo Calle (adrian-arroyocalle) wrote :
Revision history for this message
Chaoqi Zhang (prncoprs) wrote :

OMG! It still exists on 2021-12-27, Ubuntu 20.02 LTS 64-bits.

Revision history for this message
Allan W. Macdonald (allan-w-macdonald) wrote :

Still happening on Ubuntu 20.04LTS:

uname -a
Linux nodename 5.15.15-76051515-generic #202201160435~1642693824~20.04~97db1bb~dev-Ubuntu SMP Fri Jan 21 x86_64 x86_64 x86_64 GNU/Linux

The workaround suggested in original bug description worked for me but I needed to use someone else's computer in order to find the solution.

Revision history for this message
Ali Tolga Özbaş (eroniss55) wrote (last edit ):

I can confirm the existence of this bug in Ubuntu 22.04 Beta. Everything is up to date. I've tried many things. Still won't work.

Oddly enough, everything was working fine on Arch Linux. I think some patch distros do in this package breaks WPA2 Enterprise.

Revision history for this message
Ali Tolga Özbaş (eroniss55) wrote :

22.04 stable version has been released yesterday, and it still doesn't work on Ubuntu 22.04.
