ACS in HA with expired EAP certificate

Hi, my name is Ivan, and I have a question:
I have two Cisco ACS version 5.4 servers in HA (primary and replica) providing 802.1x services for users and computers, integrated with the corporate Active Directory. The servers have a certificate to authenticate users and computers by PEAP MSCHAPv2. This certificate installed on the ACS server has expired. The certificate was obtained by generating the request from the ACS server and downloading the certificate from a Microsoft CA server.
How can I re-install the certificate, since the units are in HA, and provide the 802.1x services again?
Thanks for your answers.
Regards.
Ivan.

Hi Ivan,
Here are the steps:
To replace the certificate in both servers it is better to make each server a stand-alone unit, in other words to break the cluster.
To break the cluster, go under distributed deployment, select your secondary unit from the primary server, deregister it first and then delete it.
This will restart services on the secondary server, which may take around 5 minutes.
Once the server is back you can start the process on each server of requesting a new certificate from VeriSign.
To do so:
Create a new certificate signing request on each server.
Export the CSR to your CA.
Install the new certificate received from your CA under local certificates (here select that you want to use this certificate for EAP authentication).
Delete the old certificate used for EAP once you are sure that EAP is working fine for your clients with the new certificate.
Join both servers as primary/secondary units under the distributed deployment section for your secondary unit.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
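As an added example (not Cisco's code and not from this thread), the script below reads the validity window straight out of a certificate's DER encoding with the Python standard library and reports whether the EAP server certificate is still good, due for renewal, or already expired, so the procedure above can be started before clients begin failing. The sample certificate it builds is constructed for the example: only its dates mirror the acs.blah.com certificate quoted later on this page, and the 30-day warning window is an assumption.

```python
"""Expiry check for the EAP server certificate that a RADIUS server such as ACS
presents during PEAP.  Added example for this thread (not Cisco's code, and it does
not talk to ACS): it walks the DER structure of an X.509 certificate with the standard
library only and reports how many days remain, so the renewal procedure (deregister
secondary, new CSR, install, delete old, rejoin) can be scheduled in time."""
import base64
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: start the renewal procedure a month before expiry


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Split the contents of a SEQUENCE/SET into its top-level (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                       # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY < 50 means 20YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                     # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def load_der(data):
    """Accept a PEM export (as the ACS/Windows CA tools produce) or raw DER bytes."""
    if b"-----BEGIN" in data:
        lines = [l for l in data.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def validity(der):
    """Return (notBefore, notAfter) of the certificate as aware UTC datetimes."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def days_remaining(der, now=None):
    now = now or datetime.now(timezone.utc)
    return (validity(der)[1] - now).days


def renewal_status(der, now=None, warn_days=WARN_DAYS):
    """'expired': PEAP clients are already failing; 'renew': start the procedure now."""
    d = days_remaining(der, now)
    return "expired" if d < 0 else "renew" if d <= warn_days else "ok"


# --- constructed sample, NOT a real ACS certificate: dummy key and signature, but the
# dates of the acs.blah.com certificate quoted later on this page (28.09.2012-28.09.2018)
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _name(cn):  # Name ::= SEQUENCE OF SET OF { id-at-commonName, UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def sample_cert():
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    val = _tlv(0x30, _tlv(0x17, b"120928095000Z") + _tlv(0x17, b"180928095000Z"))
    tbs = (_tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + sha256_rsa
           + _name("SubCA3-1") + val + _name("acs.blah.com")
           + _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00\x00")))
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    cert = sample_cert()
    print(validity(cert), renewal_status(cert))   # today this reports "expired"
```

Point `load_der` at the .cer exported from the ACS local certificates page and run it from a scheduled job; anything other than "ok" is the cue to start the procedure above.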

Similar Messages

  • Clients connect to wifi with certificate that expires every month - correct way to handle expired certificates?

    Hi all
    I'm sorry if this is the wrong forum to ask this question. Also my knowledge in this area is somewhat limited, which is why I need your help :-)
    We use wireless networks primarily in my company for all our clients and use a certificate to authenticate to the network. This certificate expires after 1 month and we automatically renew them 1 week before expiry. Relatively often we have users that are not connected to the network for a few weeks or more and then the certificate expires before being renewed. Then we have to connect them to the wired network to get the certificate updated, so they can connect to the wireless network again.
    What is the correct approach to solve this issue? We feel extending the life of the certificate would be a too big security compromise. Is there some way you could automatically allow an expired certificate briefly with the sole purpose of renewing the certificate?
    Or how would you normally resolve this issue?
    Thanks for any help/knowledge you can provide :-)

    > Setting the validity period that high, means that the certificate could be cracked before expiry.
    Then you should be scared of CAs whose validity is 10 or more years. And they use the same cryptography as end-entity certificates (key length and signature algorithms). It is paranoia. Just make sure that client certificates use at least 2048-bit keys and the SHA1 (or better) signature algorithm. In this case there is little chance that a certificate will be successfully cracked in 2 years.
    If there is evidence (or indications) of client private key compromise, immediately revoke the certificate and publish a new CRL ASAP. You cannot protect clients from key compromise by using short-lived certificates, because key compromise is usually achieved by gaining control over the private key (malware on the client computer). Therefore, there is nothing wrong with issuing client certificates with 1 or 2 year validity.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured and working 802.1x authentication with certificates for wired connections, with no problem.
    When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    The ACS is the same, the certificate is the same, and the root CA is the same.
    What's happening?
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Problem with ACS 4.1 using certificate

    I have an ACS 4.1 appliance, and I have already configured ACS to work with certificates. I got the certificate from ACS and installed it as the installation guide says. Additionally I configured the card's controller in my PC to manage the certificate.
    When I try to be validated by ACS I cannot go on because a message appears saying "click to select a certificate"; after clicking, a window appears asking for user and password, although I did not expect to receive this window.
    The switch's port were configured as follows:
    aaa new-model
    aaa authentication dot1x default group radius+
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
    switchport mode access
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 3
    dot1x reauthentication
    radius-server host (ip address) auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key password
    What am I doing wrong, or is there something left?

    1) Did you install the certificate file on the local machine? (Right click >> Install Certificate >> And so on..)
    2) Are you using the built-in dot1x supplicant in Windows XP? Is the setting MD5?
    3) Did you select this installed certificate from the drop-down menu in the wireless software?
    Regards
    Farrukh

  • ACS 5.3 WLC Certificates RADUIS Active Directory

    Hi,
    I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the installed certificates to connect to the wireless, and then authenticate with AD and laptop certificates to the ACS. So if a user from work brings a home laptop, it won't be able to connect, as they don't have a certificate installed on the laptop.
    I have set up ACS to connect to AD.
    I have added the local certificate from my company's CA:
    acs.blah.com / acs.blah.com, issued by SubCA3-1, valid from 09:50 28.09.2012 to 09:50 28.09.2018, used for: EAP, Management Interface
    I create a very simple rule and then try to connect through the laptop. I select the certificate on the client and click connect. The connection works fine and I am on the network.
    Authentication Summary
    Logged At: October 2, 2012 3:06:37.996 PM
    RADIUS Status: Authentication succeeded
    NAS Failure:
    Username: blah\Eddy
    MAC/IP Address: 18-3d-a2-26-7f-b9
    Network Device: L39-WC-5508-01 : 10.49.2.150
    Access Service: WirelessAD
    Identity Store: AD1
    Authorization Profiles: Wireless AD
    CTS Security Group:
    Authentication Method: PEAP(EAP-MSCHAPv2)
    I then just tried a laptop I brought from home; I used my AD username and password and this also connected. This laptop doesn't have a certificate. How can I make it so that only work laptops with certificates are allowed to connect to the wireless?
    Any help would be great; happy to send screenshots of my setup.
    Cheers
    Eddy

    Hi Guys,
    Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
    Logged At: October 12, 2012 2:50:17.866 PM
    RADIUS Status: Authentication failed : 15039 Selected Authorization Profile is DenyAccess
    NAS Failure:
    Username: blah\eddy
    MAC/IP Address: 00-21-6a-07-31-88
    Network Device: -WC-5508-01 : 10.10.2.10
    Access Service: WirelessAD
    Identity Store: AD1
    Authorization Profiles: DenyAccess
    CTS Security Group:
    Authentication Method: PEAP(EAP-MSCHAPv2)
    I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below; any ideas on how to get this to work? I don't have MARS; is MARS required for this PEAP setup?
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24416  User's Groups retrieval from Active Directory succeeded
    24101  Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
    24420  User's Attributes retrieval from Active Directory succeeded
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    Evaluating Group Mapping Policy
    11824  EAP-MSCHAP authentication attempt passed
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12314  PEAP inner method finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12306  PEAP authentication succeeded
    11503  Prepared EAP-Success
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    any ideas guys?
    thanks for the help.

  • ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

    Hi All,
    I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
    Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
    Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
    I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
    Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
    Thanks,
    Rob

    Hello,
    Did you find a guide for EAP-FAST with AD ?
    I'm facing the same problem, I can't make EAP-FAST working with AD Account,
    Thanks to you
    Regards,
    Gérald

  • Integration problem between Cisco Secure ACS 4.2 with LDAP

    Hi expert,
    I have a problem with the integration between Cisco Secure ACS 4.2 and SUN Java System Directory (LDAP). During the integration, I noticed that users fail to authenticate against LDAP via Cisco Secure ACS. The error message is "Authentication Type is not supported by external DB". In this case the "external DB" refers to LDAP. Have any of you had experience integrating both products before? Can any of you give me some pointers about this? Attached are both screen captures from my ACS server.
    Thanks very much,
    Daniel

    Hi,
    Thanks for the compatibility chart. Oh dear..., it seems that LDAP does not support PEAP (EAP-MSCHAPv2) at all. I am not sure if the latest LDAP (particularly for SUN Java System Directory) is able to support this authentication protocol.
    Just to clarify with you all, in case you wonder what I'm trying to do: our company wants to implement 802.1x over the network. So every staff member on the network must be authenticated before being able to access the network resources. Our Linksys switches support this standard, including Cisco switches of course. Our RADIUS server is Cisco Secure ACS 4.2, but all user information, including usernames and passwords, is stored in our directory server (LDAP), which is SUN Java System Directory.
    Since most of our staff machines are running XP and Vista, the only available authentication method (besides certificate based) is PEAP (EAP-MSCHAPv2). Based on the compatibility chart, generic LDAP does not support this authentication protocol, as we noted from the "authentication type not supported by external database" error message in the ACS logs.
    From what I learned, the latest LDAP (version 3.0?) is able to support this authentication protocol, but this is yet to be confirmed by my further research.
    So... can anyone advise me on this matter? Thanks very much!

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I base my setup on the technet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event log ID 300:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS certificate as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • ACS 4.2 with patch 4 Services restart

    I have installed ACS 4.2 with patch 4
    After a certain period, authentication fails, giving an internal error. I need to restart all the services. What could be the problem? Please help me in resolving this issue. I am running short of time.

    Internal Error is a very generic error. I hope that you had your logging set to Full; if not, then you won't be able to see the exact reason in the debug logs.
    You might want to check,
    \CSAuth\Logs
    And check the debug log when you got the internal error for a particular authentication attempt.
    Also, what kind of authentication was failing ? Was it PEAP/EAP-FAST with inner method as MSCHAP machine authentication, then it could be something related to,
    CSCsq96755 : ACS needs manual restart to recover machine authentication
    Then go for Patch 5 for ACSv4.2
    Regards,
    Prem
    Please rate if it helps!

  • Apple Push Notification Service Certificate will expire in 30 days

    I am receiving mails regarding "Apple Push Notification Service Certificate will expire in 30 days",
    I don't know what to do at this time or where to verify this. I know about renewing the iOS developer program, but I don't have any idea about this Push Notification Service certificate. Please help me out.

    Greetings Prem garigapati,
    I understand you are receiving a message regarding an expiring certificate. Are you using a version of OS X Server on your computer? This article has additional information which may be helpful:
    OS X Server: How to renew expired push certificates - Apple Support
    If the certificate you use with the Apple Push Notification service (APNs) has expired, you can renew it using OS X Server.
    Use these steps to renew any push notification certificates that have expired:
    Open the OS X Server app.
    Select your server in the Server app sidebar, then click Settings.
    Click the Edit button next to the “Enable Apple push notifications” option.
    Enter your organization's Apple ID in the sheet that appears, then click Renew to renew the expired certificate.
    Deselect (uncheck) the “Enable Apple push notifications” option.
    Select (check) the “Enable Apple push notifications” option.
    Thank you for contributing to Apple Support Communities.
    Best,
    Bobby_D

  • The Server's SSL certificate has expired

    Hi,
    This morning I accessed my mails without any problems. After some time my Outlook was suddenly disconnected and I got the message "The Server's SSL certificate has expired". Can anyone help me out with this?
    Thanks,
    Prasad K

    Check whether you have accidentally set your system date to something other than the current date.
    Edited by: user10788046 on Oct 22, 2010 8:16 PM

  • Wlc 2100 with local eap auth

    Hello
    I have set up a WLC 2125 with local EAP auth, which I think is working fine for now.
    But I don't want a certificate warning to come up when users log in.
    Can I stop this from happening without buying a certificate?
    Can I turn off HTTPS altogether?
    Trond

    Thank you Trond,
    So here we are talking about web authentication, which does not use local EAP, so I'm not sure whether the local EAP profile is really being triggered for that.
    Clients are being prompted with a WLC's self-signed certificate, more or less in the same way as they would be if they tried to login to the WLC via HTTPS.
    Similarly, the fastest way would be to install this certificate on the user's machine, so that it can trust it from that moment on.
    Or you can generate a certificate signing request for the WLC, submit it to a root CA/buy a root CA signed server certificate (with the root CA trusted by the clients) and then install this certificate on the WLC:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    For web authentication, there is no way to switch to HTTP for the WLC's certificate validation.
    Regards,
    Fede
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • After updating SSL Certificate, iCal is saying the certificate has expired.

    Having a problem with iCal after updating our SSL certificate. The certificate expired recently, so we renewed it with GoDaddy and followed the steps on their site to update it on our server. Everything seemed to have gone fine; under Server Admin in the certificates section it shows the certificate is valid through 2015, and I have Mail and iCal both set to use that certificate (it is the only one you can select). E-mail works fine, but when you connect with iCal it says there is a problem with the certificate. When I click details it shows the certificate has expired and shows the expiration date of the old certificate. I have tried to delete and import the new certificate again but still have the same issue. It seems that somehow iCal is still holding the old certificate. Does anyone know what is going on? Did I make a mistake somewhere?

    Hi,
    According to your post, I understand that the client faces the problem “The linked image cannot be displayed. The file may have been moved, renamed, or deleted. Verify that the link points to the correct file and location” after changing the SSL certificate.
    If I misunderstand your concern, please do not hesitate to let me know.
    Do you see the "page cannot be displayed" error only from your DC server or also from a Windows 7 client machine? What browser do you use and what version?
    Please run the “certutil -store” command from a command prompt to verify that the certificate is correctly installed in the certificate store. Also run “certutil -store my” to check the certificate from the CA.
    If the certificate is already installed, please refer to below link to check the value of Cache in registry:
    https://support.microsoft.com/en-us/kb/2753594
    Thanks
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Allen Wang
    TechNet Community Support

  • Outlook 2013 Clients certificate has expired warning or not yet valid

    Hello,
    We went through a migration from Exchange 2010 to 2013 in the last year but have had an ongoing issue with some Outlook clients getting a certificate warning after they launch the client. Not all Outlook clients experience this. We've just recently uninstalled Exchange from our 2010 servers and shut them down. What we have left are two 2013 servers in a DAG. The certificate these Outlook clients are complaining about expired in 2012. Here is the warning they are getting:
    "Certificate has expired warning or not yet valid"
    I've been through numerous threads/sites regarding this error but it always ends up that there was an expired cert hanging out somewhere.  I cannot seem to find an expired cert anywhere...
    I've run the 'Get-ExchangeCertificate | fl' cmdlet and I see 7 certs listed, none of which match the thumbprint on the cert warning in Outlook.
    When I check the registry of the Exchange servers here: HKLM>Software>Microsoft>SystemCertificates>My>Certificates
    I can see 7 certificate entries listed there and the thumbprints match those of the cmdlet run from EMS.
    OWA shows the correct cert expiring in 2015 and Outlook clients are pointed to the 2013 servers.  We do have a load balancer that AutoDiscover, OWA, SMTP are going through.  
    It seems like some of these Outlook clients are still looking at the decommissioned 2010 Exchange servers' old certificate.  Any ideas on how I can get outlook to point to the new certificate/server?
    Thanks.
    Rory
    Rory Schmitz

    Hi Rory,
    If possible, could you please post the Get-ExchangeCertificate | FL results about the certificate which is assigned with IIS service here?
    If the issue only happens for some users instead of all users, please create a new Outlook profile for the problematic user to check whether the issue persists. Please make sure the certificate name which is reported as expired or not valid is included in the IIS service certificate in your Exchange 2013.
    In Exchange server side, please restart IIS service by running IISReset /noforce from a command prompt window to have a try.
    Regards, 
    Winnie Liang
    TechNet Community Support

  • Issues with certificates with both Firefox and chromium

    I tried everything... I reinstalled both of them.
    I deleted the profiles and made new ones.
    I checked with all my other computers whether they have issues with certificates: no problem at all.
    Checked the date: it's OK.
    Finally I checked what is installed on the system related to the problem:
    # pacman -Q|egrep '(openssl|curl|ca-cert)'
    ca-certificates 20140325-1
    ca-certificates-java 20140324-3
    curl 7.37.1-1
    lib32-curl 7.37.1-1
    lib32-openssl 1.0.1.i-1
    openssl 1.0.1.i-1
    python2-pyopenssl 0.14-3
    or whether there is an issue with a library:
    # ldd `which curl`
    linux-vdso.so.1 (0x00007fffd2a48000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f8a1c4d9000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f8a1c2c3000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f8a1c0a5000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f8a1bcf7000)
    libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f8a1bace000)
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f8a1b860000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f8a1b44e000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f8a1b203000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f8a1af22000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f8a1acf0000)
    libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f8a1aaec000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8a1c747000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f8a1a8e8000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f8a1a6db000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f8a1a4d7000)
    libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f8a1a2c0000)
    I tried using a virtual machine on the same machine with Ubuntu installed: no problem.
    Any idea?
    Last edited by saronno (2014-08-15 12:37:44)

    # curl -v https://areaclienti187.telecomitalia.it
    * Rebuilt URL to: https://areaclienti187.telecomitalia.it/
    * Hostname was NOT found in DNS cache
    * Trying 62.77.57.164...
    * Connected to areaclienti187.telecomitalia.it (62.77.57.164) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using TLSv1.0 / AES128-SHA
    * Server certificate:
    * subject: C=IT; ST=Italy; L=Pomezia; O=Telecomitalia; OU=ADM.AP.PM.WO; CN=areaclienti187.telecomitalia.it; emailAddress=[email protected]
    * start date: 2013-10-08 10:06:37 GMT
    * expire date: 2014-10-08 10:06:37 GMT
    * common name: areaclienti187.telecomitalia.it (matched)
    * issuer: C=IT; O=I.T. Telecom; OU=Servizi di certificazione; CN=I.T. Telecom Global CA
    * SSL certificate verify ok.
    With curl, no problem at all.
    Last edited by saronno (2014-08-15 19:10:09)
