Certificate verification failed, error 19 (self signed certificate in certificate chain)

Jouni Malinen
Sun Apr 1 02:29:10 PDT 2012

On Mon, Mar 12, 2012 at 03:40:09PM +0000, Michael Zintakis wrote:
> Initially - when a client tries to connect for the first time - this 
> works without any glitches and the client is authenticated first time. 
> After exactly 60 minutes, however, the wpa_supplicant tries to 
> "re-negotiate" the connection for some reason and I get the above error, 
> after which the client is briefly disconnected!
> When wpa_supplicant tries to re-authenticate again approximately 30 
> seconds after the above disconnection, the authentication succeeds 
> (using the same certificate/credentials which were rejected 
> previously!). Judging by the wpa_supplicant logs, a "handshake" is made 
> approximately every 10 minutes and this always succeeds.

That sounds quite strange.. Would it be possible to get a detailed debug
log (-ddt on wpa_supplicant command line) showing this?

> 2. I have "disabled" the "ca_cert" parameter in the wpa_supplicant.conf 
> file - then re-authentication works, but the CA certificate is 
> completely ignored (I have a subject match in my wpa_supplicant.conf 
> file and no matter what is put there, wpa_supplicant completely ignores 
> it when ca_cert parameter is disabled).

There is no point in validating subject match if you don't validate the
server certificate in the first place..

> As the ca_cert is a certificate from a certificate authority, I expect 
> the certificate chain to be 1 certificate deep, thus the certificate in 
> question is always self-signed. Why is the wpa_supplicant then 
> complaining, given also the fact that when it tries the same process 30 
> seconds later - it succeeds?! Have I missed something in my setup?

This should obviously not happen and it sounds like the authentication
server would be doing something very strange here.. Anyway, I would need
to see more debug information to see what exactly is the difference
between those two authentication attempts.

> Would it be possible to either a) fix the above error and stay connected 
> for longer than 60 minutes at a time; or b) extend this re-negotiation 
> time from 60 minutes to a bit longer than that so that the client does 
> not get disconnected every hour?

That time is configured on the AP and/or authentication server..
Depending on what the real issue is, it may or may not be possible to
fix it in wpa_supplicant.

> W/wpa_supplicant(  582): TLS: Certificate verification failed, error 19 
> (self signed certificate in certificate chain) depth 1 for 
> '/C=DE/ST=XX/L=XX/O=XX/emailAddress=XX/CN=XX'

This would indicate that the certificate used by the authentication
server was not trusted at this point.. It is strange if this changes
between the re-authentication and the following authentication after

Jouni Malinen                                            PGP id EFC895FA
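
Added example, not part of the original message and not wpa_supplicant code: a small Python check for the situation in point 2, where subject_match is configured but ca_cert is disabled, so the server certificate is not validated and the match has nothing to apply to. The sample configuration, SSIDs, paths and the finding labels are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = '''
network={
    ssid="corp-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/certs/ca.pem"
    subject_match="/CN=radius.example.com"
}
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    #ca_cert="/etc/certs/ca.pem"
    subject_match="/CN=radius.example.com"
}
network={
    ssid="home"
    psk="constructed passphrase"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r'network=\{(.*?)\n\s*\}', text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#'):  # skip commented-out settings
                key, _, value = line.partition('=')
                fields[key] = value.strip('"')
        networks.append(fields)
    return networks

def audit(text):
    """Flag EAP networks whose server certificate is not validated."""
    findings = []
    for net in parse_networks(text):
        if 'eap' not in net and 'EAP' not in net.get('key_mgmt', ''):
            continue  # PSK/open network: no server certificate involved
        if 'ca_cert' in net or 'ca_path' in net:
            continue  # trust anchor configured
        has_match = 'subject_match' in net or 'altsubject_match' in net
        findings.append((net.get('ssid'),
                         'match-without-ca' if has_match else 'no-ca'))
    return findings
```

Calling audit(SAMPLE_CONF) reports only the "corp-weak" network, whose ca_cert line is commented out while subject_match is still set.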
