University of Vienna’s Eduroam Certificate Hopping

Recently, the Eduroam Wi-Fi access, courtesy of the University of Vienna, of a device I administer stopped working. At first I thought it was a temporary outage, but after a few days that theory went out the window, as connection establishment kept failing. A quick look at /var/log/syslog revealed that the certificate check had failed. But why, and why now?

Fortunately, the Wi-Fi authentication client leaves ample information in the syslog:

[...] wpa_supplicant[1393]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 2 for '/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021'

Previously, the university used a certificate from DigiCert (DigiCert_Assured_ID_Root_CA.pem). Not so anymore. For some time now, Eduroam from the University of Vienna requires using HARICA_TLS_RSA_Root_CA_2021.pem. Both can be found in the Linux /etc/ssl/certs folder.

Four things really annoy me about this:

First, I didn’t get a notice of the change. Might be my mistake.

Second, the official configuration description of the University of Vienna recommends disabling certificate checking. Sure, why not, security is not important, just get grabbed by a rogue Eduroam access point and be happy. Simplicity trumps security.

Third: In case you really insist on security, the official instructions point to a certificate file that should be used. Too bad the instructions point to a wrong or outdated certificate. Also, the HARICA cert is part of Ubuntu's official SSL certificate distribution, so no copy/paste of a cert file is required.

And the final thing that bugs me about this is that the official documentation does not mention that the suffix check should be configured, as otherwise a rogue access point can just send any kind of certificate.

Security and data privacy look different… Anyway, I’ve updated my own description of how to configure Eduroam for the University of Vienna on Ubuntu here.
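As an added illustration (not from the original post and not the university's official instructions), here is what the two wpa_supplicant network blocks look like side by side: the weak form that "disable certificate checking" amounts to, and the form that pins the HARICA root from /etc/ssl/certs and adds the suffix check. The EAP/phase2 methods, the identity realm and the RADIUS server name are placeholders or assumptions; take the real values from the university's instructions.

```conf
# Weak form: no ca_cert means wpa_supplicant does not verify the RADIUS
# server's certificate at all, so any access point that answers to the
# SSID "eduroam" with any certificate is accepted and gets the credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP                        # assumption: EAP method per the official instructions
    phase2="auth=MSCHAPV2"          # assumption: inner method per the official instructions
    identity="USER@REALM"           # placeholder
    password="PASSWORD"             # placeholder
}

# Hardened form: trust anchor pinned to the HARICA root that Ubuntu already
# ships, plus a suffix check on the server name so that a rogue access point
# cannot satisfy the check with an arbitrary HARICA-issued certificate.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP                        # assumption, as above
    phase2="auth=MSCHAPV2"          # assumption, as above
    identity="USER@REALM"           # placeholder
    password="PASSWORD"             # placeholder
    # Root named in the syslog error; no copy/paste of a cert file needed.
    ca_cert="/etc/ssl/certs/HARICA_TLS_RSA_Root_CA_2021.pem"
    # Server certificate's DNS name must end in this suffix (dNSName SAN,
    # falling back to CN); placeholder to be replaced with the RADIUS server
    # name from the official instructions.
    domain_suffix_match="RADIUS-SERVER-NAME"
}
```

After changing ca_cert, a successful run no longer logs "error 20 (unable to get local issuer certificate)" for the HARICA root at depth 2; if domain_suffix_match does not match, wpa_supplicant rejects the server certificate even though the chain verifies.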
