Certificate @ capsman 7.13.1

Hi all
I’m stuck on strange cert behavior of the capsman connection.
I have a router with capsman and two identical cAPs (model = cAPGi-5HaxD2HaxD); one is connected, the other is bitching: ssl no trusted CA certificate found (resp. “disconnected, connection interrupted” in the router/capsman logs).
The config for this part is identical on both APs:
/interface wifi cap
set caps-man-addresses=192.168.69.1 certificate=request discovery-interfaces=bridge enabled=yes lock-to-caps-man=yes
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan69-pvt,*4 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg69-pvt radio-mac=00:00:00:00:00:00 slave-configurations=cfg16-pub,cfg21-iot

certificates @ working one:

[admin@Patio] > /certificate/print
Flags: K - PRIVATE-KEY; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#    NAME              COMMON-NAME                   SKID                                    
0  T _0                WiFi-CAPsMAN-CA-4C5E0CD37561  82054501ef8dcd55d8980f5883cdfc9892c8a53d
1 K  CAP-789A189246C3  CAP-789A189246C3              f2dc369ccc799187ffa30f41401e91379880d6c6

and @ the failing one:

[admin@CAP-Indoor] > /certificate/print
Flags: K - PRIVATE-KEY; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#    NAME              COMMON-NAME                   SKID                                    
0  T _0                WiFi-CAPsMAN-CA-4C5E0CD37561  82054501ef8dcd55d8980f5883cdfc9892c8a53d
1 K  CAP-789A189242F5  CAP-789A189242F5

I’ve tried removing the certs and re-joining the failing one, but ended up in the same corner.
From the GUI point of view: I’m able to join the Capsman the first time and get a cert, but if I enable “Lock To Capsman”, it starts complaining and I’m totally out. Not just the lock, but even the join is not working.


Any advice/suggestion available?
Note that capsman/wifiwave is completely new to me and there could be some glitch somewhere else, but both configs seem very identical to me.

I’m facing this too in 7.14.2.

I created users and certificates using this guide:

https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+security+with+User+Manager+v5

Nevertheless user manager keeps on complaining “EAP rejected for user: <some_user_name> ssl: no trusted CA certificate found”

I’m trying to figure this out too. I guess this has been broken for a long time now.

I just found something… it appears all certificates are created with invalid dates.

Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 T name="WiFi-CAPsMAN-CA-D401C3F3DB93" issuer=CN=WiFi-CAPsMAN-CA-D401C3F3DB93 digest-algorithm=sha384
key-type=ec common-name="WiFi-CAPsMAN-CA-D401C3F3DB93" key-size=secp384r1 subject-alt-name=""
days-valid=24854 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
serial-number="05506ecfe9f6a25e"
fingerprint="b9df88d3adc62c54736568383aa1501f9b2027a52f67b931ac4cd52110e13f4c" akid=""
skid=7c64606b00560e3a7b4f9479f6966ce3bacff807 invalid-before=2106-02-07 02:28:17
invalid-after=2174-02-24 05:42:23 expires-after=689w5d3h15m53s

If we wait about 82 years, CAPSMAN might start working.
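
Added example, not part of any post in this thread: a small Python check that parses `/certificate print detail`-style output and flags certificates whose validity window has not started yet, the condition visible in the listing above. The sample text is constructed (the CA values are the ones quoted above, `CAP-EXAMPLE` is made up), and timestamps are compared as naive times on one clock.

```python
import re
from datetime import datetime

# Constructed sample: two records in the key=value layout of the post's
# detail output. The first reuses the CA values quoted in the thread; the
# second is a made-up certificate with a sane validity window.
SAMPLE = '''\
 0 T name="WiFi-CAPsMAN-CA-D401C3F3DB93" key-type=ec days-valid=24854 trusted=yes
     invalid-before=2106-02-07 02:28:17
     invalid-after=2174-02-24 05:42:23 expires-after=689w5d3h15m53s
 1 K name="CAP-EXAMPLE" key-type=ec days-valid=365
     invalid-before=2024-01-10 09:00:00 invalid-after=2025-01-09 09:00:00
'''

RECORD_START = re.compile(r'^\s*\d+\s')  # a record begins with its index number
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|\S*)')

def parse_certificates(text):
    """Split the listing into records and return one dict of fields per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith('Flags:') or not line.strip():
            continue
        if RECORD_START.match(line):
            current = {}
            records.append(current)
        if current is not None:
            for key, value in FIELD.findall(line):
                current[key] = value.strip('"')
    return records

def validity_state(cert, now):
    """Classify a certificate against `now`: not-yet-valid, expired or valid."""
    fmt = '%Y-%m-%d %H:%M:%S'
    start = datetime.strptime(cert['invalid-before'], fmt)
    end = datetime.strptime(cert['invalid-after'], fmt)
    if now < start:
        return 'not-yet-valid'
    return 'expired' if now > end else 'valid'

def audit(text, now):
    """Return (name, state) for every certificate in the listing."""
    return [(c['name'], validity_state(c, now)) for c in parse_certificates(text)]

if __name__ == '__main__':
    for name, state in audit(SAMPLE, datetime(2024, 6, 1)):
        print(f'{name}: {state}')
```

Pass the device's own clock reading as `now` when auditing an export, since a peer validates the window against its local time.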

certs working on 7.17beta
was broken on previous ros