During EAP-TLS authentication the following error may appear (even though verifying the certificate with openssl reports no problem):
rad_recv: Access-Request packet from host 192.168.1.100 port 60774, id=97, length=275
User-Name = "[email protected]"
NAS-IP-Address = 192.168.1.100
NAS-Port = 0
Called-Station-Id = "00-11-74-D0-39-80:Scott_2.4_08"
Calling-Station-Id = "3C-A9-F4-74-72-8C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02c000650d005db20b491882d8b2836a3e7367ced892ee79feab01ab063fe93e6c0fa118a3d29d892641140301000101160301003053da9ab27c15fdcf594be064427ba01a8b89b99921da699a19614c042348123d63c9f8bee6f9d3d73033fe169485e35e
State = 0x7100e50775c0e8bbcfd83df2c247dfbc
Message-Authenticator = 0x0a8f6ba7555c880f5fd685b040c23f1d
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
[eap] EAP packet type response id 192 length 101
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03dd], Certificate
--> verify error:num=9:certificate is not yet valid
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:lib(20):func(137):reason(178)
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Delaying reject of request 67 for 1 seconds
Going to the next request
Waking up in 0.2 seconds.
Cleaning up request 60 ID 90 with timestamp +212
Waking up in 0.7 seconds.
Sending delayed reject for request 67
Sending Access-Reject of id 97 to 192.168.1.100 port 60774
EAP-Message = 0x04c00004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.3 seconds.
Tracing the OpenSSL side of the code shows that the bad_certificate error is most likely caused by the certificate time check failing (the "verify error:num=9:certificate is not yet valid" line above); in that case compare the system time of the RADIUS server with the certificate's validity period. The simplest fix is to set the system time to a point after the certificate's notBefore date.
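The check described above, written out as an added example that is not part of the original post: a small stand-alone Python script (standard library only) that walks the DER structure of an X.509 certificate to its Validity field and reports "not yet valid", "expired" or "valid" relative to a given clock, mirroring OpenSSL's verify error numbers 9 (X509_V_ERR_CERT_NOT_YET_VALID) and 10 (X509_V_ERR_CERT_HAS_EXPIRED). The sample certificate it builds is a constructed skeleton with a notBefore date in the future; it carries no key and no real signature, so it is only meant to exercise the time check. The load_pem helper and the file path in main are assumptions for running it against a real client certificate.

```python
import datetime as dt
import ssl


def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _parse_time(tag, raw):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) as a UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ, RFC 5280 pivot year 50
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = text[2:]
    elif tag == 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        year = int(text[:4])
        rest = text[4:]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError(f"unsupported time encoding {text!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)              # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional explicit version tag [0]
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, validity = fields[3]
    (nb_tag, nb), (na_tag, na) = list(_children(validity))
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def check_validity(der, now):
    """Classify the certificate's time window relative to the clock 'now'."""
    not_before, not_after = cert_validity(der)
    if now < not_before:
        return "not yet valid"             # OpenSSL verify error num=9
    if now > not_after:
        return "expired"                   # OpenSSL verify error num=10
    return "valid"


def load_pem(path):
    """Assumed helper: read a PEM certificate file and return its DER bytes."""
    with open(path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


# --- constructed sample certificate (skeleton only, not a usable certificate) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _time(text):
    # 13-char strings are UTCTime, 15-char strings are GeneralizedTime
    return _der(0x17 if len(text) == 13 else 0x18, text.encode("ascii"))


def sample_cert(not_before, not_after):
    """Build a minimal DER Certificate whose only meaningful content is the Validity field."""
    version = _der(0xA0, _der(0x02, b"\x02"))                       # [0] EXPLICIT INTEGER 2 (v3)
    serial = _der(0x02, b"\x01")
    oid_sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"       # 1.2.840.113549.1.1.11
    sig_alg = _der(0x30, _der(0x06, oid_sha256_rsa) + _der(0x05, b""))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _time(not_before) + _time(not_after))
    tbs = _der(0x30, version + serial + sig_alg + empty_name + validity + empty_name + _der(0x30, b""))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))            # placeholder BIT STRING signature


if __name__ == "__main__":
    # Constructed sample: certificate that only becomes valid on 2030-01-01, checked against today's clock.
    der = sample_cert("300101000000Z", "350101000000Z")
    now = dt.datetime.now(tz=dt.timezone.utc)
    print("notBefore/notAfter:", cert_validity(der))
    print("system clock says:", now, "->", check_validity(der, now))
    # For a real supplicant certificate: check_validity(load_pem("/path/to/client.pem"), now)
```

Run the script on the RADIUS server itself, not on the workstation where openssl passed: the status depends on the clock of the machine doing the comparison, which is exactly why openssl verification elsewhere can succeed while FreeRADIUS rejects the handshake.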