Eduroam refusing to connect due to certificate verification error

Hello.
I am trying to connect to my university’s WPA2E eduroam network, but cannot. These are the logs from journalctl. Omitted values are typically a MAC address. Probably unnecessary, but hey.
Other networks seem to work fine. Just this one, really.

Jan 07 13:30:18 phosphor kernel: wlp4s0: deauthenticated from [omitted] (Reason: 23=IEEE8021X_FAILED)
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/CN=FGCU-Radius03.primary.ad.fgcu.edu' err='CA signature digest algorithm too weak'
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: TLS: Certificate verification failed, error 68 (CA signature digest algorithm too weak) depth 0 for '/CN=FGCU-Radius03.primary.ad.fgcu.edu'
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:FGCU-Radius03.primary.ad.fgcu.edu
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=FGCU-Radius03.primary.ad.fgcu.edu' hash=[omittedhash]
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jan 07 13:30:18 phosphor kernel: wlp4s0: Limiting TX power to 30 (30 - 0) dBm as advertised by [omitted]
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.4279] device (p2p-dev-wlp4s0): supplicant management interface state: associating -> associated
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.4278] device (wlp4s0): supplicant interface state: associating -> associated
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: Associated with [omitted]
Jan 07 13:30:18 phosphor kernel: wlp4s0: associated
Jan 07 13:30:18 phosphor kernel: wlp4s0: RX AssocResp from [omitted] (capab=0x431 status=0 aid=27)
Jan 07 13:30:18 phosphor kernel: wlp4s0: associate with [omitted] (try 1/3)
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.3893] device (p2p-dev-wlp4s0): supplicant management interface state: authenticating -> associating
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.3892] device (wlp4s0): supplicant interface state: authenticating -> associating
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.3891] device (p2p-dev-wlp4s0): supplicant management interface state: scanning -> authenticating
Jan 07 13:30:18 phosphor NetworkManager[1194]: <info>  [1736274618.3890] device (wlp4s0): supplicant interface state: scanning -> authenticating
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: Trying to associate with [omitted] (SSID='eduroam' freq=2462 MHz)
Jan 07 13:30:18 phosphor kernel: wlp4s0: authenticated
Jan 07 13:30:18 phosphor kernel: wlp4s0: send auth to [omitted] (try 1/3)
Jan 07 13:30:18 phosphor kernel: wlp4s0: authenticate with [omitted] (local address=ce:f2:0b:ef:9d:2e)
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: SME: Trying to authenticate with [omitted] (SSID='eduroam' freq=2462 MHz)

If you need any more information, feel free to ask.

From the error it looks like the university’s router isn’t using correctly configured certificates; see e.g. “eduroam doesn't connect due to weak certificate signature digest” on Ask Ubuntu.
You can try to get them to fix it, or uncheck the require certificate option (not always possible, and a huge security issue).

I’ve been told, and I quote, that "the university’s networking infrastructure is for Windows and MacOS only." Calling them again about the issue prompted them to pretty much say there was nothing they can do. I am not switching back to Windows. Is there a way to mitigate the security risks presented by this solution?
Also, would the fix from that forum post be directly translatable to Fedora, or would I need to do something else?

If it’s any consolation, I had very similar experiences with university IT departments, won’t name names. Even when you point out that their implementation is broken irrespective of OS, sometimes when you mention Linux it’s enough for them to just wash their hands of the issue.

In any case, I just checked and on Fedora (40) the same openssl config file exists as referenced in the answer, so you can try (after a backup) to see if that resolves it.
For my (current) eduroam site the issue doesn’t occur so I can’t test the suggestion.
To compensate for the lower security, you can run a VPN over the eduroam connection, but that doesn’t always work.
Alternatively, if you have a spare phone, you can connect it to eduroam, and share the Wi-Fi connection (again with VPN if possible).
Hope it works for you,

Attempting to follow the attached guide gives this in journalctl:

Jan 07 14:00:56 phosphor NetworkManager[1194]: <info>  [1736276456.8447] manager: NetworkManager state is now DISCONNECTED
Jan 07 14:00:56 phosphor NetworkManager[1194]: <info>  [1736276456.8440] device (wlp4s0): state change: config -> failed (reason 'no-secrets', managed-type: 'full')
Jan 07 14:00:56 phosphor kernel: wlp4s0: deauthenticating from [omitted] by local choice (Reason: 3=DEAUTH_LEAVING)
Jan 07 14:00:56 phosphor NetworkManager[1194]: <warn>  [1736276456.8439] device (wlp4s0): Activation: (wifi) association took too long
Jan 07 14:00:34 phosphor kernel: wlp4s0: Limiting TX power to 30 (30 - 0) dBm as advertised by [omitted]
Jan 07 14:00:34 phosphor NetworkManager[1194]: <info>  [1736276434.3319] device (p2p-dev-wlp4s0): supplicant management interface state: associating -> associated
Jan 07 14:00:34 phosphor NetworkManager[1194]: <info>  [1736276434.3319] device (wlp4s0): supplicant interface state: associating -> associated
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: Associated with [omitted]
Jan 07 14:00:34 phosphor kernel: wlp4s0: associated
Jan 07 14:00:34 phosphor kernel: wlp4s0: RX AssocResp from [omitted] (capab=0x11 status=0 aid=40)
Jan 07 14:00:34 phosphor NetworkManager[1194]: <info>  [1736276434.2995] device (p2p-dev-wlp4s0): supplicant management interface state: authenticating -> associating
Jan 07 14:00:34 phosphor NetworkManager[1194]: <info>  [1736276434.2995] device (wlp4s0): supplicant interface state: authenticating -> associating
Jan 07 14:00:34 phosphor kernel: wlp4s0: associate with [omitted] (try 1/3)
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: Trying to associate with [omitted] (SSID='eduroam' freq=5745 MHz)

Still doesn’t connect. To be specific, I followed the guide linked in the Stack Exchange post, which only changes the configuration for wpa_supplicant; the only change was that the security level was set to 0 instead of 1, for reasons described in the post you originally linked.

Thank you, IT department.

There are many threads about issues with eduroam and many show solutions.
Search here for “eduroam”

Try reviewing the different threads on this issue and see if any of the fixes may work for you.

Allow SHA-1 using crypto-policies

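Added example (not part of any post in this thread): a small triage script that reads wpa_supplicant and NetworkManager journal lines like the two excerpts above and reports whether an attempt ended in a server certificate rejection or stalled without one. The sample input is trimmed from the lines quoted in the thread; the function name and verdict labels are made up for illustration.

```python
import re

# Sample input: lines trimmed from the two journal excerpts quoted in this thread.
FIRST_ATTEMPT = """\
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/CN=FGCU-Radius03.primary.ad.fgcu.edu' err='CA signature digest algorithm too weak'
Jan 07 13:30:18 phosphor wpa_supplicant[1264]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
"""
SECOND_ATTEMPT = """\
Jan 07 14:00:56 phosphor NetworkManager[1194]: <info>  [1736276456.8440] device (wlp4s0): state change: config -> failed (reason 'no-secrets', managed-type: 'full')
Jan 07 14:00:56 phosphor NetworkManager[1194]: <warn>  [1736276456.8439] device (wlp4s0): Activation: (wifi) association took too long
Jan 07 14:00:34 phosphor wpa_supplicant[27854]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
"""

CERT_ERROR = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(?P<reason>\d+) depth=(?P<depth>\d+) "
    r"subject='(?P<subject>[^']*)' err='(?P<err>[^']*)'")
NM_FAILED = re.compile(r"state change: \S+ -> failed \(reason '(?P<reason>[^']+)'")


def triage(journal: str) -> dict:
    """Summarise one 802.1X attempt. Line order is irrelevant, so the
    newest-first output shown in the thread is handled as-is."""
    r = {"eap_started": False, "eap_failed": False, "timed_out": False,
         "nm_reason": None, "cert_errors": []}
    for line in journal.splitlines():
        r["eap_started"] |= "CTRL-EVENT-EAP-STARTED" in line
        r["eap_failed"] |= "CTRL-EVENT-EAP-FAILURE" in line
        r["timed_out"] |= "association took too long" in line
        if m := NM_FAILED.search(line):
            r["nm_reason"] = m["reason"]
        if m := CERT_ERROR.search(line):
            r["cert_errors"].append(
                {"depth": int(m["depth"]), "subject": m["subject"], "err": m["err"]})
    if r["cert_errors"]:
        # The client rejected the RADIUS server's chain during the TLS handshake.
        r["verdict"] = "server-cert-rejected"
    elif r["eap_started"] and r["timed_out"] and not r["eap_failed"]:
        # EAP began but reached neither success nor failure before NetworkManager gave up.
        r["verdict"] = "eap-stalled"
    elif r["eap_failed"]:
        r["verdict"] = "eap-failed-other"
    else:
        r["verdict"] = "no-eap-evidence"
    return r


if __name__ == "__main__":
    for name, text in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(name, triage(text))
```

The second excerpt contains no CTRL-EVENT-EAP-TLS-CERT-ERROR line, so the script separates that stalled attempt from the certificate rejection seen in the first.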