OpenOTP PKi login failed - SSL certificate verify failed


Roland Schnabl

Jan 15, 2026, 9:08:32 AM
to RCDevs Security
Dear Support Team,

We are encountering an issue with our OpenOTP RADIUS Bridge where authentication is failing for EAP-TLS sessions. The process seems to successfully complete the initial handshake, but fails at the OpenOTP PKi login stage.

Symptoms:

- The RADIUS debug log shows "rlm_openotp: Sending openotpPKILogin request" followed immediately by "OpenOTP PKi login failed".
- This results in an OpenSSL error: "error:0A000086:SSL routines::certificate verify failed".
- The client certificate details appear to be read correctly before the failure.

We have attached the anonymized debug logs below for your review. Could you please assist in troubleshooting this PKI login failure?

Anonymized Debug Log:

Best regards 

Schnabl

802.1X_cert_debug.txt

Spyridon Gouliarmis (RCDevs)

Jan 15, 2026, 9:19:52 AM
to RCDevs Security
Hello Roland,

The certificate [chain] presented by WebADM on TCP port 8443 (or whatever server_url says in /opt/radiusd/conf/radiusd.conf) is not signed by the CA in /opt/radiusd/conf/ca.crt. Normally this does not happen, as the /opt/radiusd/bin/setup script retrieves WebADM's CA cert, which does not change, and the certificate presented, /opt/webadm/pki/webadm.crt, is automatically generated by the setup script and re-generated by the startup script when close to its expiration date.

From your radiusd host, what does this output:

openssl s_client -showcerts -connect your.webadm.host:8443 -CAfile /opt/radiusd/conf/ca.crt
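
A scripted form of the same trust check, added here as an example; it is not from the thread participants or RCDevs. It separates "the issuer is not the CA in the file" from "the CA name matches but verification still fails". The function names and the throwaway certificates are constructed for illustration; only the ca.crt path and the port come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not RCDevs code; function names are hypothetical.
# On the radiusd host (CA path and port as given in the thread):
#   fetch_leaf your.webadm.host:8443 > /tmp/leaf.pem
#   diagnose /opt/radiusd/conf/ca.crt /tmp/leaf.pem

# fetch_leaf HOST:PORT: write the leaf certificate the server presents as PEM.
fetch_leaf() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509
}

# diagnose CAFILE CERT: print one verdict. Only the first certificate in
# CAFILE is used for the name comparison.
diagnose() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    elif [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
           "$(openssl x509 -in "$1" -noout -subject_hash)" ]; then
        # CA name matches, so look at key mismatch or validity dates; rerun
        # "openssl verify" without the redirect to see the exact error.
        echo issuer-name-matches-but-verify-fails
    else
        echo issuer-not-in-cafile
    fi
}

# make_demo_pki DIR: constructed throwaway PKI. ca_a signs leaf, ca_b reuses
# ca_a's subject with a new key, ca_c has a different subject.
make_demo_pki() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        '[dn]' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    mk_ca() {  # mk_ca DIR TAG COMMON_NAME
        openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=$3" -keyout "$1/ca_$2.key" -out "$1/ca_$2.crt" 2>/dev/null
    }
    mk_ca "$1" a "Constructed Demo CA"
    mk_ca "$1" b "Constructed Demo CA"
    mk_ca "$1" c "Constructed Other CA"
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=webadm.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca_a.crt" -CAkey "$1/ca_a.key" \
        -set_serial 1 -days 2 -out "$1/leaf.crt" 2>/dev/null
}
```

If the server's certificate was issued by an intermediate rather than directly by the CA in the file, the name comparison reports issuer-not-in-cafile even when the chain is otherwise sound, so check the full chain from `-showcerts` in that case.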