
hostapd eap configuration with Let's Encrypt Certificate

I'm trying to get hostapd working with EAP-PEAP and a Let's Encrypt certificate. When connecting with my Android phone though, it does not connect and complains that the certificate has expired.

hostapd logs

wlan0: STA <mac> IEEE 802.11: authenticated
wlan0: STA <mac> IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED <mac>
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):fatal:certificate expired
OpenSSL: openssl_handshake - SSL_connect error:0A000415:SSL routines::sslv3 alert certificate expired
wlan0: CTRL-EVENT-EAP-FAILURE <mac>
wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA <mac> IEEE 802.11: deauthenticated due to local deauth request

Client configuration

EAP Method: PEAP
Identity:
Password:
CA-Certificate: Use System Certificate
Domain:
Phase2 Authentication: MSCHAPV2
Anonymous Identity:

When configuring the CA-Certificate validation mode to "no validation" however, the connection works flawlessly.

Certificate

> openssl x509 -in /etc/hostapd/certs/server.pem  -text
[...]
        Validity
            Not Before: Jan 29 09:40:58 2023 GMT
            Not After : Apr 29 09:40:57 2023 GMT
        Subject: CN = <domain>
[...]

hostapd.conf

# EAP Settings
eap_server=1
ieee8021x=1
eapol_version=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP
eap_user_file=/etc/hostapd/hostapd.eap_user
ca_cert=/etc/hostapd/certs/ca.pem
server_cert=/etc/hostapd/certs/server.pem
private_key=/etc/hostapd/certs/server.key

hostapd.eap_user

# Wildcard for all other identities
*               PEAP,TTLS,TLS

# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"testaccount1"      MSCHAPV2  "SuperSecretPassword1"       [2]

On my Windows machine, these settings work flawlessly; the certificate is presented to me and I can decide to accept it (or not). However, the validation method is very different on Windows.

I'm therefore wondering if any of you have experience with this on Android.

I'm also confused with the lines

wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)

This looks to me like I misconfigured something in eap_user, but then again it is working as long as certificate validation is not enabled.

For anyone looking for an answer to this:

The above configuration actually works flawlessly with Windows and iOS. Only getting Android to work requires a different configuration in hostapd.conf and on the Android device:

In hostapd.conf: For ca_cert, download the root CA that is used in the certificate chain to sign the intermediate CA which signed your server.pem. In my case, this was ISRG Root X1. All Let's Encrypt certificates are available on https://letsencrypt.org/de/certificates/

For server_cert, the fullchain.pem file is used, containing the server certificate and the intermediate certificate chain.

On Android: Download the same root CA and add it specifically as a Wi-Fi certificate. This certificate needs to be selected when connecting.

It appears as if Android does not use the system certificate store, or the system certificate store for Wi-Fi certificates does not contain the Let's Encrypt root CA. Therefore, this CA needs to be added manually, rendering the process on Android much more complicated on unmanaged devices.
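The pairing the answer describes (ca_cert = root CA, server_cert = fullchain.pem) can be checked offline with openssl before touching hostapd. The script below is an added example, not from the post or from hostapd; it builds a constructed three-tier toy PKI (root, intermediate, leaf, mirroring ISRG Root X1 / R3 / leaf) under a temp directory instead of using real Let's Encrypt files, and the names Demo Root X1, Demo Intermediate R3 and ap.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or hostapd): builds a throw-away
# root -> intermediate -> server PKI and checks the files the way hostapd
# pairs them: ca_cert = root, server_cert = fullchain (leaf + intermediate).
# All names and paths under $WORK are constructed for this demo.
set -u
WORK="${WORK:-$(mktemp -d)}"

# gen_pki DIR: write root.pem, int.pem, server.pem and fullchain.pem into DIR
gen_pki() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ap.example.test\n' >"$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root X1" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate R3" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ap.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 90 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
  # fullchain.pem = leaf first, then the intermediate (same layout as certbot's file)
  cat "$d/server.pem" "$d/int.pem" >"$d/fullchain.pem"
}

# verify_chain ROOT CHAINFILE: 0 only if the first cert in CHAINFILE chains up to ROOT
# using the remaining certs in CHAINFILE as untrusted intermediates, i.e. what a
# supplicant trusting only ROOT must be able to do with what hostapd sends it.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# not_expiring CERTFILE SECONDS: 0 if the first cert in CERTFILE is still valid SECONDS from now
not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Demo run on the constructed PKI
gen_pki "$WORK/demo"
if verify_chain "$WORK/demo/root.pem" "$WORK/demo/fullchain.pem"; then
  echo "server_cert=fullchain.pem with ca_cert=root.pem: chain OK"
fi
if ! verify_chain "$WORK/demo/root.pem" "$WORK/demo/server.pem"; then
  echo "server_cert=server.pem (leaf only) with ca_cert=root.pem: FAILS, intermediate missing"
fi
if not_expiring "$WORK/demo/fullchain.pem" $((30 * 86400)); then
  echo "leaf still valid for at least 30 days"
fi
```

Point verify_chain and not_expiring at the real ca_cert and server_cert paths from hostapd.conf to check a live setup; a 90-day Let's Encrypt leaf makes the expiry check worth running from cron.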
