Troubleshoot RADSEC & TLS Certificate Errors

Certificate configuration errors and RADSEC (RADIUS over TLS) issues are common in secure RADIUS deployments. This guide covers certificate management, RADSEC configuration, and TLS troubleshooting.

Mideye Server uses certificates for:

  • Web interface HTTPS — TLS for web administration
  • RADSEC — RADIUS over TLS for secure RADIUS communication
  • LDAPS — LDAP over SSL/TLS

Common error messages and what they usually mean:

  Error                                               Description
  “Keystore file not found”                           Certificate keystore missing or wrong path
  “Failed to initialize SSL context from keystore”    Keystore loading failed (for example wrong keystore password, no key entry, or unreadable file)
  “Certificate validation failed”                     Certificate not trusted or invalid
  “SSL handshake failed”                              TLS negotiation failure
  “Certificate has expired”                           Certificate past validity period

Managing Certificates via the Web Interface

The recommended way to manage certificates is through the Certificate Management page in the web administration interface. This is the safest method and avoids the risk of breaking the keystore with command-line operations.

Use the web interface to:

  • View current certificate details (subject, issuer, expiration)
  • Upload new certificates
  • Generate certificate signing requests (CSR)

During installation, Mideye Server generates a self-signed certificate for HTTPS and RADSEC. While functional, self-signed certificates cause browser warnings and may not be trusted by RADSEC clients.

Symptoms:

  • Browser shows “Your connection is not private” warning
  • RADSEC clients fail with certificate validation errors
  • Certificate warnings in logs

Diagnosis:

  1. Check the certificate on the Certificate Management page in the web interface: subject, issuer and expiration, and whether the issuer is your CA or the self-signed default.

  2. If the web interface is not accessible, check from the command line that the keystore exists:

    Linux:

    ls -la /opt/mideyeserver6/config/keystore.p12

    Windows:

    Test-Path "C:\Program Files\Mideye Server\config\keystore.p12"

  3. Test the TLS connection and read the certificate the server actually serves (a self-signed certificate shows the same value for subject and issuer):

    Linux:

    echo | openssl s_client -connect localhost:8080 2>/dev/null | \
    openssl x509 -noout -subject -issuer -dates

Solution:

Option 1: Use the Certificate Management Page (Recommended)

Use the Certificate Management page to upload a CA-signed certificate. This is the safest approach.

Option 2: Accept Self-Signed Certificate (Testing Only)

For testing/development only:

  • Accept browser warning
  • Import cert into client trust store

Option 3: Install CA-Signed Certificate via Command Line

Only use this if the web interface is not accessible.

Warning: Modifying the keystore via command line can break the service. Always back up the existing keystore before making changes, and export the new keystore with the password Mideye Server is configured to use (changeit below is a placeholder, not a recommended value).

Linux:

# Back up existing keystore
sudo cp /opt/mideyeserver6/config/keystore.p12 \
/opt/mideyeserver6/config/keystore.p12.backup.$(date +%Y%m%d)
# Create PKCS12 keystore from the server certificate, its private key and the CA chain.
# -name sets the entry alias; keep it the same as in the existing keystore.
# A password given as -password pass:... is visible in shell history and in the
# process list while openssl runs; on shared hosts prefer -passout file:/path/to/passfile
# with the file readable only by you (mode 600).
openssl pkcs12 -export \
-in server.crt \
-inkey server.key \
-certfile ca-chain.crt \
-out /opt/mideyeserver6/config/keystore.p12 \
-name mideyeserver \
-password pass:changeit
# Set permissions so only the service account can read the private key
sudo chown mideye:mideye /opt/mideyeserver6/config/keystore.p12
sudo chmod 660 /opt/mideyeserver6/config/keystore.p12
# Restart service
sudo systemctl restart mideyeserver6

Verify new certificate:

echo | openssl s_client -connect localhost:8080 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates
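Before restarting the service with a freshly built keystore, and whenever the log shows “Failed to initialize SSL context from keystore”, it helps to inspect the keystore read-only. The script below is an added example and is not part of Mideye Server or its documentation; it needs OpenSSL on the host, and the keystore path, the alias mideyeserver and the password changeit are assumptions taken from the command-line procedure above.

```shell
#!/usr/bin/env bash
# Added example (not Mideye's own tooling): read-only checks on a PKCS12
# keystore for the usual causes of "Failed to initialize SSL context from
# keystore": wrong password, missing or misnamed entry, key/cert mismatch.
# Assumes: openssl in PATH. Path, alias and password are placeholders.
set -u

# Return 0 if the keystore can be opened (MAC verified) with the given password.
keystore_password_ok() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Print the friendlyName (alias) of each certificate entry, one per line.
keystore_aliases() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        sed -n 's/^[[:space:]]*friendlyName: //p'
}

# Print subject and notAfter of the server (leaf) certificate in the keystore.
keystore_leaf_info() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Return 0 if the private key entry matches the leaf certificate.
# The key is decrypted only inside a pipe; nothing is written to disk.
keystore_key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -pubkey) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks on keystore=$1 password=$2 alias=$3 (default mideyeserver).
# Prints one line per finding; returns 0 only if every check passes.
check_keystore() {
    local ks="$1" pass="$2" expect_alias="${3:-mideyeserver}" status=0
    keystore_password_ok "$ks" "$pass" || { echo "FAIL: cannot open $ks with the given password"; return 1; }
    keystore_aliases "$ks" "$pass" | grep -qx "$expect_alias" || { echo "FAIL: no entry with alias $expect_alias"; status=1; }
    keystore_key_matches_cert "$ks" "$pass" || { echo "FAIL: private key does not match the server certificate"; status=1; }
    keystore_leaf_info "$ks" "$pass"
    return "$status"
}

# Stand-alone use: check_keystore.sh /opt/mideyeserver6/config/keystore.p12 changeit mideyeserver
if [ "$#" -ge 2 ]; then
    check_keystore "$@"
fi
```

Run it as the service account (sudo -u mideye) so it sees the same file permissions the server does; a password failure here with the password you believe is configured is the first thing to resolve, since every other check depends on it.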

RADSEC (RADIUS over TLS) provides encrypted RADIUS communication using TLS on port 2083 (RFC 6614).

Mideye Server supports two certificate configuration modes:

Mode 1: External PEM Files (Recommended for Production)

Uses separate PEM certificate and private key files:

radsec:
  enabled: true
  port: 2083
  ssl:
    private-key-path: /opt/radsec/server/key.pem
    certificate-chain-path: /opt/radsec/server/cert.pem

Mode 2: Internal Keystore

Uses the existing PKCS12 keystore (same as web interface).

Check that RADSEC is listening on port 2083:

Linux:

ss -tlnp | grep ':2083'

Windows:

Get-NetTCPConnection -LocalPort 2083 -ErrorAction SilentlyContinue

Test the TLS handshake and show the certificate chain the server presents (stdin is closed so s_client exits after the handshake instead of waiting for input):

echo | openssl s_client -connect localhost:2083 -showcerts

Problem: Keystore File Not Found

Cause: File doesn’t exist, wrong path, or incorrect permissions (the service account cannot read it).

Solution:

  1. Verify file exists:

    Linux:

    ls -la /opt/mideyeserver6/config/keystore.p12

    Windows:

    Get-Item "C:\Program Files\Mideye Server\config\keystore.p12"
  2. Fix permissions (Linux):

    sudo chown mideye:mideye /opt/mideyeserver6/config/keystore.p12
    sudo chmod 660 /opt/mideyeserver6/config/keystore.p12
  3. Verify configuration path in the application configuration file

Problem: External Certificate Files Not Found

Solution:

Linux:

# Create certificate directory
sudo mkdir -p /opt/radsec/server
sudo chown mideye:mideye /opt/radsec/server
# Copy and secure certificate files
sudo cp server.crt /opt/radsec/server/cert.pem
sudo cp server.key /opt/radsec/server/key.pem
sudo chown mideye:mideye /opt/radsec/server/*.pem
sudo chmod 640 /opt/radsec/server/*.pem

Problem: Certificate Not in PEM Format or Private Key Encrypted

Cause: Certificate not in PEM format, or private key is encrypted with a passphrase that the service cannot supply at startup.

Solution:

  1. Verify PEM format:

    head -n 1 /opt/radsec/server/cert.pem
    # Should show: -----BEGIN CERTIFICATE-----
    head -n 1 /opt/radsec/server/key.pem
    # Should show: -----BEGIN PRIVATE KEY----- (PKCS#8); -----BEGIN RSA PRIVATE KEY-----
    # and -----BEGIN EC PRIVATE KEY----- are PEM as well.
    # -----BEGIN ENCRYPTED PRIVATE KEY----- means the key is passphrase-protected;
    # write an unencrypted copy first (prompts for the passphrase):
    openssl pkey -in key.pem -out /opt/radsec/server/key.pem
  2. Convert DER to PEM if needed:

    openssl x509 -inform DER -in cert.der -out cert.pem
    # openssl pkey handles both RSA and EC keys; openssl rsa only RSA
    openssl pkey -inform DER -in key.der -out key.pem
  3. Include the full certificate chain in the right order: server certificate first, then the intermediate(s), then the root (the root is optional for TLS clients but harmless):

    cat server.crt ca-intermediate.crt ca-root.crt > /opt/radsec/server/cert.pem

Symptoms:

  • Sudden authentication failures
  • TLS handshake failures
  • Browser rejects connection
  • “Certificate has expired” errors in logs

Diagnosis:

  1. Check the expiration date regularly on the Certificate Management page in the web interface.

  2. Check from command line:

    Linux:

    # Check PEM certificate
    openssl x509 -in /opt/radsec/server/cert.pem -noout -dates
    # Check web interface certificate
    echo | openssl s_client -connect localhost:8080 2>/dev/null | \
    openssl x509 -noout -dates
  3. Set up monitoring: create a scheduled check for certificates expiring within 30 days

Solution:

  1. Renew the certificate before expiration
  2. Install the new certificate via the Certificate Management page
  3. Restart service if required

Mideye Server supports TLS 1.2 and TLS 1.3 by default. Force one protocol version at a time to confirm that both negotiate; look for the “Protocol : TLSv1.2” or “TLSv1.3” line in the SSL-Session block (-tls1_3 needs OpenSSL 1.1.1 or later on the client side):

# Test TLS 1.2
openssl s_client -connect localhost:2083 -tls1_2 </dev/null
# Test TLS 1.3
openssl s_client -connect localhost:2083 -tls1_3 </dev/null

RADSEC can require client certificates for mutual TLS (mTLS) authentication, so that only RADIUS clients holding a certificate issued by your CA can open a RADSEC session. This is configured in the application configuration file.

Set up a trust store containing only the CA certificates that issue your RADSEC clients’ certificates. Do not point it at the system’s public root bundle: any certificate from a public CA would then be accepted as a client. When mTLS is enabled, a client that presents no certificate, or one from another CA, fails the TLS handshake before any RADIUS packet is exchanged, so check the client side first if handshakes start failing right after enabling mTLS.

Port Already in Use:

Linux:

sudo lsof -i :2083

Windows:

Get-Process -Id (Get-NetTCPConnection -LocalPort 2083).OwningProcess

Firewall Blocking:

Open TCP port 2083, but only to your RADSEC clients; 203.0.113.10 below is a placeholder client address.

Linux:

# Opens 2083/tcp to everyone; use the scoped form below instead where possible
sudo ufw allow 2083/tcp
sudo ufw allow from 203.0.113.10 to any port 2083 proto tcp

Windows:

New-NetFirewallRule -DisplayName "RADSEC" -Direction Inbound -Protocol TCP -LocalPort 2083 -RemoteAddress 203.0.113.10 -Action Allow

Certificate Chain Issues:

# ca-chain.crt must contain the intermediate(s) and the root that issued server.crt
openssl verify -CAfile ca-chain.crt server.crt
# Should output: server.crt: OK
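The scheduled expiry check recommended earlier and the chain check above fit naturally into one script that is run before every restart and daily from cron. The following is an added example, not part of Mideye Server or its documentation. It assumes OpenSSL and GNU date (for date -d) on the host, the PEM paths from the RADSEC configuration above, and a CA bundle at /etc/ssl/certs/mideye-ca-chain.crt, which is a placeholder path.

```shell
#!/usr/bin/env bash
# Added example (not Mideye's own tooling): pre-restart sanity checks for the
# RADSEC PEM files, plus an expiry check suitable for a daily cron job.
# Assumes: openssl in PATH and GNU date (-d). Paths in the usage line below
# are placeholders.
set -u

# Print whole days until the first certificate in $1 expires (negative = expired).
days_until_expiry() {
    local not_after exp_s now_s
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 2
    not_after=${not_after#notAfter=}
    exp_s=$(date -u -d "$not_after" +%s) || return 2
    now_s=$(date -u +%s)
    echo $(( (exp_s - now_s) / 86400 ))
}

# Return 0 if the private key in $2 belongs to the leaf certificate in $1.
# Compares the public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if $1 starts with a certificate block. A TLS server must send its own
# certificate first; a chain file that starts with the CA is a common cause of
# "Certificate validation failed" on RADSEC clients.
leaf_first() {
    head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Return 0 if the leaf in $2 chains to a root in the CA bundle $1. The chain file
# is offered as untrusted intermediates, which is how a TLS client sees it.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Run every check on cert=$1 key=$2 ca=$3; warn when fewer than $4 days remain.
# Prints one line per finding (for cron mail or syslog); returns 0 only if all pass.
check_radsec_pem() {
    local cert="$1" key="$2" ca="$3" warn_days="${4:-30}" days status=0
    leaf_first "$cert"              || { echo "FAIL: $cert does not start with the server certificate"; status=1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; status=1; }
    chain_ok "$ca" "$cert"          || { echo "FAIL: $cert does not chain to a root in $ca"; status=1; }
    days=$(days_until_expiry "$cert") || { echo "FAIL: cannot read notAfter from $cert"; return 1; }
    if [ "$days" -lt "$warn_days" ]; then
        echo "WARN: $cert expires in $days day(s)"
        status=1
    fi
    return "$status"
}

# Stand-alone use:
#   check_radsec_pem.sh /opt/radsec/server/cert.pem /opt/radsec/server/key.pem \
#       /etc/ssl/certs/mideye-ca-chain.crt 30
if [ "$#" -ge 3 ]; then
    check_radsec_pem "$@"
fi
```

A cron entry such as `0 7 * * * /usr/local/bin/check_radsec_pem.sh /opt/radsec/server/cert.pem /opt/radsec/server/key.pem /etc/ssl/certs/mideye-ca-chain.crt 30` produces output, and therefore mail, only when something is wrong. If you only need the expiry part, `openssl x509 -in /opt/radsec/server/cert.pem -noout -checkend 2592000` exits non-zero when fewer than 30 days (2592000 seconds) remain.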

  1. Use CA-signed certificates in production — Not self-signed
  2. Manage certificates via the web interface — Safer than command-line operations
  3. Monitor certificate expiration — Renew before expiry
  4. Use strong key sizes — Minimum 2048-bit RSA or 256-bit ECC
  5. Include full certificate chain — Server, intermediate, root CA
  6. Secure private keys — Proper file permissions, never expose
  7. Back up certificates — Encrypted backup in secure location
  8. Test certificates before deployment — Verify on test system first
  9. Document certificate configuration — Where, what, when it expires

If certificate/RADSEC issues persist:

  1. Collect diagnostic information:

    • Certificate details from the Certificate Management page
    • RADSEC connection test results
    • Error messages from logs
  2. Contact Mideye Support with:

    • Certificate details (never share private keys)
    • RADSEC configuration
    • Error messages
    • TLS test results