
RADIUS certificates

Alexander Wolf edited this page Jan 27, 2025 · 4 revisions

User @docholliday-sc001 describes a fix in the resolution of issue #61:

CAVEAT: I just wanted to add a quick note about the WPA3 RADIUS - be sure to use a FQDN that isn't a wildcard for the cert. Windows 10 (and other) machines will not accept it and it will fail to connect unless the host name of the server is part of the cert.

I actually got it to work in RADIUS, with a nasty little hack in the newest 4.1.11 / 9.0.106 (and in the previous versions also).

FreeRADIUS loads the certs in /etc/freeradius/3.0/mods-enabled/ using the symlink for 'eap'. The target of that symlink is what the unifi config overwrites with its own path to the cert files. So, I nuked the symlink and dropped my own eap file (stored at /data/scripts/freeradius/eap for convenience/reinstall) in its place. I copied the original target, then modified a few sections:

```
# inside the eap { ... } section; the rest of tls-common is unchanged from the original target
tls-config tls-common {
  private_key_file = /data/ubios-cert/acme.sh/domain-name.us/domain-name.us.key
  certificate_file = /data/ubios-cert/acme.sh/domain-name.us/domain-name.us.cer
  ca_file = /data/ubios-cert/acme.sh/domain-name.us/ca.cer
  dh_file = ${certdir}/dh
  ca_path = ${cadir}
  fragment_size = 1344
  auto_chain = yes
}
```

and

```
# same cert paths for the alternate TLS config; remaining settings unchanged
tls-config tls-alt {
  private_key_file = /data/ubios-cert/acme.sh/domain-name.us/domain-name.us.key
  certificate_file = /data/ubios-cert/acme.sh/domain-name.us/domain-name.us.cer
  ca_file = /data/ubios-cert/acme.sh/domain-name.us/ca.cer
  dh_file = ${certdir}/dh
  ca_path = ${cadir}
}
```

Then, dropped a script into the on-boot.d directory to check on restart:

```sh
#!/bin/sh
# Runs from the on-boot.d directory at every boot: replace the symlink that
# the UniFi config manages with the custom eap module file kept under /data.
mda=/etc/freeradius/3.0/mods-available/eap

# If UniFi has recreated the symlink, remove it so the copy below takes its place
if [ -L "$mda" ]; then
    rm "$mda"
fi

# Install the custom eap file and stop the running FreeRADIUS so the next
# start picks up the new TLS configuration
if [ ! -e "$mda" ]; then
    cp /data/scripts/freeradius/eap "$mda"
    pkill -f freeradius
fi
```

And now my WPA3-Enterprise uses the Let's Encrypt cert directly for RADIUS (as well as wired RADIUS clients). As far as the original unifi crap goes, it thinks all is well with its own changes since it still changes the target file. Maybe that will give you an idea of what might work...
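As an added check, not part of the quoted comment or of this project's scripts: before pointing FreeRADIUS at a certificate, verify that it actually contains the RADIUS server's own FQDN, carries no wildcard name (the case the caveat above describes), and is not about to expire. The function below assumes `openssl` is available on the gateway; the certificate path and the FQDN `radius.domain-name.us` in the usage line are placeholders to adjust.

```shell
#!/bin/sh
# Added example: sanity-check the certificate FreeRADIUS will present for EAP.
# Assumes openssl is installed; all paths and names are placeholders.

# check_radius_cert CERT_FILE RADIUS_FQDN
# Returns 0 when the certificate is usable as a RADIUS server cert for
# RADIUS_FQDN, 1 otherwise; prints a line for each failed check.
check_radius_cert() {
    cert="$1"
    fqdn="$2"
    rc=0

    # 1. The file must be a readable PEM certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a readable PEM certificate"
        return 1
    fi

    # 2. Collect the DNS names the client will see: SAN entries plus the CN.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' \
           | tr ',' '\n' \
           | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    names=$(printf '%s\n%s\n' "$sans" "$cn" | sed '/^$/d')

    # 3. Wildcard names: Windows supplicants reject such a server cert.
    if printf '%s\n' "$names" | grep -q '^\*'; then
        echo "FAIL: certificate contains a wildcard name:"
        printf '%s\n' "$names" | grep '^\*'
        rc=1
    fi

    # 4. The server's own host name must appear literally in the cert.
    if ! printf '%s\n' "$names" | grep -qxF "$fqdn"; then
        echo "FAIL: $fqdn is not among the certificate names:" \
             "$(printf '%s\n' "$names" | tr '\n' ' ')"
        rc=1
    fi

    # 5. Not expired and not expiring within 7 days (604800 s), so a stale
    #    acme.sh renewal is caught before clients start failing.
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired or expires within 7 days"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert is usable for RADIUS as $fqdn"
    return "$rc"
}

# Usage on the gateway, with the paths from the config above (placeholders):
# check_radius_cert /data/ubios-cert/acme.sh/domain-name.us/domain-name.us.cer radius.domain-name.us
```

Run it from the on-boot script before copying the eap file, or by hand after each acme.sh renewal; a non-zero exit means the certificate would be rejected by the clients the caveat above describes, and FreeRADIUS should keep its previous configuration.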