[strongSwan] No capable fetcher found

Claude Tompers claude.tompers at restena.lu
Thu Jun 24 13:07:08 CEST 2010


Yes, make clean has been executed before recompiling.

Explicitly loading the curl module did not help either :

Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
...
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected

regards,
Claude


On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
> Here a follow up comment:
> 
> If you are *not* using an explicit pluto.load statement then
> do not forget to execute
> 
>    make clean
> 
> before recompiling strongSwan with --enable-curl, since otherwise
> the default pluto plugin load list will not be updated.
> 
> Andreas
> 
> On 24.06.2010 12:54, Andreas Steffen wrote:
> > Hi Claude,
> >
> > if you are using an explicit pluto.load statement in strongswan.conf
> > then you must add curl to the plugin list.
> >
> > Andreas
> >
> > On 24.06.2010 12:52, Claude Tompers wrote:
> >> Thanks for your fast answer.
> >>
> >> I did recompile, the error message is now slightly different, but the
> >> outcome is the same. :(
> >>
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
> >> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010
> >> is not newer - existing crl from May 21 08:12:40 2010 retained
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
> >> 'VPNCA-crl.pem' ...
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from
> >> VPNCA-crl.pem, no capable fetcher found
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
> >> Jun 24 12:47:48 vpn6-test pluto[1705]: "cisco-vpn"[1]
> >> 192.168.1.180:64053 #1: X.509 certificate rejected
> >>
> >> regards,
> >> Claude
> >>
> >> On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
> >>> Hmmm, it seems that the curl plugin is required to
> >>> refetch CRLs from the local file system. Compile
> >>> strongSwan with
> >>>
> >>> ./configure --enable-curl
> >>>
> >>> Regards
> >>>
> >>> Andreas
> >>>
> >>> On 24.06.2010 11:51, Claude Tompers wrote:
> >>>> Hello,
> >>>>
> >>>> My strongswan server is unable to refetch crls.
> >>>> When the server starts, it reads the crl correctly, but if a client
> >>>> tries to connect, the refetch fails and so the connection fails.
> >>>>
> >>>> Here's the log :
> >>>>
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
> >>>> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
> >>>> file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher
> >>>> found
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
> >>>> 'VPNCA-crl.pem' ...
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
> >>>> VPNCA-crl.pem, no capable fetcher found
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
> >>>> Jun 24 11:46:46 vpn6-test pluto[13321]: "cisco-vpn"[1]
> >>>> 192.168.1.180:59262 #1: X.509 certificate rejected
> >>>>
> >>>> The permissions on the crl are :
> >>>> -rw------- 1 root root 1064 May 21 08:13
> >>>> /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
> >>>>
> >>>> Any ideas ?
> >>>>
> >>>> thanks very much
> >>>> Claude
> >
> > ======================================================================
> > Andreas Steffen andreas.steffen at strongswan.org
> > strongSwan - the Linux VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
> 
> 
> 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
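
An added example, not part of the original thread and not strongSwan code: a small Python triage over the pluto log lines from the message above. For each CRL URI it records whether pluto reported "no capable fetcher found", next to the URI's scheme and the loaded plugin list. It assumes one unwrapped syslog entry per line; `triage` and the report keys are names chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Log lines copied from the message above; one syslog entry per line (assumed).
SAMPLE_LOG = """\
Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected
"""

PREFIX = r"pluto\[\d+\]:\s+"
PLUGINS = re.compile(PREFIX + r"loaded plugins: (.+)$")
FETCH = re.compile(PREFIX + r"fetching crl from '([^']+)'")
NO_FETCHER = re.compile(PREFIX + r"unable to fetch from (.+?), no capable fetcher found")
REJECTED = re.compile(PREFIX + r"(.+): X\.509 certificate rejected")


def triage(log_text):
    """Collect loaded plugins, per-URI CRL fetch outcome and rejected peers."""
    report = {"plugins": [], "fetches": {}, "rejected": []}

    def entry(uri):
        # scheme None: the URI carries no scheme, e.g. a bare file name
        scheme = urlsplit(uri).scheme or None
        return report["fetches"].setdefault(uri, {"scheme": scheme, "no_fetcher": False})

    for line in log_text.splitlines():
        if m := PLUGINS.search(line):
            report["plugins"] = m.group(1).split()
        elif m := FETCH.search(line):
            entry(m.group(1))
        elif m := NO_FETCHER.search(line):
            entry(m.group(1))["no_fetcher"] = True
        elif m := REJECTED.search(line):
            report["rejected"].append(m.group(1))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("curl loaded:", "curl" in result["plugins"])
    for uri, info in result["fetches"].items():
        print(uri, info)
    print("rejected:", result["rejected"])
```
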