[strongSwan] No capable fetcher found

Claude Tompers claude.tompers at restena.lu
Thu Jun 24 13:43:16 CEST 2010


Shame on me!
I completely forgot that I set the validity period of the crl to 30 days.
As I'm only using tinyca for the moment, the crls are not regenerated automatically.
My fault, sorry, it works now again.

thanks very much for your help

kind regards,
Claude

On Thursday 24 June 2010 13:19:30 Andreas Steffen wrote:
> On closer inspection I see that the crl has been successfully
> fetched but that the information is stale:
> 
> : fetching crl from
>    'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> : crl from May 21 08:12:40 2010 is not newer - existing crl from
>    May 21 08:12:40 2010 retained
> 
> pluto then probably tries to evaluate a CRL distribution point (CDP)
> extracted from the certificate
> 
> : fetching crl from 'VPNCA-crl.pem' ...
> : unable to fetch from VPNCA-crl.pem, no capable fetcher found
> 
> Since 'VPNCA-crl.pem' is not a valid absolute URI the error
> 
> : unable to fetch from VPNCA-crl.pem, no capable fetcher found
> 
> is returned. Currently strongSwan supports only CDPs of
> the form http://<server>/<path>/<crl file>
> 
> but no relative CDPs of the form <crl file> where the location
> is defined in a separate AuthorityInfoAccess certificate extension.
> If you would like to have this feature supported in a future
> strongSwan release, please send me your certificate so that
> I can analyze it.
> 
> Regards
> 
> Andreas
> 
> On 24.06.2010 13:07, Claude Tompers wrote:
> > Yes, make clean has been executed before recompiling,
> >
> > Explicitly loading the curl module did not help either:
> >
> > Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
> > ...
> > Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> > Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
> > Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
> > Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
> > Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
> > Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected
> >
> > regards,
> > Claude
> >
> >
> > On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
> >> Here a follow up comment:
> >>
> >> If you are *not* using an explicit pluto.load statement then
> >> do not forget to execute
> >>
> >>     make clean
> >>
> >> before recompiling strongSwan with --enable-curl, since otherwise
> >> the default pluto plugin load list will not be updated.
> >>
> >> Andreas
> >>
> >> On 24.06.2010 12:54, Andreas Steffen wrote:
> >>> Hi Claude,
> >>>
> >>> if you are using an explicit pluto.load statement in strongswan.conf
> >>> then you must add curl to the plugin list.
> >>>
> >>> Andreas
> >>>
> >>> On 24.06.2010 12:52, Claude Tompers wrote:
> >>>> Thanks for your fast answer.
> >>>>
> >>>> I did recompile, the error message is now slightly different, but the
> >>>> outcome is the same. :(
> >>>>
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
> >>>> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010
> >>>> is not newer - existing crl from May 21 08:12:40 2010 retained
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
> >>>> 'VPNCA-crl.pem' ...
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from
> >>>> VPNCA-crl.pem, no capable fetcher found
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
> >>>> Jun 24 12:47:48 vpn6-test pluto[1705]: "cisco-vpn"[1]
> >>>> 192.168.1.180:64053 #1: X.509 certificate rejected
> >>>>
> >>>> regards,
> >>>> Claude
> >>>>
> >>>> On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
> >>>>> Hmmm, it seems that the curl plugin is required to
> >>>>> refetch CRLs from the local file system. Compile
> >>>>> strongSwan with
> >>>>>
> >>>>> ./configure --enable-curl
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>> Andreas
> >>>>>
> >>>>> On 24.06.2010 11:51, Claude Tompers wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> My strongswan server is unable to refetch crls.
> >>>>>> When the server starts, it reads the crl correctly, but if a client
> >>>>>> tries to connect, the refetch fails and so the connection fails.
> >>>>>>
> >>>>>> Here's the log:
> >>>>>>
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
> >>>>>> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
> >>>>>> file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher
> >>>>>> found
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
> >>>>>> 'VPNCA-crl.pem' ...
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
> >>>>>> VPNCA-crl.pem, no capable fetcher found
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
> >>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: "cisco-vpn"[1]
> >>>>>> 192.168.1.180:59262 #1: X.509 certificate rejected
> >>>>>>
> >>>>>> The permissions on the crl are:
> >>>>>> -rw------- 1 root root 1064 May 21 08:13
> >>>>>> /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
> >>>>>>
> >>>>>> Any ideas?
> >>>>>>
> >>>>>> thanks very much
> >>>>>> Claude
> >>>
> >>> ======================================================================
> >>> Andreas Steffen andreas.steffen at strongswan.org
> >>> strongSwan - the Linux VPN Solution! www.strongswan.org
> >>> Institute for Internet Technologies and Applications
> >>> University of Applied Sciences Rapperswil
> >>> CH-8640 Rapperswil (Switzerland)
> >>> ===========================================================[ITA-HSR]==
> >>>
> >>
> >>
> >>
> >
> 
> 
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
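The thread above shows three distinct causes behind the same "crl fetching failed" / "X.509 certificate rejected" outcome: a missing fetcher plugin for an absolute file:// URI, a relative CRL distribution point that pluto cannot resolve, and a CRL that has simply expired so the refetch returns nothing newer. The following triage script is an added example written for this page; it is not code from the thread or from strongSwan. It walks pluto log lines, separates those three conditions and maps each to the remedy given in the thread. The sample log lines are reconstructed from the messages quoted above (unwrapped onto single lines), the regular expressions are derived from the message texts shown there, and the set of fetchable URI schemes (http and file) is an assumption taken from Andreas's remarks, not from strongSwan documentation.

```python
"""Triage pluto CRL-fetch failures from log lines (added example, not strongSwan code)."""
import re
from urllib.parse import urlparse

# Assumption from the thread: absolute http:// CDPs are supported, and file:// fetches
# work once the curl plugin is loaded. Anything else is reported as an unknown scheme.
FETCHABLE_SCHEMES = {"http", "file"}

# Patterns built from the pluto messages quoted in the thread.
FETCH_RE = re.compile(r"fetching crl from '(?P<uri>[^']*)'")
NO_FETCHER_RE = re.compile(r"unable to fetch from (?P<uri>\S+), no capable fetcher found")
STALE_RE = re.compile(r"crl from (?P<new>.+?) is not newer - existing crl from (?P<old>.+?) retained")
REJECT_RE = re.compile(r"X\.509 certificate rejected")


def classify_uri(uri):
    """'relative' if the CDP has no scheme, 'absolute' if pluto could fetch it, else 'unknown-scheme'."""
    scheme = urlparse(uri).scheme.lower()
    if not scheme:
        return "relative"
    return "absolute" if scheme in FETCHABLE_SCHEMES else "unknown-scheme"


def triage(log_lines):
    """Collect fetch attempts, fetcher failures, staleness and rejection from pluto log lines."""
    findings = {
        "fetch_attempts": [],   # every URI pluto tried
        "fetcher_missing": [],  # absolute URIs with no plugin able to fetch them
        "relative_cdp": [],     # bare file names extracted from the certificate's CDP
        "stale": False,         # refetched CRL was not newer than the cached one
        "rejected": False,      # the peer certificate was finally rejected
    }
    for line in log_lines:
        m = FETCH_RE.search(line)
        if m:
            findings["fetch_attempts"].append(m.group("uri"))
            continue
        m = NO_FETCHER_RE.search(line)
        if m:
            uri = m.group("uri")
            bucket = "relative_cdp" if classify_uri(uri) == "relative" else "fetcher_missing"
            findings[bucket].append(uri)
            continue
        if STALE_RE.search(line):
            findings["stale"] = True
        if REJECT_RE.search(line):
            findings["rejected"] = True
    return findings


def diagnose(findings):
    """Map findings to the remedies the thread arrived at."""
    hints = []
    if findings["fetcher_missing"]:
        hints.append("no fetcher for an absolute URI: build with --enable-curl, run make clean "
                     "first, and add curl to pluto.load if you use an explicit load list")
    if findings["relative_cdp"]:
        hints.append("certificate carries a relative CDP: strongSwan needs an absolute "
                     "http://<server>/<path>/<crl file> distribution point")
    if findings["stale"] and findings["rejected"]:
        hints.append("refetched CRL is not newer yet the certificate was rejected: the cached "
                     "CRL has likely passed its validity period, regenerate it at the CA")
    return hints


# Constructed sample logs, reconstructed from the thread's messages and unwrapped.
LOG_NO_CURL = [
    "Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...",
    "Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher found",
    "Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed",
    "Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from 'VPNCA-crl.pem' ...",
    "Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from VPNCA-crl.pem, no capable fetcher found",
    "Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed",
    'Jun 24 11:46:46 vpn6-test pluto[13321]: "cisco-vpn"[1] 192.168.1.180:59262 #1: X.509 certificate rejected',
]

LOG_STALE_AND_RELATIVE = [
    "Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr",
    "Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...",
    "Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained",
    "Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...",
    "Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found",
    "Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed",
    'Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected',
]

if __name__ == "__main__":
    for name, log in (("before --enable-curl", LOG_NO_CURL), ("after --enable-curl", LOG_STALE_AND_RELATIVE)):
        print(name)
        for hint in diagnose(triage(log)):
            print("  -", hint)
```

Feed it the pluto lines from syslog (for example `grep pluto /var/log/auth.log | python3 triage.py` with a small stdin wrapper) and it will tell you which of the three conditions you are looking at; the "is not newer" line on its own is harmless, it only becomes a finding when the certificate is rejected in the same run, which is exactly the expired-CRL case that closed this thread.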