[strongSwan] No private key found for 'C=CA ...........'

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 1 08:37:29 CEST 2013


Hi Farid,

the startup warning

> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

is intended for newbies like you who don't know what they are doing
when meddling around with the strongswan.conf load statement:

- The pkcs1 plugin is missing so your private key won't get parsed:

> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/lmu56Key.pem' failed

- The x509 plugin is missing so your certificates don't get parsed:

> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
> 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed

Just remove the load statement from strongswan.conf and you'll fare
much better!

Andreas

On 08/01/2013 04:35 AM, Farid Farid wrote:
> Thank you Martin for the hint.
>
> I added 'pem' in strongswan.conf (you can see strongswan.conf below),
> but I still get the same output. Please see the
> ipsec start --no-fork output right after strongswan.conf.
> This package is also installed: strongswan-mod-pem - 5.0.4-1
>
> Is there any other way to debug this to see why it is not loading the keys?
> 
> 
> 
> Appreciate your help.
> 
> Farid
> 
> 
> 
> 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>         # number of worker threads in charon
>         threads = 16
>         load = aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
>
>         plugins {
>
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
>
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database = mysql://user:password@localhost/database
>                 }
>         }
>
>         # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>         #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
> }
> ~
> 
> root@LMU8K:~# ipsec start --nofork
> Starting strongSwan 5.0.4 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
> 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/lmu56Key.pem' failed
> 00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
> 00[JOB] spawning 16 worker threads
> charon (2628) started after 80 ms
> 08[CFG] received stroke: add connection 'lmu56'
> 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> 08[CFG]   loading certificate from 'lmu56Cert.pem' failed
> 08[CFG] added configuration 'lmu56'
> 
> 
> 
> 
> ------------------------------------------------------------------------
> *From:* Martin Willi <martin at strongswan.org>
> *To:* Farid Farid <farid21657 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Sunday, July 28, 2013 12:19 AM
> *Subject:* Re: [strongSwan] No private key found for 'C=CA ...........'
> 
> Hi Farid,
> 
>> !! Your strongswan.conf contains manual plugin load options for charon.
>> !! This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 
> This warning pops up for a specific reason:
> 
>> 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
> 
> You didn't load the pem plugin, hence
> 
>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
>> 00[CFG]  loading private key from '/etc/ipsec.d/private/lmu55Key.pem' failed
> 
> loading a PEM encoded private key fails.
> 
> Regards
> Martin
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
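
Added example, not part of the original message and not strongSwan code: a small log checker that pairs each "building ... failed" line from the startup output quoted in this thread with the "loaded plugins" list and reports which of the plugins named in the thread (pem, pkcs1, x509) is absent. The names `NEEDED` and `diagnose` are hypothetical; treating `CRED_CERTIFICATE - ANY` like X509 and requiring pem for any path ending in `.pem` are assumptions.

```python
import re

# Plugin needed per failed builder, as stated in this thread: pkcs1 parses the
# RSA private key, x509 parses certificates. Mapping ANY to x509 is an assumption.
NEEDED = {
    ("CRED_PRIVATE_KEY", "RSA"): {"pkcs1"},
    ("CRED_CERTIFICATE", "X509"): {"x509"},
    ("CRED_CERTIFICATE", "ANY"): {"x509"},
}
BUILD_RE = re.compile(r"\[LIB\] building (CRED_\w+) - (\w+) failed, tried (\d+) builders")
LOAD_RE = re.compile(r"\[CFG\]\s+loading .+? from '([^']+)' failed")
PLUGINS_RE = re.compile(r"\[DMN\] loaded plugins: (.+)")

# Lines taken from the log quoted in the thread, with mail line wraps rejoined.
SAMPLE_LOG = """\
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/lmu56Key.pem' failed
00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
08[CFG]   loading certificate from 'lmu56Cert.pem' failed
"""

def diagnose(log_text):
    """Return (loaded_plugins, findings); each finding names the missing plugins."""
    lines = log_text.splitlines()
    loaded = set()
    for line in lines:
        m = PLUGINS_RE.search(line)
        if m:
            loaded = set(m.group(1).split())
    findings = []
    for i, line in enumerate(lines):
        m = BUILD_RE.search(line)
        if not m:
            continue
        cred, subtype, tried = m.group(1), m.group(2), int(m.group(3))
        # charon logs the affected file on the line after the builder failure
        lm = LOAD_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        path = lm.group(1) if lm else None
        needed = set(NEEDED.get((cred, subtype), set()))
        if path and path.endswith(".pem"):  # heuristic: PEM file needs pem plugin
            needed.add("pem")
        findings.append({"credential": cred, "type": subtype, "tried": tried,
                         "path": path, "missing": sorted(needed - loaded)})
    return loaded, findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG)[1]:
        print(f"{f['path']}: {f['credential']}/{f['type']} missing {f['missing']}")
```
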
