[strongSwan] Intermediate CAs unknown to peer?

Shea Levy shea at shealevy.com
Wed Oct 1 03:46:34 CEST 2014


Hi Andreas,

I'm getting the following error on startup when trying to use pkcs12:

> Oct 01 03:16:13 machine2 charon[2576]: 00[LIB] building CRED_CONTAINER - PKCS12 failed, tried 2 builders
> Oct 01 03:16:13 machine2 charon[2576]: 00[CFG]   loading credentials from '/etc/x509/strongswan.p12' failed

strace shows the file being opened and mmapped just before this failure.

Config files: https://gist.github.com/shlevy/cab44a79c200140c5647

~Shea

On Thu, Sep 25, 2014 at 08:43:06AM +0200, Andreas Steffen wrote:
> Hi Shea,
> 
> concatenating multiple certificates into a single PEM file is not
> supported by strongSwan. You could import the user certificate,
> the corresponding private key and the trust chain via a key file
> in PKCS#12 format as in the following example:
> 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets
> 
> The user certificate and any intermediate certificates will be
> sent to the peer via the IKE protocol.
> 
> In ipsec.conf you don't need a leftcert parameter. Just indicate
> leftid so that the matching user certificate can be found.
> 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf
> 
> Best regards
> 
> Andreas
> 
> On 09/24/2014 10:14 PM, Shea Levy wrote:
> > Hi all,
> > 
> > I have the setup described at [1] working currently.
> > shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> > cert in /etc/x509 is signed by and concatenated with
> > shea-intermediate.crt. If I remove the 'ca inter' section from each
> > config, I get:
> > 
> >> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, E=it-services at zalora.com"
> > 
> > Is there any way to get this to work without each machine needing to
> > know about the intermediate CAs that may be used by the others? Since
> > the intermediate CA is signed by the root CA and bundled with the
> > end-user CA, it seems like it shouldn't be necessary...
> > 
> > ~Shea
> > 
> > [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
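The two failures in this thread, the "no issuer certificate found" error and the PKCS#12 load failure, both come down to what the bundle carries and which chain the peer can build from it. The script below is an added example, not code from the thread or from strongSwan: it builds a toy root -> intermediate -> end-entity PKI with openssl, packs key, end-entity certificate and intermediate into one PKCS#12 file as Andreas suggests, and checks that a peer trusting only the root verifies the certificate once the intermediate is supplied alongside it. All subjects, file names and the password are constructed, and the PBE choice is an assumption about which encodings older pkcs12 plugins accept.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: build a toy
# root -> intermediate -> end-entity PKI with openssl, pack the end-entity
# key, its cert and the intermediate into one PKCS#12 file as Andreas
# suggests, then check that a peer trusting only the root verifies the cert
# once the intermediate arrives with it. All names and the password "demo"
# are constructed for this demo.
set -eu

# Create keys and certs (root, inter, ee) under directory $1.
make_pki() {
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/ee.ext"
    for n in root inter ee; do   # one key and CSR per level
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/ee.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/ee.ext" -out "$d/ee.crt" 2>/dev/null
}

# Bundle key + end-entity cert + intermediate into $1/machine.p12. PBE-SHA1-3DES
# selects the older PBES1 encoding; assumption: older pkcs12 plugins accept it
# whereas the newer AES-based defaults of recent openssl releases may not load.
make_p12() {
    openssl pkcs12 -export -inkey "$1/ee.key" -in "$1/ee.crt" -certfile "$1/inter.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:demo -out "$1/machine.p12"
}

# Print how many certificates the bundle carries (end entity + intermediate = 2).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Peer side, trusting only root.crt: return 0 only if ee.crt verifies when the
# bundled intermediate is supplied as an untrusted chain cert (what the peer
# receives over IKE) and fails without it, i.e. the thread's "no issuer
# certificate found" situation.
peer_verifies_with_root_only() {
    openssl pkcs12 -in "$1/machine.p12" -nokeys -passin pass:demo 2>/dev/null >"$1/received.pem"
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/received.pem" "$1/ee.crt" >/dev/null 2>&1 || return 1
    ! openssl verify -CAfile "$1/root.crt" "$1/ee.crt" >/dev/null 2>&1
}
```

Source the file, then run `make_pki`, `make_p12` and `peer_verifies_with_root_only` on a scratch directory; `count_p12_certs` on the resulting `machine.p12` reports how many certificates the bundle will hand to charon.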