[strongSwan] Intermediate CAs unknown to peer?

Shea Levy shea at shealevy.com
Wed Oct 1 21:08:59 CEST 2014


Got it, turned out to be the result of a cert getting corrupted.

On Tue, Sep 30, 2014 at 09:46:34PM -0400, Shea Levy wrote:
> Hi Andreas,
> 
> I'm getting the following error on startup when trying to use pkcs12:
> 
> > Oct 01 03:16:13 machine2 charon[2576]: 00[LIB] building CRED_CONTAINER - PKCS12 failed, tried 2 builders
> > Oct 01 03:16:13 machine2 charon[2576]: 00[CFG]   loading credentials from '/etc/x509/strongswan.p12' failed
> 
> strace shows the file being opened and mmapped just before this failure.
> 
> Config files: https://gist.github.com/shlevy/cab44a79c200140c5647
> 
> ~Shea
> 
> On Thu, Sep 25, 2014 at 08:43:06AM +0200, Andreas Steffen wrote:
> > Hi Shea,
> > 
> > concatenating multiple certificates into a single PEM file is not
> > supported by strongSwan. You could import the user certificate,
> > the corresponding private key and the trust chain via a key file
> > in PKCS#12 format as in the following example:
> > 
> > http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets
> > 
> > The user certificate and any intermediate certificates will be
> > sent to the peer via the IKE protocol.
> > 
> > In ipsec.conf you don't need a leftcert parameter. Just indicate
> > leftid so that the matching user certificate can be found.
> > 
> > http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf
> > 
> > Best regards
> > 
> > Andreas
> > 
> > On 09/24/2014 10:14 PM, Shea Levy wrote:
> > > Hi all,
> > > 
> > > I have the setup described at [1] working currently.
> > > shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> > > cert in /etc/x509 is signed by and concatenated with
> > > shea-intermediate.crt. If I remove the 'ca inter' section from each
> > > config, I get:
> > > 
> > > > no issuer certificate found for "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79, E=it-services at zalora.com"
> > > 
> > > Is there any way to get this to work without each machine needing to
> > > know about the intermediate cas that may be used by the others? Since
> > > the intermediate ca is signed by the root ca and bundled with the
> > > end-user ca, it seems like it shouldn't be necessary...
> > > 
> > > ~Shea
> > > 
> > > [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc
> > 
> > ======================================================================
> > Andreas Steffen                         andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> > 
> 
> 
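The PKCS#12 route Andreas describes, plus the pre-flight check that would have caught the corrupted container behind the "PKCS12 failed" error, as an added shell example (not code from the thread or from strongSwan). It assumes openssl on the host, placeholder file names and passphrase, and strongSwan's `: P12 <file> <passphrase>` ipsec.secrets syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan. File names
# and the passphrase are placeholders.
set -eu

# Bundle the host certificate, its private key and the intermediate CA(s)
# into one PKCS#12 file; strongSwan sends the host cert and the bundled
# intermediates over IKE, so the peer only has to trust the root CA.
build_p12() {
    host_crt=$1 host_key=$2 chain_pem=$3 out_p12=$4 pass=$5
    openssl pkcs12 -export -in "$host_crt" -inkey "$host_key" \
        -certfile "$chain_pem" -name host -out "$out_p12" \
        -passout "pass:$pass"
}

# Pre-flight parse. charon reports only "building CRED_CONTAINER - PKCS12
# failed" for a corrupted or truncated file, so check it with openssl first
# (the MAC over the container also catches a wrong passphrase).
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Number of certificates in the container (host cert plus intermediates).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Confirm the bundled chain really reaches the root the peer trusts:
# the host cert (the one carrying the key) is verified with the other
# certs as untrusted intermediates and only the root as trust anchor.
verify_p12_chain() {
    p12=$1 pass=$2 root_crt=$3 tmp=$(mktemp -d) rc=0
    openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" \
        -out "$tmp/host.pem" 2>/dev/null
    openssl pkcs12 -in "$p12" -nokeys -cacerts -passin "pass:$pass" \
        -out "$tmp/chain.pem" 2>/dev/null
    openssl verify -CAfile "$root_crt" -untrusted "$tmp/chain.pem" \
        "$tmp/host.pem" >/dev/null 2>&1 || rc=1
    rm -rf "$tmp"
    return $rc
}

# ipsec.secrets entry that loads the container (assumes strongSwan's
# ": P12 <file> <passphrase>" secret type).
p12_secrets_line() {
    printf ': P12 %s "%s"\n' "$1" "$2"
}
```

Run `check_p12` and `verify_p12_chain` against the file charon will load before restarting it; a corrupted container fails the first check, a missing intermediate fails the second.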

