[strongSwan] Can't load certificates and keys via symlink

Jose Novacho jnovacho at yahoo.com
Thu Feb 9 16:55:23 CET 2017


Hi,
I have set up a strongSwan VPN on my Ubuntu 16.04 server. I'm using 
Let's Encrypt certificates, and the ipsec daemon does not want to load the 
certificates from a symbolic link.

The setup is as follows:

Contents of relevant directories:

root@Trinity:/etc/ipsec.d/certs# ls -la
celkem 8
drwxr-xr-x  2 root root 4096 úno  9 16:08 .
drwxr-xr-x 12 root root 4096 úno  8 20:36 ..
lrwxrwxrwx  1 root root   54 úno  9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem

root@Trinity:/etc/letsencrypt/live/trinity.ingames.cz# ls -la
celkem 8
drwxr-xr-x 2 root root 4096 úno  6 20:51 .
drwx------ 3 root root 4096 úno  6 20:51 ..
lrwxrwxrwx 1 root root   42 úno  6 20:51 cert.pem -> ../../archive/trinity.ingames.cz/cert1.pem
lrwxrwxrwx 1 root root   47 úno  6 20:51 fullchain.pem -> ../../archive/trinity.ingames.cz/fullchain1.pem
lrwxrwxrwx 1 root root   43 úno  6 20:51 chain.pem -> ../../archive/trinity.ingames.cz/chain1.pem
lrwxrwxrwx 1 root root   45 úno  6 20:51 privkey.pem -> ../../archive/trinity.ingames.cz/privkey1.pem

root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
celkem 24
drwxr-xr-x 2 root root 4096 úno  6 20:51 .
drwx------ 3 root root 4096 úno  6 20:51 ..
-rw-r--r-- 1 root root 1805 úno  6 20:51 cert1.pem
-rw-r--r-- 1 root root 3452 úno  6 20:51 fullchain1.pem
-rw-r--r-- 1 root root 1647 úno  6 20:51 chain1.pem
-rw-r--r-- 1 root root 1704 úno  6 20:51 privkey1.pem

-------------------------------------
ipsec.conf configuration file

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=<plugins>
    esp=<plugins>
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
    authby=pubkey
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=fullchain.pem    <------- my symbolic link
    leftsendcert=always
    right=%any
    rightsourceip=192.168.0.110-192.168.0.115
    rightdns=192.168.0.253
    leftupdown=/home/services/.vpnkeepalive/pluto.sh

conn IPSec-eap
    keyexchange=ikev2
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=start

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=start

If I launch the ipsec service I get the following in the logs:

05[CFG] adding virtual IP address pool 192.168.0.110-192.168.0.115
05[LIB]   opening '/etc/ipsec.d/certs/fullchain.pem' failed: Permission denied            <------ Permission denied opening the symbolic link
05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
05[CFG]   loading certificate from 'fullchain.pem' failed

My strongSwan version info:

root@Trinity:/$ ipsec --version
Linux strongSwan U5.3.5/K4.8.0-32-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

If I replace the link with the actual file, everything works fine. All 
actions presented were done as root.

Is there a way to use symlinks instead of actual files?

Thanks,
JN
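An added diagnostic for the symptom described in the post (not from this thread or the strongSwan project): it walks a certificate symlink chain like the one in the listings hop by hop, reports the canonical target, and checks whether the calling shell can open it; the directory layout and host name are constructed to mirror the post. It goes one step beyond the post in its closing comment: when root's shell can read the target but the daemon cannot, the daemon is more confined than the shell, which on Ubuntu is the AppArmor profile for charon (an assumption about this system, not something the thread states).

```shell
#!/bin/sh
# Added diagnostic (not from the thread): walk a certificate symlink chain
# hop by hop, then test whether the final target opens. A constructed layout
# mirroring the post is built under mktemp so the script runs anywhere.

# Print each hop to stderr and the canonical final path to stdout.
resolve_chain() {
    p=$1; hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1)); [ "$hops" -le 40 ] || { echo "loop at $p" >&2; return 1; }
        target=$(readlink "$p")
        printf 'hop: %s -> %s\n' "$p" "$target" >&2
        case $target in
            /*) p=$target ;;                    # absolute link
            *)  p=$(dirname "$p")/$target ;;    # relative to the link's directory
        esac
    done
    [ -e "$p" ] || { echo "dangling: $p" >&2; return 1; }
    printf '%s/%s\n' "$(cd "$(dirname "$p")" && pwd -P)" "$(basename "$p")"
}

# Exit 0 when the calling process can open the file for reading.
check_readable() { cat -- "$1" >/dev/null 2>&1; }

# Constructed layout: ipsec.d/certs -> letsencrypt/live -> ../../archive
build_sample_chain() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 1
    le=$root/etc/letsencrypt
    mkdir -p "$root/etc/ipsec.d/certs" "$le/live/trinity.ingames.cz" "$le/archive/trinity.ingames.cz"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' '-----END CERTIFICATE-----' \
        > "$le/archive/trinity.ingames.cz/fullchain1.pem"
    ln -s ../../archive/trinity.ingames.cz/fullchain1.pem "$le/live/trinity.ingames.cz/fullchain.pem"
    ln -s "$le/live/trinity.ingames.cz/fullchain.pem" "$root/etc/ipsec.d/certs/fullchain.pem"
    printf '%s\n' "$root"
}

root=$(build_sample_chain)
final=$(resolve_chain "$root/etc/ipsec.d/certs/fullchain.pem")
if check_readable "$final"; then
    echo "this shell can read $final"
else
    echo "cannot read $final"
fi
# If root's shell reads the target but charon still logs "Permission denied",
# the daemon is more confined than the shell: on Ubuntu charon runs under an
# AppArmor profile (assumption: /etc/apparmor.d/usr.lib.ipsec.charon) that
# permits /etc/ipsec.d/** but not arbitrary paths such as /etc/letsencrypt/**;
# denials are logged by the kernel, e.g.  dmesg | grep -i apparmor
rm -rf "$root"
```

Run it on the real box by calling resolve_chain and check_readable against /etc/ipsec.d/certs/fullchain.pem instead of the constructed tree; a readable target together with the daemon's denial is the signal to inspect the kernel log.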