[strongSwan] Can't load certificates and keys via symlink
Jose Novacho
jnovacho at yahoo.com
Thu Feb 9 16:55:23 CET 2017
Hi,
I have set up strongSwan VPN on my Ubuntu 16.04 server. I'm using
Let's Encrypt certificates, and the ipsec daemon does not want to load the
certificates from a symbolic link.
The setup is as follows:
Contents of relevant directories:
root@Trinity:/etc/ipsec.d/certs# ls -la
celkem 8
drwxr-xr-x 2 root root 4096 úno 9 16:08 .
drwxr-xr-x 12 root root 4096 úno 8 20:36 ..
lrwxrwxrwx 1 root root 54 úno 9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
root@Trinity:/etc/letsencrypt/live/trinity.ingames.cz# ls -la
celkem 8
drwxr-xr-x 2 root root 4096 úno 6 20:51 .
drwx------ 3 root root 4096 úno 6 20:51 ..
lrwxrwxrwx 1 root root 42 úno 6 20:51 cert.pem -> ../../archive/trinity.ingames.cz/cert1.pem
lrwxrwxrwx 1 root root 47 úno 6 20:51 fullchain.pem -> ../../archive/trinity.ingames.cz/fullchain1.pem
lrwxrwxrwx 1 root root 43 úno 6 20:51 chain.pem -> ../../archive/trinity.ingames.cz/chain1.pem
lrwxrwxrwx 1 root root 45 úno 6 20:51 privkey.pem -> ../../archive/trinity.ingames.cz/privkey1.pem
root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
celkem 24
drwxr-xr-x 2 root root 4096 úno 6 20:51 .
drwx------ 3 root root 4096 úno 6 20:51 ..
-rw-r--r-- 1 root root 1805 úno 6 20:51 cert1.pem
-rw-r--r-- 1 root root 3452 úno 6 20:51 fullchain1.pem
-rw-r--r-- 1 root root 1647 úno 6 20:51 chain1.pem
-rw-r--r-- 1 root root 1704 úno 6 20:51 privkey1.pem
-------------------------------------
ipsec.conf configuration file
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=<plugins>
    esp=<plugins>
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
    authby=pubkey
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=fullchain.pem <------- my symbolic link
    leftsendcert=always
    right=%any
    rightsourceip=192.168.0.110-192.168.0.115
    rightdns=192.168.0.253
    leftupdown=/home/services/.vpnkeepalive/pluto.sh

conn IPSec-eap
    keyexchange=ikev2
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=start

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=start
If I launch the ipsec service I get the following in the logs:

05[CFG] adding virtual IP address pool 192.168.0.110-192.168.0.115
05[LIB] opening '/etc/ipsec.d/certs/fullchain.pem' failed: Permission denied <------ Permission denied opening the symbolic link
05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
05[CFG] loading certificate from 'fullchain.pem' failed

My strongSwan version info:
root@Trinity:/$ ipsec --version
Linux strongSwan U5.3.5/K4.8.0-32-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

If I replace the link with the actual file, everything works fine. All
actions presented were done as root.
Is there a way to use symlinks instead of actual files?
Thanks,
JN
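Since every command in the post was run as root, a filesystem-level check like the one below (added here, not part of the original message or of strongSwan) separates plain POSIX problems (a dangling hop, an unsearchable directory, an unreadable target) from a denial imposed by some other access control: if every hop passes as root and charon still logs "Permission denied", file permissions are not the cause. `resolve_chain` and `check_cert_path` are assumed helper names; the script relies only on `readlink`, `dirname` and the POSIX `test` builtin.

```shell
#!/bin/sh
# Added example (not from the original post): follow a certificate path
# through every symlink hop, the way the kernel does when charon opens it,
# then check POSIX-level access for the current user.

# Print the final non-symlink path that $1 resolves to. Hops are left
# unnormalised so a relative target like ../archive/x.pem stays visible.
resolve_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        target=$(readlink "$path") || return 2
        case $target in
            /*) path=$target ;;                       # absolute link target
            *)  path=$(dirname "$path")/$target ;;    # relative to the link's directory
        esac
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 3                # symlink loop guard
    done
    printf '%s\n' "$path"
}

# Resolve $1, then verify that every directory on the way is searchable (x bit)
# and that the final file is readable. Returns 0 only if this user could open it.
check_cert_path() {
    final=$(resolve_chain "$1") || { echo "cannot resolve $1" >&2; return 2; }
    dir=$(dirname "$final")
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        [ -x "$dir" ] || { echo "no search permission on $dir" >&2; return 1; }
        dir=$(dirname "$dir")
    done
    [ -r "$final" ] || { echo "not readable: $final" >&2; return 1; }
    printf '%s\n' "$final"
}

# Usage: check_cert_path /etc/ipsec.d/certs/fullchain.pem
```

On Ubuntu, one such non-POSIX control is the AppArmor profile the strongswan package ships for charon; its denials appear in the kernel audit log rather than in the charon log.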