[strongSwan] Can't load certificates and keys via symlink

Noel Kuntze noel at familie-kuntze.de
Fri Feb 10 11:05:30 CET 2017


Am 10.02.2017 um 00:22 schrieb Jose Novacho:
> 
> if I replace the symbolic link with the actual file fullchain1.pem everything works as expected.
> 
> I have also replaced the link, so it points at the  /etc/letsencrypt//archive//trinity.ingames.cz/cert1.pem file. But that didn't help either. I'm still getting permission denied on the cert file.
> 
> Do you know which of the following LestEncrypt files is the correct one?
> 
> /root at Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
> celkem 24
> drwxr-xr-x 2 root root 4096 úno  6 20:51 .
> drwx------ 3 root root 4096 úno  6 20:51 ..
> -rw-r--r-- 1 root root 1805 úno  6 20:51 cert1.pem
> -rw-r--r-- 1 root root 3452 úno  6 20:51 fullchain1.pem
> -rw-r--r-- 1 root root 1647 úno  6 20:51 chain1.pem
> -rw-r--r-- 1 root root 1704 úno  6 20:51 privkey1.pem
> 
> / I'm not really sure how to use them for VPN otherwise.

1. What I mentioned is just an additonal failure that will occur, after charon read the certificate.

2. Your peer should have all the CA certificates that lie in the trust path from the root to its certificate. 
   If you make charon just load cert1.pem or fullchain1.pem, then it will only have its own certificate, but no CA certificate.

3. You need to split chain1.pem into seperate certificates and put them in ipsec.d/cacerts. The chain will likely not change any time soon.
   You need to make charon reload the certificate and the CA certificates (togetherwith purging old ones) when they are updated.
   You could also script something with the letsencrypt client. I use acmetool and did something similiar[1] for my webserver setup.

4. Public CAs are not suitable to authenticate VPN peers, because the network that is accessed using the VPN is private, 
   not public. You're entrusting a public entity with controlling access to your private network.

[1] https://gist.github.com/Thermi/05f2a2903dee6c37bbbb31405ee082d2


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170210/62af3773/attachment.sig>


More information about the Users mailing list