[strongSwan] Can't load certificates and keys via symlink

Jose Novacho jnovacho at yahoo.com
Fri Feb 10 12:17:19 CET 2017

It seems we are talking about two different things.

I have used the LetsEncrypt certificate to authenticate the server 
itself. Peers are using username and password using EAP, that's not an 

The problem is charon is refusing to load the cert file via symbolic 
link, giving me "Permission denied error". That's the problem I'm trying 
to solve right now. Apart from that everything works fine.

On 10.2.2017 11:05, Noel Kuntze wrote:
> Am 10.02.2017 um 00:22 schrieb Jose Novacho:
>> if I replace the symbolic link with the actual file fullchain1.pem everything works as expected.
>> I have also replaced the link, so it points at the  /etc/letsencrypt//archive//trinity.ingames.cz/cert1.pem file. But that didn't help either. I'm still getting permission denied on the cert file.
>> Do you know which of the following LestEncrypt files is the correct one?
>> /root at Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
>> celkem 24
>> drwxr-xr-x 2 root root 4096 úno  6 20:51 .
>> drwx------ 3 root root 4096 úno  6 20:51 ..
>> -rw-r--r-- 1 root root 1805 úno  6 20:51 cert1.pem
>> -rw-r--r-- 1 root root 3452 úno  6 20:51 fullchain1.pem
>> -rw-r--r-- 1 root root 1647 úno  6 20:51 chain1.pem
>> -rw-r--r-- 1 root root 1704 úno  6 20:51 privkey1.pem
>> / I'm not really sure how to use them for VPN otherwise.
> 1. What I mentioned is just an additonal failure that will occur, after charon read the certificate.
> 2. Your peer should have all the CA certificates that lie in the trust path from the root to its certificate.
>     If you make charon just load cert1.pem or fullchain1.pem, then it will only have its own certificate, but no CA certificate.
> 3. You need to split chain1.pem into seperate certificates and put them in ipsec.d/cacerts. The chain will likely not change any time soon.
>     You need to make charon reload the certificate and the CA certificates (togetherwith purging old ones) when they are updated.
>     You could also script something with the letsencrypt client. I use acmetool and did something similiar[1] for my webserver setup.
> 4. Public CAs are not suitable to authenticate VPN peers, because the network that is accessed using the VPN is private,
>     not public. You're entrusting a public entity with controlling access to your private network.
> [1] https://gist.github.com/Thermi/05f2a2903dee6c37bbbb31405ee082d2

More information about the Users mailing list