[strongSwan] Fwd: CRL validation failing

Matthew Winnett mswinnett at gmail.com
Thu Jan 11 13:16:53 CET 2018


I am running 5.6.1 and trying to establish a site to site vlan to an F5
BIG-IP using IKEv2 and certificates. The tunnel works OK with PSK, but when
using certificates I get the following in the log:

11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG]   fetching crl from 'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl'
...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer '0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'

I found a previous thread indicating that the "CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer", which I now have ...

$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
                DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
                serial:5A:4D:03:09

$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22

Any idea what is wrong?

Many thanks ...
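The rule quoted above (the CRL's authorityKeyIdentifier keyid must equal the subjectKeyIdentifier of the CA certificate that strongSwan will treat as the CRL issuer) can be reproduced end to end with the openssl CLI. The script below is an added example, not code from the original post or from the strongSwan project: it builds a throwaway CA, issues one CRL with no AKI extension and one with it, extracts the identifiers the same way the poster's grep did, and reports whether they line up. It also checks the CRL signature against the CA, which is the other thing a CRL fetched from `x509crl/` has to pass. All names, the DN, and the temporary paths are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan). Builds a throwaway
# CA and two CRLs with openssl, then checks the property the thread cites:
# the CRL's authorityKeyIdentifier keyid must equal the CA cert's SKI.
# Every name, DN and path below is invented for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# openssl ca wants a database, serial and crlnumber file even for an empty CRL.
setup_ca() {
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Example Root CA

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer

[ ca ]
default_ca = example_ca

[ example_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

# CRL extensions; only applied when -crlexts crl_ext is passed
[ crl_ext ]
authorityKeyIdentifier = keyid:always, issuer:always
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # CRL without any AKI extension
  openssl ca -gencrl -config "$WORK/ca.cnf" -out "$WORK/no-aki.crl" 2>/dev/null
  # CRL carrying an AKI keyid (what the earlier thread asked for)
  openssl ca -gencrl -config "$WORK/ca.cnf" -crlexts crl_ext \
    -out "$WORK/with-aki.crl" 2>/dev/null
}

# SKI of a certificate as colon-separated hex, e.g. 0E:DB:41:...
ca_ski() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Key Identifier/{n;s/^ *//;p;}'
}

# AKI keyid of a CRL in the same format; empty when the CRL has no AKI
crl_aki() {
  openssl crl -in "$1" -noout -text | sed -n 's/^ *keyid:\(.*\)$/\1/p'
}

# Prints "match", "mismatch" or "no-aki" for a CRL against a candidate issuer.
crl_issuer_check() {
  aki="$(crl_aki "$1")"
  ski="$(ca_ski "$2")"
  if [ -z "$aki" ]; then echo no-aki
  elif [ "$aki" = "$ski" ]; then echo match
  else echo mismatch
  fi
}

# Exit status 0 when the CRL signature verifies with the given CA certificate.
crl_sig_ok() {
  openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1
}

setup_ca
for f in no-aki with-aki; do
  printf '%s.crl: issuer check=%s\n' "$f" \
    "$(crl_issuer_check "$WORK/$f.crl" "$WORK/ca.pem")"
done
```

Run it as-is; the first CRL reports `no-aki` and the second `match`. The useful habit is to run `crl_issuer_check`-style comparisons on the exact files strongSwan loads (the CRL under `x509crl/` and the CA certificate under `x509ca/`), since a stale CRL left behind in the directory, or one generated from a different CA key, fails this check even when a freshly generated CRL passes.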