[strongSwan] Loading certificate fails

Ettrich, Mike, NMU-DSJ Mike.Ettrich at bertelsmann.de
Tue Jun 5 11:49:49 CEST 2018


Hi!
Because the strongswan log doesn't tell a lot about the reasons I have to call for help solving the problem "building CRED_CERTIFICATE - ANY failed, tried 1 builders".
We do use a symlink to the certificate but it seems to be a structural problem.

We have problems to load the certificate (80276883130047021254.cert.pem):

-----BEGIN CERTIFICATE-----
MIIFNDCCBBygAwIBAgIBSTANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCREUx
HzAdBgNVBAoMFmdlbWF0aWsgR21iSCBOT1QtVkFMSUQxMjAwBgNVBAsMKUtvbXBv
bmVudGVuLUNBIGRlciBUZWxlbWF0aWtpbmZyYXN0cnVrdHVyMSAwHgYDVQQDDBdH
RU0uS09NUC1DQTI3IFRFU1QtT05MWTAeFw0xNzA4MjgxMjIzNTJaFw0yMjA4Mjcx
MjIzNTFaMIGzMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQH
DAZCZXJsaW4xKzApBgNVBAoMImdlbWF0aWsgR21iSCBURVNULU9OTFkgLSBOT1Qt
VkFMSUQxJjAkBgNVBAMMHTgwMjc2ODgzMTMwMDQ3MDIxMjU0LTIwMTcwODI4MQ4w
DAYDVQQRDAUxMDExNzEdMBsGA1UECQwURnJpZWRyaWNoc3RyYcOfZSAxMzYwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCehPry2MyAIkDwS3+DYdTQbCr0
FM1W5OqceoP2jK14yFk9iDFOeE0kVld+U3QZyxhVlRX+D4BcRih9tiHt+Smunlln
wglltDWLmt1huPZ38cLPRMYk5enZ+OMpj3YgqIUPNne8dYIYld7s4e5+w5xQ0akM
2houp3JK7uxjRRs40nYVo2QdaC+PkfcdBPHaJR9hk26/fD0UO5sLR2lLdRnCuXqh
n1JsjcAbyw2Uwd5Uh3eSuklg+fWGpU/AsbqMSY6+LoI7Oaepiu5FAFumaRtC4owX
rbNcf3YLy4l2c62Ay/QE00nB0Pv0ZVKS8OasmuTT3ArJiERljwAsfDd/WI1PAgMB
AAGjggF+MIIBejAdBgNVHQ4EFgQUuN/vh46nGxNmkCqfgQBGlpaTcHIwHwYDVR0j
BBgwFoAUfW1kQ8WJ8ASnYtkAautkzF7td3QwSwYIKwYBBQUHAQEEPzA9MDsGCCsG
AQUFBzABhi9odHRwOi8vb2NzcC10ZXN0cmVmLmtvbXAtY2EudGVsZW1hdGlrLXRl
c3Qvb2NzcDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwIAYDVR0gBBkwFzAKBggqghQATASBIzAJBgcq
ghQATARQMFsGA1UdEQRUMFKgUAYDVQQKoEkMR2dlbWF0aWsgR2VzZWxsc2NoYWZ0
IGbDvHIgVGVsZW1hdGlrYW53ZW5kdW5nZW4gZGVyIEdlc3VuZGhlaXRza2FydGUg
bWJIMC8GBSskCAMDBCYwJDAiMCAwHjAcMA8MDU5ldHprb25uZWt0b3IwCQYHKoIU
AEwEaDANBgkqhkiG9w0BAQsFAAOCAQEAIC2ftr1046BhsVdi92EIefD/23aDDgFA
86ChWepmEfZ+n56QCYsLdw3ugVgUVBmBF6CnwrmKN91tglS3EN0IV2G2UdzitdFB
xAcIfRB2rcVAfQu8wcegQSVPYtOk0N8v/QOayLg8gYdEdxpRihYOyHBtbURE3Dyt
UFxuqxleE32sVZlYnf0m7SmXt9XtkO7eN+synlJBR8JUogyxQfMOqwfZPK7Rf7em
chKs4WFQtcPsPGzU4Q1yRzG3PxAiDVUgdCj2zuNl0epRkjmE7ZPRI/umtyorJmx5
lWA6ti+ZxtUZUImLbtKZy3CeNhohFUNQ5oveQ42ADyyp3SHnGssBQg==
-----END CERTIFICATE-----

PKI - Call:
ipsec pki --print --in 80276883130047021254.cert.pem
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing input failed

OpenSsl - Call:
openssl x509 -in 80276883130047021254.cert.pem -text -noout


            X509v3 Subject Alternative Name:
                othername:<unsupported>
            1.3.36.8.3.3:
Netzkonnektor0...*...L.h0.0..
    Signature Algorithm: sha256WithRSAEncryption
        20:2d:9f:b6:bd:74:e3:a0:61:b1:57:62:f7:61:08:79:f0:ff:
        db:76:83:0e:01:40:f3:a0:a1:59:ea:66:11:f6:7e:9f:9e:90:
        09:8b:0b:77:0d:ee:81:58:14:54:19:81:17:a0:a7:c2:b9:8a:
        37:dd:6d:82:54:b7:10:dd:08:57:61:b6:51:dc:e2:b5:d1:41:
        c4:07:08:7d:10:76:ad:c5:40:7d:0b:bc:c1:c7:a0:41:25:4f:
        62:d3:a4:d0:df:2f:fd:03:9a:c8:b8:3c:81:87:44:77:1a:51:
        8a:16:0e:c8:70:6d:6d:44:44:dc:3c:ad:50:5c:6e:ab:19:5e:
        13:7d:ac:55:99:58:9d:fd:26:ed:29:97:b7:d5:ed:90:ee:de:
        37:eb:32:9e:52:41:47:c2:54:a2:0c:b1:41:f3:0e:ab:07:d9:
        3c:ae:d1:7f:b7:a6:72:12:ac:e1:61:50:b5:c3:ec:3c:6c:d4:
        e1:0d:72:47:31:b7:3f:10:22:0d:55:20:74:28:f6:ce:e3:65:
        d1:ea:51:92:39:84:ed:93:d1:23:fb:a6:b7:2a:2b:26:6c:79:
        95:60:3a:b6:2f:99:c6:d5:19:50:89:8b:6e:d2:99:cb:70:9e:
        36:1a:21:15:43:50:e6:8b:de:43:8d:80:0f:2c:a9:dd:21:e7:
        1a:cb:01:42

If this certificate is used by our Test-Roadwarrior  Charon.log contains:

Jun  5 09:20:56 14[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Jun  5 09:20:56 14[CFG]   loading certificate from 'my.C_NK_VPN.pem' failed

Kind regards,
Mike.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180605/f0abd030/attachment.html>


More information about the Users mailing list