[strongSwan] Moving StrongSwan server from self signed to Let's Encrypt

Michael C Cambria mcc at fid4.com
Wed Aug 26 17:50:17 CEST 2020


Hi,

I have a Fedora 30 server with Android Galaxy S8 clients working using 
self signed certs on both the server and the strongSwan Android client.  
It's been working for years, but now the server cert is about to 
expire.  I'm trying to migrate to using Let's Encrypt rather than to 
continue to use my own CA.

Is there anything needed on the Android client side to recognize Let's 
Encrypt?  The StrongSwan App lists DST_Root_CA_X3, but I don't see the 
LE cert.  Is it needed?

On the server I simply changed leftcert and leftid from pem files I 
created to those created by LE.  The client (right=) currently still 
uses my self signed CA and certs.  These certs are still in 
/etc/strongswan/ipsec.d

If I'm reading the logs correctly the server logs show both SAs 
established.  The Android client logs show the client app takes down 
the connection:


Aug 26 11:32:56 12[IKE] establishing CHILD_SA android{40}
[deleted]
Aug 26 11:32:56 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH 
CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) 
N(ADD_6_ADDR) ]
Aug 26 11:32:56 15[IKE] received end entity cert "CN=example.org"
Aug 26 11:32:56 15[CFG]   using certificate "CN=example.org"
Aug 26 11:32:56 15[CFG] no issuer certificate found for "CN=example.org"
Aug 26 11:32:56 15[CFG]   issuer is "C=US, O=Let's Encrypt, CN=Let's 
Encrypt Authority X3"
Aug 26 11:32:56 15[IKE] no trusted RSA public key found for 'CN=example.org'
Aug 26 11:32:56 15[ENC] generating INFORMATIONAL request 2 [ 
N(AUTH_FAILED) ]

CN=example.org substituted for real domain name.

I've read that DST_Root_CA_X3 is needed in cacerts in the case of "unix 
to unix", but the Android App seems to already have this.  Is there 
anything else needed?

Thanks,
MikeC


# strongswan version
Linux strongSwan U5.8.2/K5.5.16-100.fc30.x86_64
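An added illustration (not part of the post, nor strongSwan's own documentation) of the configuration the log points at: the server presents only the Let's Encrypt end-entity certificate, and the client, which trusts DST Root CA X3 but does not hold the "Let's Encrypt Authority X3" intermediate, cannot complete the chain. The corrected version makes the intermediate available to strongSwan so it is sent along. Paths assume Fedora's /etc/strongswan layout and certbot's /etc/letsencrypt/live/example.org/ output (example.org standing in for the real hostname, as in the post); connection names and the `right=%any` line are placeholders.

```ini
# ---- As posted: only the end-entity cert is referenced ----
# strongSwan sends just this one certificate. The Android client logs
# "no issuer certificate found" followed by N(AUTH_FAILED), because it
# has the root (DST Root CA X3) but not the intermediate that signed
# the server cert, so it cannot build end-entity -> intermediate -> root.
conn android-le-broken
    leftcert=/etc/letsencrypt/live/example.org/cert.pem
    leftid=example.org
    right=%any
    # remaining settings unchanged from the self-signed setup

# ---- Corrected: ship the intermediate, send the chain unconditionally ----
# Copy certbot's chain.pem (the intermediate CA cert, not the root) into
# ipsec.d/certs; strongSwan loads intermediate certificates from that
# directory and sends them to the peer together with the end-entity cert.
# The private key is referenced from ipsec.secrets as before
# (": RSA /etc/letsencrypt/live/example.org/privkey.pem").
#
#   cp /etc/letsencrypt/live/example.org/chain.pem \
#      /etc/strongswan/ipsec.d/certs/le-intermediate.pem
#   strongswan rereadall
#
# With the chain sent, the client validates up to DST Root CA X3, which
# the strongSwan Android app already lists, so nothing changes on the phone.
conn android-le
    leftcert=/etc/letsencrypt/live/example.org/cert.pem
    leftid=example.org
    leftsendcert=always
    right=%any
    # remaining settings unchanged from the self-signed setup
```

Repeat the copy step from a certbot deploy hook so a renewed intermediate is picked up, since Let's Encrypt rotates its intermediates independently of the end-entity cert.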



