[strongSwan] Moving StrongSwan server from self signed to Let's Encrypt
Michael C Cambria
mcc at fid4.com
Thu Aug 27 15:30:59 CEST 2020
On 8/27/20 7:29 AM, Tobias Brunner wrote:
> Hi Michael,
>
>> Is there anything needed on the Android client side to recognize Let's
>> Encrypt?
> No.
>
>> The StrongSwan App lists DST_Root_CA_X3, but I don't see the
>> LE cert. Is it needed?
> On the server, you need the intermediate CA cert (if you used certbot,
> it's contained in chain.pem so just reference that) and have to make
> sure that it is sent to the clients (in case they don't send certificate
> requests, i.e. configure leftsendcert=always).
Thanks for your reply. I use "ln -s /etc/letsencrypt/live/example.com/chain le-ca.pem".
I have leftsendcert=always, even in the self-signed case. Things are
working now. It turns out I didn't have a "good" DST_Root_CA_X3. I used
what was suggested on a blog. openssl shows it hasn't expired, it looks
right. Based on your response I decided to go to LE itself. When I
grabbed from here: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
(rename to just .pem) things worked.
Is there a way to get the Android app to get LE certs, and keep them up
to date auto-magically by any chance?
>
> Regards,
> Tobias
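The server-side setup Tobias describes above (the Let's Encrypt intermediate from certbot's chain.pem placed in cacerts/, and leftsendcert=always so it is pushed to clients that send no certificate request), as an added shell example that is not part of the thread: it installs the certbot files into the legacy /etc/ipsec.d layout, checks a conn for leftsendcert=always, and reloads the daemon. The file names le-cert.pem and le-key.pem, the helper names, and the placeholder PEM contents are assumptions; the constructed placeholders only stand in for certbot output so the functions can be exercised offline.

```shell
# Added example, not from the thread: install a certbot-issued Let's Encrypt
# chain into the legacy strongSwan (ipsec.conf) directories and check that the
# conn is configured to push the intermediate CA to clients.
# Assumptions: certbot's live/ layout (cert.pem, chain.pem, privkey.pem), the
# /etc/ipsec.d layout, and the `ipsec rereadall` / `ipsec reload` commands.
set -eu

# install_le_chain LIVE_DIR IPSEC_D: copy leaf, intermediate and key into place.
# chain.pem (the LE intermediate) goes to cacerts/ as le-ca.pem, the same role
# the symlink in the thread plays; the private key is made readable by root only.
install_le_chain() {
    live="$1"; ipsec_d="$2"
    for f in cert.pem chain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$ipsec_d/certs" "$ipsec_d/cacerts" "$ipsec_d/private"
    chmod 0700 "$ipsec_d/private"
    cp "$live/cert.pem"    "$ipsec_d/certs/le-cert.pem"
    cp "$live/chain.pem"   "$ipsec_d/cacerts/le-ca.pem"
    cp "$live/privkey.pem" "$ipsec_d/private/le-key.pem"
    chmod 0600 "$ipsec_d/private/le-key.pem"
}

# check_sendcert IPSEC_CONF CONN: succeed only if the named conn sets
# leftsendcert=always, so the intermediate is sent even when the peer does
# not issue a certificate request (the point Tobias makes in the thread).
check_sendcert() {
    awk -v conn="$2" '
        /^conn[[:space:]]/ { inconn = ($2 == conn) }
        inconn && $0 ~ /^[[:space:]]*leftsendcert[[:space:]]*=[[:space:]]*always[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# reload_strongswan: re-read credentials and config if the daemon is installed.
reload_strongswan() {
    if command -v ipsec >/dev/null 2>&1; then
        ipsec rereadall && ipsec reload
    fi
}

# make_constructed_live DIR: placeholder PEM files standing in for certbot
# output (constructed data, not real certificates) for offline exercising.
make_constructed_live() {
    mkdir -p "$1"
    for f in cert.pem chain.pem privkey.pem; do
        printf -- '-----BEGIN CONSTRUCTED %s-----\nplaceholder\n-----END CONSTRUCTED %s-----\n' "$f" "$f" > "$1/$f"
    done
}
```

Run install_le_chain as a certbot deploy hook so renewed certificates land in ipsec.d automatically, then reload_strongswan; check_sendcert is a quick sanity check against the conn that serves the Android clients.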