[strongSwan] Moving StrongSwan server from self signed to Let's Encrypt

Michael C Cambria mcc at fid4.com
Thu Aug 27 15:30:59 CEST 2020



On 8/27/20 7:29 AM, Tobias Brunner wrote:
> Hi Michael,
>
>> Is there anything needed on the Android client side to recognize Let's
>> Encrypt?
> No.
>
>> The StrongSwan App lists DST_Root_CA_X3, but I don't see the
>> LE cert.  Is it needed?
> On the server, you need the intermediate CA cert (if you used certbot,
> it's contained in chain.pem so just reference that) and have to make
> sure that it is sent to the clients (in case they don't send certificate
> requests, i.e. configure leftsendcert=always).

Thanks for your reply.  I use "ln -s /etc/letsencrypt/live/example.com/chain le-ca.pem"

I have leftsendcert=always, even in the self-signed case. Things are 
working now.  It turns out I didn't have a "good" DST_Root_CA_X3. I used 
what was suggested on a blog.  openssl shows it hasn't expired, it looks 
right.  Based on your response I decided to go to LE itself.  When I 
grabbed from here: https://letsencrypt.org/certs/trustid-x3-root.pem.txt 
(rename to just .pem) things worked.

Is there a way to get the Android app to get LE certs, and keep them up 
to date auto-magically by any chance?

>
> Regards,
> Tobias
