[strongSwan] Cannot connect from roadwarrior linux client to server with Letsencrypt cert

Lorenzo Milesi lorenzo.milesi at yetopen.com
Wed Aug 4 04:16:34 CEST 2021

I've setup a roadwarrior server with Strongswan 5.8.2. Windows 10 clients connect successfully, while Linux ones don't.
When I try to bring up the connection I get:

received end entity cert "CN=vpn01.server.it"
  using certificate "CN=vpn01.server.it"
  using trusted intermediate ca certificate "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
checking certificate status of "CN=vpn01.server.it"
  requesting ocsp status from 'http://zerossl.ocsp.sectigo.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
  issuer is "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
no trusted RSA public key found for 'vpn01.server.it'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from[4500] to[4500] (65 bytes)
establishing connection 'vpn-vpn01' failed

In /etc/ipsec.d/cacerts I copied fullchain and ca pem files from the server.
The LE certificate has been issued using acme.sh, ZeroSSL comes from that.

I tried downloading OCSP cert directly from the website but didn't know how to do...

Lorenzo Milesi - lorenzo.milesi at yetopen.com 
CTO @ YetOpen Srl

YetOpen - https://www.yetopen.com/

Via Salerno 18 - 23900 Lecco - ITALY -      | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com  | Phone +1 919-817-8106 - info.us at yetopen.com

Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary

-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.

More information about the Users mailing list