[strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble
Simon Deziel
simon at sdeziel.info
Wed Oct 6 18:22:10 CEST 2021
On 2021-10-06 12:08 p.m., Philip Veale wrote:
> I hadn't tried that, but tried, didn't change anything. I noticed things
> specifically related to StrongSWAN aren't working since the update to
> Bullseye and swanctl is not a recognised command. StrongSWAN is installed
> via apt, version 5.9.1-1
>
> swanctl doesn't exist as a command and there is no service called
> strongswan anymore. I'm not sure how weird that is.
swanctl lives in a different package. The strongswan unit got renamed to
strongswan-starter.
> Just been trawling more logs and spotted something else which should be a
> massive clue;
>
> Oct 6 16:43:55 VPN-Server charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Oct 6 16:43:55 VPN-Server charon: 00[LIB] opening
> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission
> denied
> Oct 6 16:43:55 VPN-Server charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
> failed, tried 11 builders
> Oct 6 16:43:55 VPN-Server charon: 00[CFG] loading private key from
> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed
>
>
> So yeah it looks like it's a simple permissions issue, I'm guessing the
> dist upgrade has changed the user the service runs as and that uid doesn't
> have read access to the privkey. I should have thought of that. For some
> reason I thought it just ran as root.
>
> Oh..so no, it does run as root, but it's AppArmor, interfering with Charon
> apparently - the PEM files are created by certbot with symlinks (from
> 'live' to 'archive') as it rotates through and creates new ones, keeping
> the old, the newest versions are always symlinked.
>
> Debian Stretch didn't have AppArmor but it's been enabled by default in
> Debian since Buster. So yeah, the dist-upgrade kinda broke things.
>
> Thanks to Simon Deziel in this old thread from years ago;
> https://lists.strongswan.org/pipermail/users/2017-February/010537.html
>
>
> I've not quite yet figured out how I want to fix it (there are a few
> options) but at least I know why it does not work.
At first glance, I'd add "#include <abstractions/ssl_keys>" to charon's
profile. Would you mind testing this for me (as root):
cat <<'EOF' >> /etc/apparmor.d/local/usr.lib.ipsec.charon
#include <abstractions/ssl_keys>
EOF
apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
systemctl restart strongswan-starter
And report back, please?
Simon
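An added example, not part of this thread or of the strongSwan project, that wraps the fix above in a script you can re-run safely: it appends the ssl_keys abstraction to charon's local AppArmor override only if the line is not already there, and it follows certbot's live -> archive symlink to confirm the key that charon will actually open is a readable regular file. The PROFILE_LOCAL and APPLY environment variables, and the function names, are my own additions; the paths default to the Debian ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent version of the
# "#include <abstractions/ssl_keys>" fix plus a readability check on the
# key behind certbot's live/ symlink.

# Debian paths from the thread; PROFILE_LOCAL can be overridden for testing.
PROFILE_LOCAL="${PROFILE_LOCAL:-/etc/apparmor.d/local/usr.lib.ipsec.charon}"
PROFILE_MAIN="/etc/apparmor.d/usr.lib.ipsec.charon"
INCLUDE_LINE='#include <abstractions/ssl_keys>'

# has_include FILE: succeed if FILE already contains the exact include line.
has_include() {
    [ -f "$1" ] && grep -qxF "$INCLUDE_LINE" "$1"
}

# add_include FILE: append the include line once; re-running is a no-op.
add_include() {
    if has_include "$1"; then
        return 0
    fi
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$INCLUDE_LINE" >> "$1"
}

# key_readable PATH: resolve certbot's live -> archive symlink chain and
# print the final path if it is a readable regular file; fail otherwise.
key_readable() {
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] && [ -r "$target" ] && printf '%s\n' "$target"
}

# Only touch the live system when explicitly asked (run as root):
#   APPLY=1 sh this_script.sh
if [ "${APPLY:-0}" = 1 ]; then
    add_include "$PROFILE_LOCAL"
    apparmor_parser -rTW "$PROFILE_MAIN"
    systemctl restart strongswan-starter
    key_readable /etc/letsencrypt/live/vpn.my-hostname/privkey.pem \
        || echo "private key still not readable; check 'dmesg | grep DENIED'" >&2
fi
```

Without APPLY=1 the script only defines the functions, so it can be sourced and the checks run by hand before reloading the profile.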