[strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

Simon Deziel simon at sdeziel.info
Wed Oct 6 18:24:24 CEST 2021


On 2021-10-06 12:22 p.m., Simon Deziel wrote:
> On 2021-10-06 12:08 p.m., Philip Veale wrote:
>> I hadn't tried that, but tried, didn't change anything. I noticed things
>> specifically related to StrongSWAN aren't working since the update to
>> Bullseye and swanctl is not a recognised command. StrongSWAN is installed
>> via apt, version 5.9.1-1
>>
>> swanctl doesn't exist as a command and there is no service called
>> strongswan anymore. I'm not sure how weird that is.
> 
> swanctl lives in a different package. The strongswan unit got renamed to 
> strongswan-starter.
> 
>> Just been trawling more logs and spotted something else which should be a
>> massive clue;
>>
>> Oct  6 16:43:55 VPN-Server charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening
>> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission
>> denied
>> Oct  6 16:43:55 VPN-Server charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
>> Oct  6 16:43:55 VPN-Server charon: 00[CFG]   loading private key from
>> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed
>>
>>
>> So yeah it looks like it's a simple permissions issue, I'm guessing the
>> dist upgrade has changed the user the service runs as and that uid
>> doesn't have read access to the privkey. I should have thought of that.
>> For some reason I thought it just ran as root.
>>
>> Oh.. so no, it does run as root, but it's AppArmor, interfering with
>> Charon apparently - the PEM files are created by certbot with symlinks
>> (from 'live' to 'archive') as it rotates through and creates new ones,
>> keeping the old, the newest versions are always symlinked.
>>
>> Debian Stretch didn't have AppArmor but it's been enabled by default in
>> Debian since Buster. So yeah, the dist-upgrade kinda broke things.
>>
>> Thanks to Simon Deziel in this old thread from years ago;
>> https://lists.strongswan.org/pipermail/users/2017-February/010537.html
>>
>>
>> I've not quite yet figured out how I want to fix it (there are a few
>> options) but at least I know why it does not work.
> 
> 
> At first glance, I'd add "#include <abstractions/ssl_keys>" to charon's 
> profile. Would you mind testing this for me (as root):

Oops, here's the corrected version:

cat <<EOF >> /etc/apparmor.d/local/usr.lib.ipsec.charon
#include <abstractions/ssl_keys>
EOF
apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
systemctl restart strongswan-starter

Simon
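The steps above (append an include line to charon's local AppArmor override, reload the profile, restart the unit) can be wrapped so they are safe to re-run and so the symlink chain from `live/` to `archive/` that tripped the profile is made visible. The script below is an added example and not code from the thread or from the strongSwan project; it assumes the same file paths and the same `apparmor_parser -rTW` invocation Simon gave, and `readlink -f` as found on Debian. It appends the include only if it is not already there, resolves the real path behind the `live/` symlink so you can compare it with what the profile permits, and skips the reload when `apparmor_parser` is not installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): idempotent AppArmor
# local-override helper plus a symlink-resolution check for certbot keys.
set -eu

# Append INCLUDE_LINE to OVERRIDE_FILE only if it is not already present.
# Returns 0 when the line was added, 1 when it was already there.
add_local_include() {
    override_file="$1"
    include_line="$2"
    mkdir -p "$(dirname "$override_file")"
    touch "$override_file"
    if grep -qxF "$include_line" "$override_file"; then
        return 1
    fi
    printf '%s\n' "$include_line" >> "$override_file"
    return 0
}

# Print the fully resolved path of KEY_PATH (follows every symlink, e.g.
# live/<host>/privkey.pem -> archive/<host>/privkeyN.pem) so it can be
# compared with the paths the profile allows; fail if it is not readable.
resolve_key_path() {
    key_path="$1"
    target="$(readlink -f "$key_path")"
    [ -r "$target" ] || return 1
    printf '%s\n' "$target"
}

# Reload PROFILE with the flags used in the thread; skip cleanly on hosts
# without apparmor_parser so the helper can be dry-run anywhere.
reload_profile() {
    profile="$1"
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -rTW "$profile"
    else
        echo "apparmor_parser not found; skipping reload of $profile" >&2
    fi
}

# Typical use on the affected host (run as root); the paths are the ones
# from the thread, the hostname is a placeholder:
#   add_local_include /etc/apparmor.d/local/usr.lib.ipsec.charon \
#       '#include <abstractions/ssl_keys>' || true
#   resolve_key_path /etc/letsencrypt/live/vpn.my-hostname/privkey.pem
#   reload_profile /etc/apparmor.d/usr.lib.ipsec.charon
#   systemctl restart strongswan-starter
```

Seeing the resolved `archive/` path next to the `live/` path is the quickest way to confirm that a denial comes from the profile rather than from file ownership: the `ssl_keys` abstraction has to cover the target, not just the symlink.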

