[strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

Philip Veale email at philipveale.com
Wed Oct 6 20:27:15 CEST 2021


On Wed, 6 Oct 2021 at 17:24, Simon Deziel <simon at sdeziel.info> wrote:

> On 2021-10-06 12:22 p.m., Simon Deziel wrote:
> > On 2021-10-06 12:08 p.m., Philip Veale wrote:
> >> Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening
> >> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission
> >> denied
> >>
> >> Debian Stretch didn't have AppArmor but it's been enabled by default in
> >> Debian since Buster. So yeah, the dist-upgrade kinda broke things.
> >>
> >> Thanks to Simon Deziel in this old thread from years ago;
> >> https://lists.strongswan.org/pipermail/users/2017-February/010537.html
> >>
> >>
> >> I've not quite yet figured out how I want to fix it (there are a few
> >> options) but at least I know why it does not work.
> >
> >
> > At first glance, I'd add "#include <abstractions/ssl_keys>" to charon's
> > profile. Would you mind testing this for me (as root):
>
> Oops, here's the corrected version:
>
> cat << EOF >> /etc/apparmor.d/local/usr.lib.ipsec.charon
> #include <abstractions/ssl_keys>
> EOF
> apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
> systemctl restart strongswan-starter
>


I added it using vim instead, but yes, that's worked perfectly, thank you.
System is now fully operational :)
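
The diagnosis and fix from this thread as an added example (not code from either poster or from the strongSwan project): one function pulls the AppArmor denials for charon's profile out of kernel audit lines, the other adds the include to the local override only when it is missing, so re-running it does not append duplicates. The log lines are constructed, and the profile name /usr/lib/ipsec/charon is an assumption derived from the profile file name used above.

```shell
#!/bin/sh
# Added example. Sample log lines are constructed, not taken from the thread.
# AppArmor reports the symlink-resolved path, so a key opened via live/
# appears under archive/ in the denial.
sample_log() {
cat <<'EOF'
Oct  6 16:43:55 VPN-Server kernel: audit: type=1400 audit(1633531435.101:42): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/letsencrypt/archive/vpn.my-hostname/privkey1.pem" pid=812 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 16:44:10 VPN-Server kernel: audit: type=1400 audit(1633531450.207:43): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/letsencrypt/archive/vpn.my-hostname/privkey1.pem" pid=845 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 16:44:12 VPN-Server kernel: audit: type=1400 audit(1633531452.310:44): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ssl/private/example.key" pid=400 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 16:44:15 VPN-Server kernel: audit: type=1400 audit(1633531455.512:45): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/ipsec/charon" pid=901 comm="apparmor_parser"
EOF
}

# denied_paths PROFILE  (audit lines on stdin)
# Prints one "path denied_mask" pair per distinct denial for PROFILE.
denied_paths() {
    grep -F 'apparmor="DENIED"' |
        grep -F "profile=\"$1\"" |
        sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
        sort -u
}

# ensure_include FILE ABSTRACTION
# Appends "#include <abstractions/ABSTRACTION>" to FILE unless that exact
# line is already there (FILE is created if it does not exist).
ensure_include() {
    grep -qxF "#include <abstractions/$2>" "$1" 2>/dev/null ||
        printf '%s\n' "#include <abstractions/$2>" >> "$1"
}

# Demo on the constructed sample: shows which path charon was denied.
sample_log | denied_paths /usr/lib/ipsec/charon
```

On a live host the input would come from the kernel log (for example `journalctl -k`), and `ensure_include /etc/apparmor.d/local/usr.lib.ipsec.charon ssl_keys` would be followed by the apparmor_parser and restart commands quoted above.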