[strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

Simon Deziel simon at sdeziel.info
Wed Oct 6 20:40:44 CEST 2021


On 2021-10-06 2:27 p.m., Philip Veale wrote:
> On Wed, 6 Oct 2021 at 17:24, Simon Deziel <simon at sdeziel.info> wrote:
> 
>> On 2021-10-06 12:22 p.m., Simon Deziel wrote:
>>> On 2021-10-06 12:08 p.m., Philip Veale wrote:
>>>> Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening
>>>> '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission
>>>> denied
>>>>
>>>> Debian Stretch didn't have AppArmor but it's been enabled by default in
>>>> Debian since Buster. So yeah, the dist-upgrade kinda broke things.
>>>>
>>>> Thanks to Simon Deziel in this old thread from years ago;
>>>> https://lists.strongswan.org/pipermail/users/2017-February/010537.html
>>>>
>>>>
>>>> I've not quite yet figured out how I want to fix it (there are a few
>>>> options) but at least I know why it does not work.
>>>
>>>
>>> At first glance, I'd add "#include <abstractions/ssl_keys>" to charon's
>>> profile. Would you mind testing this for me (as root):
>>
>> Oops, here's the corrected version:
>>
>> cat <<EOF >> /etc/apparmor.d/local/usr.lib.ipsec.charon
>> #include <abstractions/ssl_keys>
>> EOF
>> apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
>> systemctl restart strongswan-starter
>>
> 
> 
> I added it using vim instead but Yes, that's worked perfectly, thank you.
> System is now fully operational :)

Thanks for testing and reporting back, I'll submit a PR to Debian soon.

Regards,
Simon
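Added example, not Simon's code and not a strongSwan or Debian file: an idempotent shell version of the fix quoted in the thread. It pulls the denied path out of the charon log line, appends the ssl_keys include to the local override only when it is not already there (the plain `cat >>` would duplicate it on every re-run), and reloads the profile only where apparmor_parser exists. The log line is the one from the thread, embedded as sample input; the `APPLY_FIX` guard is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Idempotent form of the fix:
# 1) extract the path charon was denied, 2) add the include once, 3) reload.

# Pull the quoted path out of a charon "opening '...' failed: Permission denied" line.
# Prints nothing for lines that are not a permission denial.
denied_path() {
    printf '%s\n' "$1" | sed -n "s/.*opening '\([^']*\)' failed: Permission denied.*/\1/p"
}

# Append the include line to the local override unless it is already present.
# Returns 0 when the line was added, 1 when it was already there.
ensure_include() {
    local_file="$1"
    include_line='#include <abstractions/ssl_keys>'
    if grep -qxF "$include_line" "$local_file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$include_line" >> "$local_file"
    return 0
}

# Reload the profile (-r replace, -T skip the cache, -W write the cache) and
# restart strongSwan. No-op on hosts without apparmor_parser so the file
# handling above can be exercised anywhere.
apply_profile() {
    profile="${1:-/etc/apparmor.d/usr.lib.ipsec.charon}"
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -rTW "$profile" && systemctl restart strongswan-starter
    fi
}

main() {
    # Constructed sample input: the denial line reported in the thread.
    line="Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission denied"
    path=$(denied_path "$line")
    case "$path" in
        /etc/letsencrypt/*)
            ensure_include /etc/apparmor.d/local/usr.lib.ipsec.charon && apply_profile ;;
        *)
            echo "no Let's Encrypt denial found in: $line" >&2 ;;
    esac
}

# Only touch /etc/apparmor.d when explicitly asked (assumed guard for this example).
if [ "${APPLY_FIX:-0}" = 1 ]; then
    main
fi
```

Run as root with `APPLY_FIX=1 sh fix-charon-apparmor.sh`; a second run reports the include as already present and changes nothing.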
