[Swan-dev] Libreswan library not taking CRLs from the certificate link.

Paul Wouters paul at nohats.ca
Tue Dec 17 17:40:23 UTC 2019


On Tue, 17 Dec 2019, Utkarsh Kumar wrote:

> Hi Everyone, I have an application where I am establishing an IPsec connection between two Linux machines using libreswan, which is happening successfully.
> 
> I have enabled strict CRL check in config with an interval of 60 sec.
> 
>         crl-strict=yes
>         crlcheckinterval=1m
> 
> End Certificate:
> 
> Screen Shot 2019-12-17 at 10.23.45 PM.png

Does the CAcert have the CRL distribution point?

> But the CRL list is not updating automatically. In the logs I am seeing the following error. Can anyone please help me with the solution here?
> 
> Error:
> 
> Dec 17 18:46:05: | *time to check crls
> 
> Dec 17 18:46:05: | attempting to add a new CRL fetch request
> 
> Dec 17 18:46:05: | could not find CRL URI ext -8157

That error is SEC_ERROR_EXTENSION_NOT_FOUND.

> Dec 17 18:46:05: | no distribution point available for new fetch request

I think your CA might not have been created with the CRL distribution
point in it?

Paul
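
Added example, not part of the original message or of Libreswan: a shell check for whether a certificate carries the CRL Distribution Points extension, the extension whose absence the `-8157` log line above reports. It assumes the OpenSSL command-line tool is installed; the two throwaway CAs, the file names and the `crl.example.test` URL are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: two throwaway self-signed CAs, one without and one with
# a CRL Distribution Points (CRLDP) extension, then a check of each.

# Print the CRLDP URIs found in a PEM certificate; exit non-zero if none.
crldp_uris() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /CRL Distribution Points/ { in_dp = 1; next }
        /X509v3|Authority Information Access|Signature Algorithm/ { in_dp = 0 }
        in_dp && /URI:/ { sub(/.*URI:/, ""); sub(/[ \t\r]+$/, ""); print; n++ }
        END { exit (n ? 0 : 1) }'
}

# make_test_ca OUT.pem EXT_SECTION: write a constructed one-day CA certificate.
make_test_ca() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[v3_plain]
basicConstraints = critical,CA:TRUE
[v3_crldp]
basicConstraints = critical,CA:TRUE
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -extensions "$2" -keyout "$dir/ca.key" -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

work=$(mktemp -d)
make_test_ca "$work/plain.pem" v3_plain
make_test_ca "$work/crldp.pem" v3_crldp
for cert in "$work/plain.pem" "$work/crldp.pem"; do
    if uris=$(crldp_uris "$cert"); then
        echo "$(basename "$cert"): CRL distribution point: $uris"
    else
        echo "$(basename "$cert"): no CRL distribution point, nothing to fetch"
    fi
done
```

Running `crldp_uris` against both the end certificate and the CA certificate, each exported as PEM, shows which of them names a URI that a CRL fetch could use.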

