[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Bryan Harris bryanlharris at gmail.com
Mon Sep 26 11:22:46 UTC 2016


Hi Paul,

Any idea why the remote endpoint certificate is not able to come over IKE?
Here are the most relevant-looking lines from the logs, but I do not
understand them.  Is it possible that, since I have specified the CRL, it
is required to be available?  I thought without strictcrlpolicy (which I do
not set) it would be okay.

But I can't figure out where it's going wrong or why.  I do not ever seem
to get the remote certificate pulled in from either side.

I also notice it says "The Certifying Authority for this certificate is not
permitted to issue a certificate with this name."  Why does it think my CA
is not permitted to issue a certificate for its own name, or for itself?
I'm a little confused on that one, and I wonder if that may be the reason
the thing doesn't work.

Sep 23 13:30:08 right pluto[16936]: | get_issuer_crl : looking for a CRL issued by CN=Sub CA,O=Example,C=GB
Sep 23 13:30:08 right pluto[16936]: | missing or expired CRL
Sep 23 13:30:08 right pluto[16936]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
Sep 23 13:30:08 right pluto[16936]: | Certificate CN=Root CA,O=Example,C=GB failed verification : The Certifying Authority for this certificate is not permitted to issue a certificate with this name.
Sep 23 13:30:08 right pluto[16936]: |   trusted_ca_nss called with a=(empty) b=(empty)
Sep 23 13:30:08 right pluto[16936]: "mytunnel" #2: EXPECTATION FAILED at /builddir/build/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Sep 23 13:30:08 right pluto[16936]: "mytunnel" #2: no suitable connection for peer 'C=GB, O=Example, CN=left'
Sep 23 13:30:08 right pluto[16936]: "mytunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.122.7:500

V/r,
Bryan

On Mon, Sep 26, 2016 at 12:33 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 23 Sep 2016, Bryan Harris wrote:
>
>> Welp, I got to playing around with the old certs that were working, and I
>> somehow broke them.  Then I went back
>> through everything and noticed I had to change the trust bits.
>>
>> So these trust bits work:
>>
>> "CT,,"
>
> Yes, you need the trust bits set properly. Libreswan does that on
> startup using the "ipsec checknss" command (as part of the service
> startup). Older versions did not do this.
>
>> And I can't recall where I found the documentation for these, but I had
>> read it at some point.  But the NEW certs
>> import properly in the first place, so there is not a need (I thought) to
>> set any trust bits (the new ones look like
>> "CT,," so I left it alone).
>
> The "ipsec import" should also properly set the trust bits.
>
>> One other funny thing is that even though the tunnel works using the old
>> certs with the proper trust bits, when I do
>> a "ipsec auto --listall" each server still only shows its own cert in
>> that top list for "List of RSA Public Keys".
>
> The remote endpoint certificate will come in over IKE, so you will only
> see that once you received it from the other end.
>
> Paul
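Paul's point about the NSS trust bits can be checked from the shell. The script below is an added example, not code from this thread or from libreswan: it reads a "certutil -L" listing, flags CA certificates that lack the "CT" trust Paul describes, and prints the certutil command that sets it. The NSS database location and the sample listing are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from this thread: flag certificates in a libreswan NSS
# database that were imported without the "CT" trust bits and print the
# certutil command that sets them. NSSDIR is an assumed default location.
NSSDIR="${NSSDIR:-sql:/etc/ipsec.d}"

# untrusted_certs: read a "certutil -L" listing on stdin, print the nickname
# of every certificate whose SSL trust column is neither a user key ("u")
# nor a trusted CA (both "C" and "T"). Exit 1 if any were printed.
untrusted_certs() {
    awk '
        /Trust Attributes/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            trust = $NF                     # e.g. "CT,,", "u,u,u" or ",,"
            sub(/[ \t]+[^ \t]+$/, "", $0)   # drop trust field; rest is nickname
            nick = $0
            split(trust, f, ",")            # f[1] is the SSL trust column
            if (f[1] ~ /u/) next            # own key pair, not a CA
            if (f[1] !~ /C/ || f[1] !~ /T/) { print nick; bad = 1 }
        }
        END { if (bad) exit 1 }
    '
}

# suggest_fix: for each nickname on stdin, print the trust-bit modification
# (the setting "ipsec checknss" applies to CA certificates).
suggest_fix() {
    while IFS= read -r nick; do
        printf 'certutil -M -d %s -n "%s" -t "CT,,"\n' "$NSSDIR" "$nick"
    done
}

# Constructed sample listing in "certutil -L" format: Root CA is trusted,
# Sub CA came in without trust bits, "right" is the host's own key.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Root CA                                     CT,,
Sub CA                                      ,,
right                                       u,u,u'

# With --live and certutil installed, inspect the real database; otherwise
# run against the constructed sample.
if [ "${1:-}" = "--live" ] && command -v certutil >/dev/null 2>&1; then
    certutil -L -d "$NSSDIR" | untrusted_certs | suggest_fix
else
    printf '%s\n' "$SAMPLE_LISTING" | untrusted_certs | suggest_fix
fi
```

Run it with --live on a host where certutil is installed to check the real database; without arguments it only walks the constructed sample.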