[Swan] no EE-cert in chain Issue
Tuomo Soini
tis at foobar.fi
Thu Apr 6 14:16:43 EEST 2023
On Thu, 6 Apr 2023 16:00:31 +0530
Gayathri Manoj <gayathri.annur at gmail.com> wrote:
> Hi All,
>
> We have upgraded the libreswan version from 3.20 to 3.25 and getting
> the below errors.
>
> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: no EE-cert
> in chain!
> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: Certificate
> rejected for this connection
> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload
> bogus or revoked
> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted
> notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>
> Our cert has the below extension:
>
> X509v3 Basic Constraints: critical
>     CA:TRUE
>
> Please let us know whether it is due to our certificate issue. With the same
> certificate it worked for the system where the libreswan version is
> 3.20.
> When we upload the CA signed certificate with web server template then
> no issues.
>
> Please let us know whether it is due to a libreswan limitation or the
> certificate issue.
Self-signed certificates (CA-certificates) should not be used as vpn
certificates. You should use proper server/client certificates
instead.
Older versions of libreswan don't have the same level of certificate
verification as later ones.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
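One way to check a candidate certificate before loading it into libreswan, as an added example that is not part of this thread and not libreswan's own code: a dependency-free DER walker that locates the X.509 Basic Constraints extension (OID 2.5.29.19) and reports whether the certificate asserts CA:TRUE, the property Tuomo's reply points at. The sample inputs are constructed Extensions blobs, not real certificates; the same classify_cert() function works on a full DER certificate read from disk.

```python
# Added example (not from the thread or libreswan): find Basic Constraints in DER.
BASIC_CONSTRAINTS_OID = b"\x55\x1d\x13"  # OID 2.5.29.19 as DER content bytes

def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each TLV in data[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve

def _find_extension(data, start, end, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, critical?, extnValue }."""
    for tag, vs, ve in _children(data, start, end):
        if not tag & 0x20:  # primitive type: nothing to descend into
            continue
        kids = list(_children(data, vs, ve))
        if kids and kids[0][0] == 0x06 and data[kids[0][1]:kids[0][2]] == oid \
                and kids[-1][0] == 0x04:
            return data[kids[-1][1]:kids[-1][2]]  # extnValue OCTET STRING contents
        found = _find_extension(data, vs, ve, oid)
        if found is not None:
            return found
    return None

def basic_constraints_ca(extn_value):
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }."""
    _, vs, ve = _read_tlv(extn_value, 0)
    for tag, a, _ in _children(extn_value, vs, ve):
        if tag == 0x01:  # BOOLEAN cA; DER omits it entirely when FALSE
            return extn_value[a] != 0
    return False

def classify_cert(der):
    """Return 'CA', 'EE', or 'EE-no-basic-constraints' for a DER certificate."""
    extn = _find_extension(der, 0, len(der), BASIC_CONSTRAINTS_OID)
    if extn is None:
        return "EE-no-basic-constraints"
    return "CA" if basic_constraints_ca(extn) else "EE"

# Constructed sample Extensions blobs (not real certificates) for a quick check.
CA_TRUE_EXTS = bytes.fromhex("3011300f0603551d130101ff040530030101ff")  # CA:TRUE
EE_EXTS = bytes.fromhex("300e300c0603551d130101ff04023000")              # CA:FALSE
NO_BC_EXTS = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")       # keyUsage only
```

A result of "CA" for the certificate you intend to present as the VPN endpoint is the case the 3.25 log above rejects; a web-server or client certificate should come back "EE".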