Unable to Start Responder with X.509 Certificates #2
Replies: 3 comments
The log also shows this error: Mar 23 13:28:37 vpn02 swanctl[8442]: loading connection 'vpnresponder' failed: invalid value for: certs, config discarded
One other point I forgot to mention, all the certs are in PEM format.
I've made some progress, it turns out I forgot to remove the private key in the responder pem file in the ~/x509 directory because the ~/ecdsa directory already has a copy of the private key file in pem format. -SR
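The fix above comes down to a file in the x509 directory carrying more than a certificate. The following script is an added example (not strongSwan or swanctl code) that inventories the PEM blocks in a file destined for swanctl/x509 or x509ca, flags any private key block, and runs a cheap DER length check that catches truncated or paste-damaged bodies. The directory names follow the swanctl layout mentioned in the thread; the sample PEM bodies are constructed (a three-byte DER SEQUENCE, not a real certificate) so the script runs offline.

```python
"""Check that a PEM file meant for swanctl/x509 holds only certificates.

Added example, not strongSwan code. Directory names (x509, private, ecdsa)
follow the swanctl layout discussed in the thread.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# A PEM block: BEGIN/END lines with matching labels and a base64 body between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels that belong in swanctl's x509 / x509ca directories.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}


@dataclass
class PemBlock:
    label: str
    der: Optional[bytes]          # None when the base64 body does not decode
    error: Optional[str] = None


def parse_pem(text: str) -> List[PemBlock]:
    """Split a PEM file into its blocks, decoding each body strictly."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            blocks.append(PemBlock(label, base64.b64decode(body, validate=True)))
        except (binascii.Error, ValueError) as exc:
            blocks.append(PemBlock(label, None, f"base64 decode failed: {exc}"))
    return blocks


def der_outer_sequence_ok(der: bytes) -> bool:
    """Sanity check without a full X.509 parser: DER must start with a
    SEQUENCE (0x30) whose encoded length covers exactly the rest of the
    buffer. Truncation or extra bytes make the two disagree."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_cert_file(text: str) -> List[str]:
    """Return findings for a file that is supposed to hold only certificates."""
    findings = []
    blocks = parse_pem(text)
    if not blocks:
        findings.append("no PEM blocks found (wrong file, DER input, or line-ending damage)")
    for b in blocks:
        if b.error:
            findings.append(f"{b.label}: {b.error}")
            continue
        if "PRIVATE KEY" in b.label:
            findings.append(f"{b.label} block present: keys belong in swanctl/private "
                            f"or swanctl/ecdsa, not in swanctl/x509")
        elif b.label not in CERT_LABELS:
            findings.append(f"unexpected block type {b.label}")
        if not der_outer_sequence_ok(b.der):
            findings.append(f"{b.label}: DER length does not match block size "
                            f"(truncated or corrupt)")
    return findings


# Constructed sample bodies. "MAMCAQQ=" decodes to the DER SEQUENCE { INTEGER 4 },
# not a real certificate; it is enough to exercise the structural checks.
GOOD_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQQ=\n-----END CERTIFICATE-----\n"
MIXED_PEM = GOOD_CERT_PEM + (
    "-----BEGIN EC PRIVATE KEY-----\nMAMCAQQ=\n-----END EC PRIVATE KEY-----\n")
# "MAUCAQQ=" claims a length of 5 but carries only 3 content bytes.
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAUCAQQ=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python3 pemcheck.py /etc/strongswan/swanctl/x509/*.pem
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            problems = check_cert_file(fh.read())
        print(f"{path}: {'ok' if not problems else 'problems found'}")
        for p in problems:
            print(f"  - {p}")
```

Run it over the x509 directory before restarting the service; a file that reports a private key block is the case from this thread, and a DER length mismatch points at a copy or transfer that damaged the base64 body rather than at the certificate's contents.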
Hello,
I have set up an environment based on this Usable Configuration scenario https://www.strongswan.org/testing/testresults/ikev2/rw-eap-aka-rsa/.
I have a cert for the root CA and a cert for the Responder stored in the /etc/strongswan/swanctl/x509ca and /etc/strongswan/swanctl/x509 directories respectively.
When I "systemctl start strongswan", it fails to start the service and I see the following errors in the log:
Mar 23 13:28:37 vpn02 charon-systemd[8423]: OpenSSL X.509 parsing failed
Mar 23 13:28:37 vpn02 charon-systemd[8423]: building CRED_CERTIFICATE - X509 failed, tried 5 builders
Mar 23 13:28:37 vpn02 swanctl[8442]: loading '/etc/strongswan/swanctl/x509/vpn02.pem' failed: parsing X509 certificate failed
Mar 23 13:28:37 vpn02 swanctl[8442]: loading connection 'vpnserver' failed: invalid value for: certs, config discarded
In searching the web, some articles talked about not loading the 'pem' plugin and some articles talk about the cert not having the right values. Log messages show the 'pem' plugin getting loaded. The interesting/confusing part is that the log messages also show the root CA cert being loaded successfully, but it fails to parse and load the Responder cert.
Here's the Responder cert in plain text. I'm asking the experts whether this cert is missing values that strongSwan expects, and why the parsing error occurs.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = ACME Corporation, OU = ACME Certification Authority, CN = ACME CA
        Validity
            Not Before: Mar 22 19:34:01 2023 GMT
            Not After : Mar 11 19:34:01 2025 GMT
        Subject: C = US, ST = Illinois, L = Springfield, O = ACME Corporation, OU = goldfish, CN = vpn02
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    <public_key_value>
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:<key_value>
            X509v3 Subject Alternative Name:
                DNS:vpn02, DNS:vpn02b, DNS:vpn02mgmt, IP Address:192.168.1.10, IP Address:10.10.10.15, IP Address:192.168.5.10
            Authority Information Access:
                OCSP - URI:http://<OCSP_URL>
            X509v3 Key Usage: critical
                Digital Signature, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: ecdsa-with-SHA384
Thanks in advance!
-SR