<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><span class="ipsecExample"><span class="ipsecExampleInput">After copying 00.pem and </span></span><span class="ipsecExample"><span class="ipsecExampleInput">01.pem</span></span> from the issuer to the host at /etc/ipsec.d/cacerts, the "issuer cacert not found" error is gone. However, the following error from the server log is still around:<br><br>Mar 16 10:17:47 host-lx pluto[30296]: "roadwarrior"[1] 192.168.50.2 #1: no RSA public key known for '192.168.50.2'<br><br>The server does not know the issuer key.<br><br>Cecolong<br><br>--- On <b>Tue, 3/16/10, goog long <i>&lt;cecolong@yahoo.com&gt;</i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: goog long &lt;cecolong@yahoo.com&gt;<br>Subject: Re: [Openswan Users] X.509 certificate rejected<br>To: "Paul Wouters" &lt;paul@xelerance.com&gt;<br>Cc:
users@openswan.org<br>Date: Tuesday, March 16, 2010, 6:44 AM<br><br><div id="yiv853071515"><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; font-size: inherit; line-height: inherit; font-size-adjust: inherit; font-stretch: inherit; -x-system-font: none;" valign="top">Here is the series of commands I used to generate the certificate. After each command, I list all existing files and directories. What missing files are you referring to?<br><br># /usr/lib/ssl/misc/CA.sh -newca<br>drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA<br><br># <span class="ipsecExample"><span class="ipsecExampleInput">openssl ca -gencrl -out crl.pem<br>-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem<br>drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA<br><br># /usr/lib/ssl/misc/CA.sh -newreq<br>-rw-r--r-- 1 root root 487 2010-03-16 09:35
crl.pem<br>drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA<br>-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem<br>-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem<br><br># </span></span><span class="ipsecExample"><span class="ipsecExampleInput">/usr/lib/ssl/misc/CA.sh
-sign<br>-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem<br>drwxr-xr-x 6 root root 4096 2010-03-16 09:39 demoCA<br>-rw-r--r-- 1 root root 3244 2010-03-16 09:39 newcert.pem<br>-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem<br>-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem<br><br># find </span></span><span class="ipsecExample"><span class="ipsecExampleInput">demoCA -name \*.pem<br>demoCA/private/cakey.pem<br>demoCA/careq.pem<br>demoCA/cacert.pem<br>demoCA/newcerts/00.pem<br>demoCA/newcerts/01.pem<br><br><br></span></span><br><br>--- On <b>Mon, 3/15/10, Paul Wouters <i>&lt;paul@xelerance.com&gt;</i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Paul Wouters &lt;paul@xelerance.com&gt;<br>Subject: Re: [Openswan Users] X.509 certificate rejected<br>To: "goog long"
&lt;cecolong@yahoo.com&gt;<br>Cc: users@openswan.org<br>Date: Monday, March 15, 2010, 10:26 PM<br><br><div class="plainMail">On Mon, 15 Mar 2010, goog long wrote:<br><br>> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found<br>> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected<br><br>Looks like the server has no CA installed that signed the host certificate of the road warrior.<br>(nor an intermediate CA)<br><br>> conn roadwarrior-net<br>> leftsubnet=192.168.50.0/255.255.255.0<br>> also=roadwarrior<br>> <br>> conn roadwarrior<br>> # left=%defaultroute<br>> left=192.168.50.2<br>> leftcert=clienthost.example.com.pem<br>> right=192.168.50.1<br>> rightsubnet=host.example.com.pem<br><br>That last line is wrong. subnet should not be a cert.<br><br>Paul<br></div></blockquote></td></tr></tbody></table><br>
</div><br><br><div class="plainMail">_______________________________________________<br><a href="mailto:Users@openswan.org">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>Building and Integrating Virtual Private Networks with Openswan: <br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br></div></blockquote></td></tr></table><br>