[Openswan Users] no RSA public key known for 'C=..., O=..., CN=...'

Graham Leggett minfrin at sharp.fm
Mon Jun 28 14:19:00 CEST 2004


Tuomo Soini wrote:

> Exactly what it does say. It can't match any connection entry with your
> RSA public key because you had a wrong id string.

This is the part I don't understand. I've already tried to specify the 
id string as the DN of the certificate using rightid on both sides, 
which I cut and pasted from the freeswan log files.

If the id string is wrong, I have no idea what it should be apart from 
the DN of the certificate, cut and pasted from the DN reported in the 
freeswan logs of what arrived in the cert. What else could rightid be 
set to?

Unfortunately there is no error message that says "You have specified a 
DN of XXX, but the DN that arrived was YYY". Is there a way of getting 
freeswan to log its attempts to match connections (as in "Trying to 
match against XXX, but it doesn't match for reason YYY") without spewing 
MBs of information? There seem to be debug levels of "none" or "all", 
but nothing in between (according to the docs in the default config file).

> | So in other words, it should have this:
> |
> | rightid="C=ZA..."
> | rightca=%same
> 
> rightca=%same
> 
> or
> 
> leftca=%same
> 
> specify that the certificate on the other end needs to be signed by the same CA.
> 
> If the remote end has a certificate signed by a different CA you can give
> rightca="C=ZA,.." and have that certificate in your certificate storage,
> of course. But this way you can limit it so that the remote end needs to have
> a certificate signed by this exact CA.

The trouble is _not_ specifying rightid does not work, because the one 
end is a roadwarrior, so freeswan complains about the IP address not 
matching the certificate. To fix this, the DN of the certificate is 
included inside rightid. The value of DN is cut and pasted from the 
freeswan logfiles of the cert presented by the other side.

This then causes the error message that no RSA public key can be found, 
with no clues on why it could not be found :(

Any further clues?

Regards,
Graham
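The message Graham wishes the daemon would print ("You have specified a DN of XXX, but the DN that arrived was YYY") can be approximated offline. The following Python script is an added example written for this archive page; it is not code from the thread, from FreeS/WAN or from Openswan. It parses the DN string configured in rightid and the DN string copied from the log, and reports the first RDN that differs, so a whitespace, ordering or value difference that is invisible to the eye shows up. The DN values in it are constructed placeholders. Attribute types are compared case-insensitively and values exactly, which is an assumption made here so that any case difference is reported rather than silently accepted.

```python
import re
from typing import List, Tuple

# Constructed sample values (not from the thread): the string as typed into
# rightid in ipsec.conf, and the subject DN as copied from a log line.
CONFIGURED_RIGHTID = 'C=ZA, O=Example Org, CN=roadwarrior.example.org'
DN_FROM_LOG = 'C=ZA, O=Example Org, CN=roadwarrior.example.org'


def split_rdns(dn: str) -> List[str]:
    """Split a DN string into its RDN components.

    Accepts the comma-separated form used for ids ("C=ZA, O=..., CN=...")
    and the slash-separated form printed by older openssl tools
    ("/C=ZA/O=.../CN=..."). A comma preceded by a backslash is part of a
    value, not a separator.
    """
    dn = dn.strip()
    if dn.startswith('/'):
        return [part for part in dn[1:].split('/') if part]
    return re.split(r'(?<!\\),', dn)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (attribute type, value) pairs.

    Attribute types are upper-cased and surrounding whitespace is dropped,
    since "cn=foo" and " CN=foo" denote the same attribute. Escaped commas
    in values are unescaped so they compare equal across notations.
    """
    rdns = []
    for part in split_rdns(dn):
        if '=' not in part:
            raise ValueError(f'RDN without "=": {part!r}')
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def compare_dns(configured: str, presented: str) -> List[str]:
    """Compare the configured id against the DN presented in the certificate.

    Returns a list of human-readable mismatches; an empty list means the two
    strings denote the same sequence of RDNs. Order matters: X.509 DNs are
    ordered sequences, so "O=X, C=ZA" is not the same subject as "C=ZA, O=X".
    """
    a, b = parse_dn(configured), parse_dn(presented)
    problems = []
    if len(a) != len(b):
        problems.append(
            f'attribute count differs: configured {len(a)}, presented {len(b)}')
    for i, ((ta, va), (tb, vb)) in enumerate(zip(a, b)):
        if ta != tb:
            problems.append(f'RDN {i}: type {ta} vs {tb}')
        elif va != vb:
            problems.append(
                f'RDN {i} ({ta}): configured {va!r}, presented {vb!r}')
    return problems


if __name__ == '__main__':
    mismatches = compare_dns(CONFIGURED_RIGHTID, DN_FROM_LOG)
    if mismatches:
        print('rightid does not match the presented DN:')
        for line in mismatches:
            print('  ' + line)
    else:
        print('rightid matches the presented DN')
```

Run it with the two strings pasted into CONFIGURED_RIGHTID and DN_FROM_LOG; a non-empty report pinpoints the RDN to look at, and an empty report means the id string itself is not the reason the connection failed to match.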