[Openswan Users] X.509 certificate rejected
goog long
cecolong at yahoo.com
Tue Mar 16 10:21:21 EDT 2010
After copying 00.pem and 01.pem from the issuer to the host at /etc/ipsec.d/cacerts, the "issuer cacert not found" error is gone. However, the following error from the server log is still around:
Mar 16 10:17:47 host-lx pluto[30296]: "roadwarrior"[1] 192.168.50.2 #1: no RSA public key known for '192.168.50.2'
The server does not know the issuer key.
Cecolong
--- On Tue, 3/16/10, goog long <cecolong at yahoo.com> wrote:
From: goog long <cecolong at yahoo.com>
Subject: Re: [Openswan Users] X.509 certificate rejected
To: "Paul Wouters" <paul at xelerance.com>
Cc: users at openswan.org
Date: Tuesday, March 16, 2010, 6:44 AM
Here is a series of commands I used to generate the certificate. After each command, I list all existing files and directories. What missing files are you referring to?
# /usr/lib/ssl/misc/CA.sh -newca
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
# openssl ca -gencrl -out crl.pem
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
# /usr/lib/ssl/misc/CA.sh -newreq
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem
# /usr/lib/ssl/misc/CA.sh -sign
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:39 demoCA
-rw-r--r-- 1 root root 3244 2010-03-16 09:39 newcert.pem
-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem
# find demoCA -name \*.pem
demoCA/private/cakey.pem
demoCA/careq.pem
demoCA/cacert.pem
demoCA/newcerts/00.pem
demoCA/newcerts/01.pem
--- On Mon, 3/15/10, Paul Wouters <paul at xelerance.com> wrote:
From: Paul Wouters <paul at xelerance.com>
Subject: Re: [Openswan Users] X.509 certificate rejected
To: "goog long" <cecolong at yahoo.com>
Cc: users at openswan.org
Date: Monday, March 15, 2010, 10:26 PM
On Mon, 15 Mar 2010, goog long wrote:
> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found
> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected
Looks like the server has no CA installed that signed the host certificate of the road warrior.
(nor an intermediate CA)
> conn roadwarrior-net
> leftsubnet=192.168.50.0/255.255.255.0
> also=roadwarrior
>
> conn roadwarrior
> # left=%defaultroute
> left=192.168.50.2
> leftcert=clienthost.example.com.pem
> right=192.168.50.1
> rightsubnet=host.example.com.pem
That last line is wrong. A subnet should not be a cert.
Paul
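As an added illustration of the misconfiguration Paul points out (this is example code, not from the thread or from Openswan), the following Python lint parses ipsec.conf conn sections, resolves also= inheritance, and rejects any leftsubnet/rightsubnet value that does not parse as a network. The sample configuration is constructed from the conn lines quoted above.

```python
import ipaddress
import re

# Constructed sample: the conn sections quoted in the thread, rightsubnet bug included.
SAMPLE_CONF = """\
conn roadwarrior-net
    leftsubnet=192.168.50.0/255.255.255.0
    also=roadwarrior

conn roadwarrior
    # left=%defaultroute
    left=192.168.50.2
    leftcert=clienthost.example.com.pem
    right=192.168.50.1
    rightsubnet=host.example.com.pem
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"conn\s+(\S+)$", line)
        if match:
            current = conns.setdefault(match.group(1), {})
        elif line and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns

def resolve(conns, name, seen=()):
    """Merge settings pulled in through also=; the referencing conn's own keys win."""
    own, target = conns[name], conns[name].get("also")
    merged = resolve(conns, target, seen + (name,)) if target in conns and target not in seen else {}
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def lint_conns(conns):
    """Flag every leftsubnet/rightsubnet (after also= resolution) that is not a network."""
    problems = []
    for name in conns:
        cfg = resolve(conns, name)
        for key in ("leftsubnet", "rightsubnet"):
            if key in cfg:
                try:  # accepts both a.b.c.d/prefix and a.b.c.d/netmask forms
                    ipaddress.ip_network(cfg[key], strict=False)
                except ValueError:
                    problems.append(f"{name}: {key}={cfg[key]} is not a subnet")
    return problems
```

Running lint_conns(parse_conns(SAMPLE_CONF)) reports the bad rightsubnet for both conns, since roadwarrior-net inherits it through also=roadwarrior.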