[Openswan Users] X.509 certificate rejected

goog long cecolong at yahoo.com
Tue Mar 16 10:21:21 EDT 2010


After copying 00.pem and 01.pem from the issuer to the host at /etc/ipsec.d/cacerts, "issuer cacert not found" error is gone. However, the following error from server log is still around:

Mar 16 10:17:47 host-lx pluto[30296]: "roadwarrior"[1] 192.168.50.2 #1: no RSA public key known for '192.168.50.2'

The server does not know the issuer key.

Cecolong

--- On Tue, 3/16/10, goog long <cecolong at yahoo.com> wrote:

From: goog long <cecolong at yahoo.com>
Subject: Re: [Openswan Users] X.509 certificate rejected
To: "Paul Wouters" <paul at xelerance.com>
Cc: users at openswan.org
Date: Tuesday, March 16, 2010, 6:44 AM

Here is the series of commands I used to generate the certificate. After each command, I list all existing files and directories. What missing files are you referring to?

# /usr/lib/ssl/misc/CA.sh -newca
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA

# openssl ca -gencrl -out crl.pem
-rw-r--r-- 1 root root  487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA

# /usr/lib/ssl/misc/CA.sh -newreq
-rw-r--r-- 1 root root  487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
-rw-r--r-- 1 root root  963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root  737 2010-03-16 09:38 newreq.pem

# /usr/lib/ssl/misc/CA.sh -sign
-rw-r--r-- 1 root root  487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:39 demoCA
-rw-r--r-- 1 root root 3244 2010-03-16 09:39 newcert.pem
-rw-r--r-- 1 root root  963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root  737 2010-03-16 09:38 newreq.pem

# find demoCA -name \*.pem
demoCA/private/cakey.pem
demoCA/careq.pem
demoCA/cacert.pem
demoCA/newcerts/00.pem
demoCA/newcerts/01.pem
--- On Mon, 3/15/10, Paul Wouters <paul at xelerance.com> wrote:

From: Paul Wouters <paul at xelerance.com>
Subject: Re: [Openswan Users] X.509 certificate rejected
To: "goog long" <cecolong at yahoo.com>
Cc: users at openswan.org
Date: Monday, March 15, 2010, 10:26 PM

On Mon, 15 Mar 2010, goog long wrote:

> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found
> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected

Looks like the server has no CA installed that signed the host certificate of the road warrior.
(nor an intermediate CA)

> conn roadwarrior-net
> leftsubnet=192.168.50.0/255.255.255.0
> also=roadwarrior
> 
> conn roadwarrior
> # left=%defaultroute
> left=192.168.50.2
> leftcert=clienthost.example.com.pem
> right=192.168.50.1
> rightsubnet=host.example.com.pem

That last line is wrong. subnet should not be a cert.

Paul



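The CA.sh wrapper hides the openssl commands it runs, and the thread never shows the two checks that map onto the pluto errors above. The script below is an added example, not code from the thread or from Openswan: it builds a throwaway CA and a host certificate with plain openssl (the same three steps CA.sh -newca, -newreq and -sign perform), then verifies the host certificate against the CA file (the check that fails when pluto reports "issuer cacert not found"), confirms the private key belongs to the certificate, and prints the subject DN that pluto will use as the peer's ID. The directory layout under $WORK, the subject names and the file names are assumptions for the example; on a real Openswan host the files go under /etc/ipsec.d/cacerts, /etc/ipsec.d/certs and /etc/ipsec.d/private.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): build a CA and a host cert with
# openssl, then run the checks a practitioner wants before pointing pluto at them.
# $WORK, the DNs and the file names are assumptions for this example.

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  mkdir -p "$WORK/cacerts" "$WORK/certs" "$WORK/private"

  # Step 1 (CA.sh -newca): CA key plus self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=US/O=Example/CN=Example CA" \
    -keyout "$WORK/private/cakey.pem" \
    -out "$WORK/cacerts/cacert.pem" 2>/dev/null

  # Step 2 (CA.sh -newreq): host key plus certificate signing request.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example/CN=clienthost.example.com" \
    -keyout "$WORK/private/clienthost.example.com.key" \
    -out "$WORK/clienthost.example.com.csr" 2>/dev/null

  # Step 3 (CA.sh -sign): sign the request with the CA key.
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/clienthost.example.com.csr" \
    -CA "$WORK/cacerts/cacert.pem" -CAkey "$WORK/private/cakey.pem" \
    -CAcreateserial \
    -out "$WORK/certs/clienthost.example.com.pem" 2>/dev/null
}

# Returns 0 if the CA file in $1 verifies the host certificate in $2.
# This is what the peer's pluto must be able to do with the contents of
# /etc/ipsec.d/cacerts; if it cannot, the certificate is rejected.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if the private key in $1 matches the certificate in $2
# (same RSA modulus), so the leftcert/ipsec.secrets pair is consistent.
key_matches_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Prints the subject DN of the certificate in $1. Compare it with the ID
# pluto logs for the peer; the default ID is the certificate's subject DN.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

if [ "${1:-}" = "run" ]; then
  make_pki
  verify_chain "$WORK/cacerts/cacert.pem" "$WORK/certs/clienthost.example.com.pem" \
    && echo "chain OK" || echo "chain FAILED: CA missing or wrong"
  key_matches_cert "$WORK/private/clienthost.example.com.key" \
    "$WORK/certs/clienthost.example.com.pem" \
    && echo "key matches cert" || echo "key does NOT match cert"
  echo "peer ID: $(cert_subject "$WORK/certs/clienthost.example.com.pem")"
fi
```

Run it as `sh pki-check.sh run`. Copy only cacert.pem to the other side's cacerts directory; the CA key and the host key never leave the machine they were generated on. The verify step is deliberately run against the CA file alone, which is exactly the position the server is in when it sees the road warrior's certificate for the first time.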