
Issue #1408

Multiple self-signed root ca problem for iOS and Mac OS X

Added by Pavel Kopchyk over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.4.0
Resolution:
No change required

Description

Hi all,

I use two self-signed CAs:
for standard connections (site-to-site)

"O=Example AG, CN=VPN CA" 

for the roadwarrior users
"O=Example AG, CN=Public VPN CA" 

I use this https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) and am trying to set up (Authentication with RSA and XAuth - con ios)

When I try to connect (server logs)

...
Apr 14 22:05:23 host charon: 07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 14 22:05:23 host charon: 07[IKE] remote host is behind NAT
Apr 14 22:05:23 host charon: 07[IKE] sending cert request for "O=Example AG, CN=Public VPN CA" 
Apr 14 22:05:23 host charon: 07[IKE] sending cert request for "O=Example AG, CN=VPN CA" 
Apr 14 22:05:23 host charon: 07[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
...
Apr 14 22:05:25 host charon: 09[ENC] invalid HASH_V1 payload length, decryption failed?
Apr 14 22:05:25 host charon: 09[ENC] could not decrypt payloads
Apr 14 22:05:25 host charon: 09[IKE] message parsing failed
Apr 14 22:05:25 host charon: 09[IKE] ignore malformed INFORMATIONAL request
Apr 14 22:05:25 host charon: 09[IKE] INFORMATIONAL_V1 request with message ID 2043445843 processing failed
...

On the client I get the message "could not validate server certificate" (I have installed both the client p12 and the CA ("O=Example AG, CN=Public VPN CA") certificate on the iOS device).
After lengthy attempts, I decided to install the second CA ("O=Example AG, CN=VPN CA") on the client as well, and then I was able to connect to the server(!).

Question: Why does strongSwan send a request for the CA (...cert request for "O=Example AG, CN=VPN CA") that is not related to the connection (server or client cert), and how can I fix it?

History

#1 Updated by Tobias Brunner over 5 years ago

  • Status changed from New to Feedback

Which CA signed the server certificate? If it's "O=Example AG, CN=VPN CA" then you obviously have to install that on the client, otherwise it won't trust the server certificate.

Why does strongSwan send a request for the CA (...cert request for "O=Example AG, CN=VPN CA") that is not related to the connection (server or client cert)

It sends a certificate request for all CAs that are installed unless you set rightca to the subject DN of the CA certificate that signed the client certificates (e.g. rightca="O=Example AG, CN=Public VPN CA"). I wouldn't expect a certificate request for an unknown CA to cause this, though (if it really does, send a bug report to Apple).
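The question Tobias keeps coming back to is which CA actually signed the server certificate, because that is the only CA the iOS device needs in order to trust host.example.com, and it is also the DN to put into leftca/rightca. The following is an added example, not code from this report or from the strongSwan project: it builds a throwaway PKI with the two CA names from the report (constructed material, nothing real), signs a server and a client certificate with "Public VPN CA" only, and then uses openssl to answer "which of my CA files verifies this certificate?" and to print the issuer in the exact "O=..., CN=..." notation strongSwan uses. It assumes openssl 1.1.1 or later on PATH and a POSIX shell; the file names and the 30-day validity are arbitrary.

```sh
#!/bin/sh
# Added example (not from the strongSwan issue or project). Constructs two
# self-signed CAs named like the ones in the report and checks which of
# them signed each end-entity certificate. All key material is throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Print a certificate's subject or issuer in strongSwan's "O=..., CN=..."
# notation: -nameopt oneline prints "O = X, CN = Y"; -space_eq drops the
# spaces around '='. The sed strips openssl's "subject="/"issuer=" prefix.
dn_of() {   # dn_of subject|issuer cert.pem
    openssl x509 -noout -"$1" -nameopt oneline,-space_eq -in "$2" \
        | sed 's/^[a-z]*= *//'
}

# Which of the given CA files verifies an end-entity certificate? Prints
# that CA's subject DN, i.e. the value for rightca=/leftca=, or "none".
signing_ca() {   # signing_ca cert.pem ca1.pem [ca2.pem ...]
    cert=$1; shift
    for ca in "$@"; do
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            dn_of subject "$ca"
            return 0
        fi
    done
    echo none
}

# --- constructed PKI (assumed names, throwaway keys) ---------------------
mkca() {     # mkca file-stem CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example AG/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
mkcert() {   # mkcert file-stem CN ca-stem
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example AG/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 30 -sha256 -out "$1.pem" 2>/dev/null
}
mkca vpnca "VPN CA"                      # site-to-site CA
mkca pubca "Public VPN CA"               # roadwarrior CA
mkcert server host.example.com pubca     # server cert, signed by Public VPN CA
mkcert client CLIENT_01 pubca            # roadwarrior cert, signed by Public VPN CA

# --- the check -----------------------------------------------------------
for c in server client; do
    printf '%s: issuer="%s" verified_by="%s"\n' "$c" \
        "$(dn_of issuer "$c.pem")" "$(signing_ca "$c.pem" vpnca.pem pubca.pem)"
done
# Both print verified_by="O=Example AG, CN=Public VPN CA": that is the only
# CA the client device needs, and the DN to pin the connection to with
#   leftca="O=Example AG, CN=Public VPN CA"
#   rightca=%same

# A device (or a verify run) that only trusts the site-to-site CA must
# reject host.example.com's certificate:
echo "server verified by VPN CA alone: $(signing_ca server.pem vpnca.pem)"   # -> none
```

Run it against the real files instead of the constructed ones by replacing the PKI section with the paths under /etc/ipsec.d/certs and /etc/ipsec.d/cacerts; if signing_ca for the server certificate prints "VPN CA", that is the CA the iOS device has to trust, regardless of which CA the client certificates came from.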

#2 Updated by Pavel Kopchyk over 5 years ago

Tobias Brunner wrote:

Which CA signed the server certificate? If it's "O=Example AG, CN=VPN CA" then you obviously have to install that on the client, otherwise it won't trust the server certificate.

As I wrote for the roadwarrior users I use "O=Example AG, CN=Public VPN CA"

Why does strongSwan send a request for the CA (...cert request for "O=Example AG, CN=VPN CA") that is not related to the connection (server or client cert)

It sends a certificate request for all CAs that are installed unless you set rightca to the subject DN of the CA certificate that signed the client certificates (e.g. rightca="O=Example AG, CN=Public VPN CA"). I wouldn't expect a certificate request for an unknown CA to cause this, though (if it really does, send a bug report to Apple).

I tested several variants:
---
left|rightca="O=Example AG, CN=Public VPN CA"
---
leftca="O=Example AG, CN=Public VPN CA"
rightca=%same
---
only rightca="O=Example AG, CN=Public VPN CA"
---
did not help

Client iOS 9.3.1 (native IPsec VPN via IKEv1)

Apr 15 03:54:29 host charon: 15[NET] received packet: from 198.51.100.3[500] to 203.0.113.4[500]
Apr 15 03:54:29 host charon: 15[NET] waiting for data on sockets
Apr 15 03:54:29 host charon: 13[NET] received packet: from 198.51.100.3[500] to 203.0.113.4[500] (848 bytes)
Apr 15 03:54:29 host charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 15 03:54:29 host charon: 13[CFG] looking for an ike config for 203.0.113.4...198.51.100.3
Apr 15 03:54:29 host charon: 13[CFG]   candidate: 203.0.113.4...%any, prio 1052
Apr 15 03:54:29 host charon: 13[CFG]   candidate: 203.0.113.4...%any, prio 1052
Apr 15 03:54:29 host charon: 13[CFG]   candidate: 203.0.113.4...%any, prio 1052
Apr 15 03:54:29 host charon: 13[CFG]   candidate: 203.0.113.4...%any, prio 1052
Apr 15 03:54:29 host charon: 13[CFG] found matching ike config: 203.0.113.4...%any with prio 1052
Apr 15 03:54:29 host charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received XAuth vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received Cisco Unity vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received FRAGMENTATION vendor ID
Apr 15 03:54:29 host charon: 13[IKE] received DPD vendor ID
Apr 15 03:54:29 host charon: 13[IKE] 198.51.100.3 is initiating a Main Mode IKE_SA
Apr 15 03:54:29 host charon: 13[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 15 03:54:29 host charon: 13[CFG] selecting proposal:
Apr 15 03:54:29 host charon: 13[CFG]   proposal matches
Apr 15 03:54:29 host charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 15 03:54:29 host charon: 13[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_8192/ECP_224/ECP_192/ECP_224_BP/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_1024/MODP_1024_160/NTRU_112, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_8192/ECP_224/ECP_192/ECP_224_BP/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_1024/MODP_1024_160/NTRU_112
Apr 15 03:54:29 host charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 15 03:54:29 host charon: 13[IKE] sending XAuth vendor ID
Apr 15 03:54:29 host charon: 13[IKE] sending DPD vendor ID
Apr 15 03:54:29 host charon: 13[IKE] sending Cisco Unity vendor ID
Apr 15 03:54:29 host charon: 13[IKE] sending FRAGMENTATION vendor ID
Apr 15 03:54:29 host charon: 13[IKE] sending NAT-T (RFC 3947) vendor ID
Apr 15 03:54:29 host charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Apr 15 03:54:29 host charon: 13[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500] (180 bytes)
Apr 15 03:54:29 host charon: 04[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500]
Apr 15 03:54:29 host charon: 15[NET] received packet: from 198.51.100.3[500] to 203.0.113.4[500]
Apr 15 03:54:29 host charon: 15[NET] waiting for data on sockets
Apr 15 03:54:29 host charon: 16[NET] received packet: from 198.51.100.3[500] to 203.0.113.4[500] (380 bytes)
Apr 15 03:54:29 host charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 15 03:54:30 host charon: 16[IKE] remote host is behind NAT
Apr 15 03:54:30 host charon: 16[IKE] sending cert request for "O=Example AG, CN=Public VPN CA" 
Apr 15 03:54:30 host charon: 16[IKE] sending cert request for "O=Example AG, CN=VPN CA" 
Apr 15 03:54:30 host charon: 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
Apr 15 03:54:30 host charon: 16[ENC] splitting IKE message with length of 569 bytes into 2 fragments
Apr 15 03:54:30 host charon: 16[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Apr 15 03:54:30 host charon: 16[ENC] generating ID_PROT response 0 [ FRAG(2/2) ]
Apr 15 03:54:30 host charon: 16[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500] (548 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500]
Apr 15 03:54:30 host charon: 16[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500] (93 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[500] to 198.51.100.3[500]
Apr 15 03:54:30 host charon: 15[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500]
Apr 15 03:54:30 host charon: 15[NET] waiting for data on sockets
Apr 15 03:54:30 host charon: 15[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500]
Apr 15 03:54:30 host charon: 15[NET] waiting for data on sockets
Apr 15 03:54:30 host charon: 10[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500] (1280 bytes)
Apr 15 03:54:30 host charon: 10[ENC] parsed ID_PROT request 0 [ FRAG(1) ]
Apr 15 03:54:30 host charon: 10[ENC] received fragment #1, waiting for complete IKE message
Apr 15 03:54:30 host charon: 02[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500] (340 bytes)
Apr 15 03:54:30 host charon: 02[ENC] parsed ID_PROT request 0 [ FRAG(2/2) ]
Apr 15 03:54:30 host charon: 02[ENC] received fragment #2, reassembling fragmented IKE message
Apr 15 03:54:30 host charon: 02[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500] (1548 bytes)
Apr 15 03:54:30 host charon: 02[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 15 03:54:30 host charon: 02[IKE] ignoring certificate request without data
Apr 15 03:54:30 host charon: 02[IKE] received end entity cert "O=Example AG, CN=CLIENT_01" 
Apr 15 03:54:30 host charon: 02[CFG] looking for XAuthInitRSA peer configs matching 203.0.113.4...198.51.100.3[O=Example AG, CN=CLIENT_01]
Apr 15 03:54:30 host charon: 02[CFG]   candidate "rw-ios", match: 1/1/1052 (me/other/ike)
Apr 15 03:54:30 host charon: 02[CFG]   candidate "rw-ios-test", match: 1/18/1052 (me/other/ike)
Apr 15 03:54:30 host charon: 02[CFG] selected peer config "rw-ios-test" 
Apr 15 03:54:30 host charon: 02[CFG]   using certificate "O=Example AG, CN=CLIENT_01" 
Apr 15 03:54:30 host charon: 02[CFG]   certificate "O=Example AG, CN=CLIENT_01" key: 2048 bit RSA
Apr 15 03:54:30 host charon: 02[CFG]   using trusted ca certificate "O=Example AG, CN=Public VPN CA" 
Apr 15 03:54:30 host charon: 02[CFG] checking certificate status of "O=Example AG, CN=CLIENT_01" 
Apr 15 03:54:30 host charon: 02[CFG] ocsp check skipped, no ocsp found
Apr 15 03:54:30 host charon: 02[CFG] certificate status is not available
Apr 15 03:54:30 host charon: 02[CFG]   certificate "O=Example AG, CN=Public VPN CA" key: 2048 bit RSA
Apr 15 03:54:30 host charon: 02[CFG]   reached self-signed root ca with a path length of 0
Apr 15 03:54:30 host charon: 02[IKE] authentication of 'O=Example AG, CN=CLIENT_01' with RSA_EMSA_PKCS1_NULL successful
Apr 15 03:54:30 host charon: 02[IKE] authentication of 'host.example.com' (myself) successful
Apr 15 03:54:30 host charon: 02[IKE] queueing XAUTH task
Apr 15 03:54:30 host charon: 02[IKE] sending end entity cert "O=Example AG, CN=host.example.com" 
Apr 15 03:54:30 host charon: 02[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 15 03:54:30 host charon: 02[ENC] splitting IKE message with length of 1404 bytes into 3 fragments
Apr 15 03:54:30 host charon: 02[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Apr 15 03:54:30 host charon: 02[ENC] generating ID_PROT response 0 [ FRAG(2) ]
Apr 15 03:54:30 host charon: 02[ENC] generating ID_PROT response 0 [ FRAG(3/3) ]
Apr 15 03:54:30 host charon: 02[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (544 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:30 host charon: 02[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (544 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:30 host charon: 02[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (424 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:30 host charon: 02[IKE] activating new tasks
Apr 15 03:54:30 host charon: 02[IKE]   activating XAUTH task
Apr 15 03:54:30 host charon: 02[ENC] generating TRANSACTION request 376921436 [ HASH CPRQ(X_USER X_PWD) ]
Apr 15 03:54:30 host charon: 02[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (92 bytes)
Apr 15 03:54:30 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:31 host charon: 15[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500]
Apr 15 03:54:31 host charon: 15[NET] waiting for data on sockets
Apr 15 03:54:31 host charon: 07[NET] received packet: from 198.51.100.3[4500] to 203.0.113.4[4500] (92 bytes)
Apr 15 03:54:31 host charon: 07[ENC] invalid HASH_V1 payload length, decryption failed?
Apr 15 03:54:31 host charon: 07[ENC] could not decrypt payloads
Apr 15 03:54:31 host charon: 07[IKE] message parsing failed
Apr 15 03:54:31 host charon: 07[IKE] ignore malformed INFORMATIONAL request
Apr 15 03:54:31 host charon: 07[IKE] INFORMATIONAL_V1 request with message ID 763862728 processing failed
Apr 15 03:54:34 host charon: 06[IKE] sending retransmit 1 of request message ID 376921436, seq 1
Apr 15 03:54:34 host charon: 06[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (92 bytes)
Apr 15 03:54:34 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:42 host charon: 13[IKE] sending retransmit 2 of request message ID 376921436, seq 1
Apr 15 03:54:42 host charon: 13[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (92 bytes)
Apr 15 03:54:42 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:55 host charon: 10[IKE] sending retransmit 3 of request message ID 376921436, seq 1
Apr 15 03:54:55 host charon: 10[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500] (92 bytes)
Apr 15 03:54:55 host charon: 04[NET] sending packet: from 203.0.113.4[4500] to 198.51.100.3[4500]
Apr 15 03:54:59 host charon: 14[JOB] deleting half open IKE_SA after timeout
Apr 15 03:54:59 host charon: 14[IKE] IKE_SA rw-ios-test[2] state change: CONNECTING => DESTROYING
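The log above already answers part of the question: charon sent a CERTREQ for both installed CAs, then verified CLIENT_01 under "Public VPN CA" only, then sent host.example.com's certificate, after which the client's next message could not be decrypted. The following is an added example, not part of the report: a small shell triage that pulls those facts out of charon log lines, lists the CAs that were requested but never used for peer verification (the ones a rightca= constraint would drop from the CERTREQ), and prints the matching ipsec.conf line. The input is a constructed excerpt of the lines quoted in this comment; it assumes only grep and sed.

```sh
#!/bin/sh
# Added example (not from the strongSwan issue or project): triage of
# charon log lines for CERTREQ vs. the CA actually used for verification.
set -eu

# Constructed input: lines excerpted from the charon log quoted above.
LOG=$(cat <<'EOF'
Apr 15 03:54:30 host charon: 16[IKE] sending cert request for "O=Example AG, CN=Public VPN CA"
Apr 15 03:54:30 host charon: 16[IKE] sending cert request for "O=Example AG, CN=VPN CA"
Apr 15 03:54:30 host charon: 02[IKE] received end entity cert "O=Example AG, CN=CLIENT_01"
Apr 15 03:54:30 host charon: 02[CFG]   using trusted ca certificate "O=Example AG, CN=Public VPN CA"
Apr 15 03:54:30 host charon: 02[CFG]   reached self-signed root ca with a path length of 0
Apr 15 03:54:30 host charon: 02[IKE] sending end entity cert "O=Example AG, CN=host.example.com"
Apr 15 03:54:31 host charon: 07[ENC] invalid HASH_V1 payload length, decryption failed?
EOF
)

# Quoted DN from every line of $LOG containing a fixed string.
dns_for() {   # dns_for 'fixed string'
    printf '%s\n' "$LOG" | grep -F -- "$1" | sed 's/^[^"]*"\([^"]*\)".*$/\1/'
}

# CAs advertised in CERTREQ that the responder then did not use to verify
# the peer. charon requests every installed CA unless rightca is set, so
# these are exactly the entries a rightca= constraint would remove.
unused_certreq_cas() {
    used=$(dns_for 'using trusted ca certificate')
    dns_for 'sending cert request for' | while IFS= read -r ca; do
        printf '%s\n' "$used" | grep -qFx -- "$ca" || printf '%s\n' "$ca"
    done
}

# ipsec.conf constraint matching the CA that actually verified the peer.
suggest_rightca() {
    dns_for 'using trusted ca certificate' | sort -u | sed 's/.*/rightca="&"/'
}

echo "peer cert: $(dns_for 'received end entity cert')"        # O=Example AG, CN=CLIENT_01
echo "server cert sent: $(dns_for 'sending end entity cert')"  # O=Example AG, CN=host.example.com
echo "CERTREQ CAs not used for peer verification:"
unused_certreq_cas                                           # O=Example AG, CN=VPN CA
echo "suggested constraint:"
suggest_rightca                                              # rightca="O=Example AG, CN=Public VPN CA"
```

On a live system, replace the heredoc with `LOG=$(grep charon /var/log/syslog)` or the journal equivalent. Note what this does not tell you: the "could not decrypt payloads" line only shows that the server could not read the client's follow-up message; whether the device rejected host.example.com's certificate is visible on the client side, not in this log.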

#3 Updated by Tobias Brunner over 5 years ago

Which CA signed the server certificate? If it's "O=Example AG, CN=VPN CA" then you obviously have to install that on the client, otherwise it won't trust the server certificate.

As I wrote for the roadwarrior users I use "O=Example AG, CN=Public VPN CA"

For the users, yes. But what about the server certificate (i.e. the one for host.example.com)?

#4 Updated by Pavel Kopchyk over 5 years ago

I apologize for the confusion.
I mean that I use "O=Example AG, CN=Public VPN CA" to sign the roadwarrior users' certificates and the server certificate (host.example.com).

#5 Updated by Tobias Brunner over 5 years ago

I mean that I use "O=Example AG, CN=Public VPN CA" to sign the roadwarrior users certificates and server certificate (host.example.com).

Can you please post your certificates so we can confirm that?

#6 Updated by Pavel Kopchyk over 5 years ago

Please close this issue. Apparently there is some strange misconfiguration.
I was unable to reproduce the error on the test system.

Thank you Tobias!

#7 Updated by Tobias Brunner over 5 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

You're welcome.
