Issue #2106
no issuer certificate found
Description
Hi,
I'm trying to connect but I get the following errors on the client side:
no issuer certificate found for "CN=vpn.domain.com"
no trusted RSA public key found for 'vpn.domain.com'
Can anyone please help me out?
Linux strongSwan U5.2.1/K3.16.7-ckt25
my server config:
include /var/lib/strongswan/ipsec.conf.inc

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s
    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    leftcert=vpn.domain.com.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    # right - remote (client) side
    eap_identity=%identity
    rightsourceip=10.1.2.0/24
    rightdns=8.8.8.8

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=vpn.bjx.be
    leftauth=pubkey
client config:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn hub
    right=vpn.daomin.com
    rightid=@vpn.domain.com
    leftsourceip=%config
    leftauth=eap
    eap_identity=username
    auto=add
History
#1 Updated by Noel Kuntze about 9 years ago
Without logs, we can only guess.
- missing CA certificates on the client
- Invalid identity configured on the server.
- the server certificate does not authenticate it for use with the identity "CN=vpn.domain.com"
Provide full logs, then we can help further.
#2 Updated by Benjamin Jacobs about 9 years ago
of course, what was I thinking :)
Side note: this config allows me to make connections using my iOS devices; now I'm trying to connect a Linux client ...
client log:

Sep 8 13:51:28 debian charon: 06[CFG] received stroke: initiate 'hub'
Sep 8 13:51:28 debian charon: 16[IKE] initiating IKE_SA hub[1] to x.x.x.250
Sep 8 13:51:28 debian charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 8 13:51:28 debian charon: 16[NET] sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1108 bytes)
Sep 8 13:51:29 debian charon: 04[NET] received packet: from x.x.x.250[500] to 192.168.77.94[500] (38 bytes)
Sep 8 13:51:29 debian charon: 04[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 8 13:51:29 debian charon: 04[IKE] peer didn't accept DH group MODP_2048, it requested MODP_3072
Sep 8 13:51:29 debian charon: 04[IKE] initiating IKE_SA hub[1] to x.x.x.250
Sep 8 13:51:29 debian charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 8 13:51:29 debian charon: 04[NET] sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1236 bytes)
Sep 8 13:51:29 debian charon: 02[NET] received packet: from x.x.x.250[500] to 192.168.77.94[500] (568 bytes)
Sep 8 13:51:29 debian charon: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 8 13:51:29 debian charon: 02[IKE] local host is behind NAT, sending keep alives
Sep 8 13:51:29 debian charon: 02[CFG] no IDi configured, fall back on IP address
Sep 8 13:51:29 debian charon: 02[IKE] establishing CHILD_SA hub
Sep 8 13:51:29 debian charon: 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 8 13:51:29 debian charon: 02[NET] sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (384 bytes)
Sep 8 13:51:29 debian charon: 01[NET] received packet: from x.x.x.250[4500] to 192.168.77.94[4500] (1648 bytes)
Sep 8 13:51:29 debian charon: 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 8 13:51:29 debian charon: 01[IKE] received end entity cert "CN=vpn.domain.com"
Sep 8 13:51:29 debian charon: 01[CFG] using certificate "CN=vpn.domain.com"
Sep 8 13:51:29 debian charon: 01[CFG] no issuer certificate found for "CN=vpn.domain.com"
Sep 8 13:51:29 debian charon: 01[IKE] no trusted RSA public key found for 'vpn.domain.com'
Sep 8 13:51:29 debian charon: 01[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 8 13:51:29 debian charon: 01[NET] sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (80 bytes)

server log:

Sep 8 13:52:24 box charon: 12[NET] received packet: from x.x.x.44[500] to x.x.x.250[500] (1108 bytes)
Sep 8 13:52:24 box charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 8 13:52:24 box charon: 12[IKE] x.x.x.44 is initiating an IKE_SA
Sep 8 13:52:24 box charon: 12[IKE] remote host is behind NAT
Sep 8 13:52:24 box charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_3072
Sep 8 13:52:24 box charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 8 13:52:24 box charon: 12[NET] sending packet: from x.x.x.250[500] to x.x.x.44[500] (38 bytes)
Sep 8 13:52:25 box charon: 11[NET] received packet: from x.x.x.44[500] to x.x.x.250[500] (1236 bytes)
Sep 8 13:52:25 box charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 8 13:52:25 box charon: 11[IKE] x.x.x.44 is initiating an IKE_SA
Sep 8 13:52:25 box charon: 11[IKE] remote host is behind NAT
Sep 8 13:52:25 box charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 8 13:52:25 box charon: 11[NET] sending packet: from x.x.x.250[500] to x.x.x.44[500] (568 bytes)
Sep 8 13:52:25 box charon: 13[NET] received packet: from x.x.x.44[4500] to x.x.x.250[4500] (384 bytes)
Sep 8 13:52:25 box charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 8 13:52:25 box charon: 13[CFG] looking for peer configs matching x.x.x.250[vpn.domain.com]...x.x.x.44[192.168.77.94]
Sep 8 13:52:25 box charon: 13[CFG] selected peer config 'ikev2-mschapv2-apple'
Sep 8 13:52:25 box charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 8 13:52:25 box charon: 13[IKE] peer supports MOBIKE
Sep 8 13:52:25 box charon: 13[IKE] authentication of 'vpn.domain.com' (myself) with RSA signature successful
Sep 8 13:52:25 box charon: 13[IKE] sending end entity cert "CN=vpn.domain.com"
Sep 8 13:52:25 box charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 8 13:52:25 box charon: 13[NET] sending packet: from x.x.x.250[4500] to x.x.x.44[4500] (1648 bytes)
Sep 8 13:52:25 box charon: 14[NET] received packet: from x.x.x.44[4500] to x.x.x.250[4500] (80 bytes)
Sep 8 13:52:25 box charon: 14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 8 13:52:25 box charon: 14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Sep 8 13:52:25 box charon: 14[NET] sending packet: from x.x.x.250[4500] to x.x.x.44[4500] (80 bytes)
#3 Updated by Noel Kuntze about 9 years ago
Looks like the server does not have the certificate chain from its certificate to the self signed root certificate. The full certificate chain is required for the server to authenticate itself. The client also requires at least the root certificate that the server's chain starts with, as well as the full chain of its own certificate.
#4 Updated by Benjamin Jacobs about 9 years ago
Noel Kuntze wrote:
Looks like the server does not have the certificate chain from its certificate to the self signed root certificate. The full certificate chain is required for the server to authenticate itself. The client also requires at least the root certificate that the server's chain starts with, as well as the full chain of its own certificate.
This is not a self-signed certificate, it is a certbot certificate (Let's Encrypt CA) ... I tried replacing the certificate with the fullchain certificate, but still no success ...
#5 Updated by Noel Kuntze about 9 years ago
charon only reads the first certificate in a file. You need to put each individual CA certificate into a separate file in /etc/ipsec.d/cacerts.
#6 Updated by Benjamin Jacobs about 9 years ago
on both client and server, or only server ?
#7 Updated by Benjamin Jacobs about 9 years ago
ok, added all cacerts on the server, now I'm getting on the client:
initiating IKE_SA hub[11] to x.x.x.250
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1108 bytes)
received packet: from x.x.x.250[500] to 192.168.77.94[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_3072
initiating IKE_SA hub[11] to x.x.x.250
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1236 bytes)
received packet: from x.x.x.250[500] to 192.168.77.94[500] (693 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received 6 cert requests for an unknown ca
no IDi configured, fall back on IP address
establishing CHILD_SA hub
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (384 bytes)
received packet: from x.x.x.250[4500] to 192.168.77.94[4500] (2816 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=vpn.domain.com"
received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
using certificate "CN=vpn.domain.com"
using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
checking certificate status of "CN=vpn.domain.com"
requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org/' ...
unable to fetch from http://ocsp.int-x3.letsencrypt.org/, no capable fetcher found
ocsp request to http://ocsp.int-x3.letsencrypt.org/ failed
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no trusted RSA public key found for 'vpn.domain.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (80 bytes)
establishing connection 'hub' failed
#8 Updated by Benjamin Jacobs about 9 years ago
OK, needed the curl plugin, now I get:
initiating IKE_SA hub[1] to x.x.x.250
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1420 bytes)
received packet: from x.x.x.250[500] to 192.168.77.94[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_3072
initiating IKE_SA hub[1] to x.x.x.250
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.77.94[500] to x.x.x.250[500] (1548 bytes)
received packet: from x.x.x.250[500] to 192.168.77.94[500] (693 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received 6 cert requests for an unknown ca
no IDi configured, fall back on IP address
establishing CHILD_SA hub
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (384 bytes)
received packet: from x.x.x.250[4500] to 192.168.77.94[4500] (2816 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=vpn.domain.com"
received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
using certificate "CN=vpn.domain.com"
using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
checking certificate status of "CN=vpn.domain.com"
requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org/' ...
ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
ocsp response is valid: until Sep 14 15:00:00 2016
certificate status is good
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no trusted RSA public key found for 'vpn.domain.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.77.94[4500] to x.x.x.250[4500] (80 bytes)
establishing connection 'hub' failed
#9 Updated by Noel Kuntze about 9 years ago
You're still lacking a CA certificate:
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
#10 Updated by Benjamin Jacobs about 9 years ago
hmmm, I put all cacerts in there, and ipsec listcacerts shows:
ipsec listcacerts

List of X.509 CA Certificates

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  issuer:   "O=Digital Signature Trust Co., CN=DST Root CA X3"
  validity:  not before Mar 17 17:40:46 2016, ok
             not after  Mar 17 17:40:46 2021, ok (expires in 1651 days)
  serial:    0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
  flags:     CA CRLSign
  CRL URIs:  http://crl.identrust.com/DSTROOTCAX3CRL.crl
  OCSP URIs: http://isrg.trustid.ocsp.identrust.com
  pathlen:   0
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: c4:a7:b1:a4:7b:2c:71:fa:db:e1:4b:90:75:ff:c4:15:60:85:89:10
  subjkeyId: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1
  pubkey:    RSA 2048 bits
  keyid:     da:9b:52:a8:77:11:69:d3:13:18:a5:67:e1:dc:9b:1f:44:b5:b3:5c
  subjkey:   a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4"
  issuer:   "O=Digital Signature Trust Co., CN=DST Root CA X3"
  validity:  not before Mar 17 17:41:02 2016, ok
             not after  Mar 17 17:41:02 2021, ok (expires in 1651 days)
  serial:    0a:01:41:42:00:00:01:53:85:73:a6:cb:11:e3:1f:8b
  flags:     CA CRLSign
  CRL URIs:  http://crl.identrust.com/DSTROOTCAX3CRL.crl
  OCSP URIs: http://isrg.trustid.ocsp.identrust.com
  pathlen:   0
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: c4:a7:b1:a4:7b:2c:71:fa:db:e1:4b:90:75:ff:c4:15:60:85:89:10
  subjkeyId: c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25
  pubkey:    RSA 2048 bits
  keyid:     87:25:82:70:0c:f9:24:3a:80:5e:b3:51:8c:27:54:cd:6e:9f:f0:77
  subjkey:   c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1"
  issuer:   "O=Digital Signature Trust Co., CN=DST Root CA X3"
  validity:  not before Oct 20 00:33:36 2015, ok
             not after  Oct 20 00:33:36 2020, ok (expires in 1502 days)
  serial:    98:13:f4:75:13:e5:75:0b:43:e7:43:1e:97:1e:44:bd
  flags:     CA CRLSign
  CRL URIs:  http://crl.identrust.com/DSTROOTCAX3CRL.crl
  OCSP URIs: http://isrg.trustid.ocsp.identrust.com
  pathlen:   0
  excluded nameConstraints: .mil
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: c4:a7:b1:a4:7b:2c:71:fa:db:e1:4b:90:75:ff:c4:15:60:85:89:10
  subjkeyId: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1
  pubkey:    RSA 2048 bits
  keyid:     da:9b:52:a8:77:11:69:d3:13:18:a5:67:e1:dc:9b:1f:44:b5:b3:5c
  subjkey:   a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X2"
  issuer:   "O=Digital Signature Trust Co., CN=DST Root CA X3"
  validity:  not before Oct 20 00:35:01 2015, ok
             not after  Oct 20 00:35:01 2020, ok (expires in 1502 days)
  serial:    c3:83:4c:98:c0:bd:6b:25:2c:a3:79:b6:6f:a5:2b:0e
  flags:     CA CRLSign
  CRL URIs:  http://crl.identrust.com/DSTROOTCAX3CRL.crl
  OCSP URIs: http://isrg.trustid.ocsp.identrust.com
  pathlen:   0
  excluded nameConstraints: .mil
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: c4:a7:b1:a4:7b:2c:71:fa:db:e1:4b:90:75:ff:c4:15:60:85:89:10
  subjkeyId: c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25
  pubkey:    RSA 2048 bits
  keyid:     87:25:82:70:0c:f9:24:3a:80:5e:b3:51:8c:27:54:cd:6e:9f:f0:77
  subjkey:   c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1"
  issuer:   "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
  validity:  not before Jun 04 14:00:20 2015, ok
             not after  Jun 04 14:00:20 2020, ok (expires in 1364 days)
  serial:    e7:93:90:be:92:07:03:49:18:5f:79:75:81:e5:ca:83
  flags:     CA CRLSign
  CRL URIs:  http://crl.root-x1.letsencrypt.org
  OCSP URIs: http://ocsp.root-x1.letsencrypt.org/
  pathlen:   0
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: 79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e
  subjkeyId: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1
  pubkey:    RSA 2048 bits
  keyid:     da:9b:52:a8:77:11:69:d3:13:18:a5:67:e1:dc:9b:1f:44:b5:b3:5c
  subjkey:   a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1

  subject:  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X2"
  issuer:   "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
  validity:  not before Jun 04 14:00:31 2015, ok
             not after  Jun 04 14:00:31 2020, ok (expires in 1364 days)
  serial:    96:36:4c:a7:38:0b:e4:8b:dc:90:c6:cd:e0:b7:de:68
  flags:     CA CRLSign
  CRL URIs:  http://crl.root-x1.letsencrypt.org
  OCSP URIs: http://ocsp.root-x1.letsencrypt.org/
  pathlen:   0
  certificatePolicies: 2.23.140.1.2.1
                       1.3.6.1.4.1.44947.1.1.1
                       CPS: http://cps.root-x1.letsencrypt.org
  authkeyId: 79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e
  subjkeyId: c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25
  pubkey:    RSA 2048 bits
  keyid:     87:25:82:70:0c:f9:24:3a:80:5e:b3:51:8c:27:54:cd:6e:9f:f0:77
  subjkey:   c5:b1:ab:4e:4c:b1:cd:64:30:93:7e:c1:84:99:05:ab:e6:03:e2:25
#11 Updated by Benjamin Jacobs about 9 years ago
OK, after several hours of trying things, I got it to work. I had to install the root certificate on the client side in cacerts. The intermediate gets pushed out automatically; why doesn't the server send out the root certificate?
#12 Updated by Noel Kuntze about 9 years ago
Because that wouldn't help at all. There's no reason for a host to trust a random self-signed certificate.
#13 Updated by Tobias Brunner almost 9 years ago
- Category changed from interoperability to configuration
- Status changed from New to Closed
- Resolution set to No change required