Issue #3202

log shows old certificates are still being sent out

Added by Tom Hsiung about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
configuration
Affected version:
5.6.2
Resolution:

Description

I checked the log file; there are three certificates shown in the log.

charon: 12[IKE] 182.148.70.213 is initiating an IKE_SA
Oct 12 11:57:53 xxx charon: 12[IKE] remote host is behind NAT
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx1 root CA, SN=xxx, C=US, L=xxx, ST=xxx$
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx2 root CA" 
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "C=xx, ST=xx, L=xx, CN=xxx3 root CA, SN=xxx, UID=xxx$

The two old root CAs are abandoned, so how do I disable them completely so that they won't show up in the log again? Thank you.

History

#1 Updated by Noel Kuntze about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Assignee set to Noel Kuntze

See the documentation (specifically the man page for ipsec or swanctl, depending on what you're using):
From man ipsec (the wiki page for it right now differs from the man page, no idea which of those is actually correct):

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to the list of Certification Authority (CA) certificates. This does not affect certificates explicitly defined in a ipsec.conf(5) ca section, which may be separately updated using the update command.

For swanctl, it's probably -b (--load-authorities).

#2 Updated by Tobias Brunner about 1 month ago

For swanctl, it's probably -b (--load-authorities).

Only if authorities sections are used. Otherwise, use --load-creds to (re-)load certificates in the swanctl/x509ca directory (--clear to clear out old credentials first).
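To confirm that the removed CAs are really gone after the reload, one check is to pull the "sending cert request for" lines out of the charon log and compare the requested DNs against the CAs that are supposed to be loaded. This is an added example, not code from the thread or from the strongSwan project; the log sample is constructed from the report's lines with placeholder DNs, and the function names are my own.

```python
from __future__ import annotations
import re
from typing import Iterable

# Matches the charon log line quoted in the report. The subject DN is captured up to
# the closing quote or, for lines the reporter's terminal truncated, a trailing "$".
CERT_REQ_RE = re.compile(r'sending cert request for "(?P<dn>[^"$]*)(?:"|\$)')


def requested_cas(log_lines: Iterable[str]) -> list[str]:
    """Distinct CA subject DNs charon announced cert requests for, in log order."""
    seen: list[str] = []
    for line in log_lines:
        m = CERT_REQ_RE.search(line)
        if m:
            dn = m.group("dn").strip()
            if dn not in seen:
                seen.append(dn)
    return seen


def stale_cas(log_lines: Iterable[str], current_cas: set[str]) -> list[str]:
    """DNs charon still requests that are not among the CAs meant to be loaded.

    A non-empty result after `ipsec rereadcacerts` or `swanctl --load-creds --clear`
    means an old CA file is still present in the cacerts / x509ca directory, or a
    ca / authorities section still references it.
    """
    return [dn for dn in requested_cas(log_lines) if dn not in current_cas]


# Constructed sample modelled on the reporter's log; DNs are placeholders (assumption).
SAMPLE_LOG = [
    'Oct 12 11:57:53 xxx charon: 12[IKE] remote host is behind NAT',
    'Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx1 root CA, SN=xxx, C=US"',
    'Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx2 root CA"',
    'Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "C=xx, ST=xx, CN=xxx3 root CA$',
]

if __name__ == "__main__":
    # Only xxx2 is meant to stay loaded; the other two should no longer be requested.
    for dn in stale_cas(SAMPLE_LOG, {"CN=xxx2 root CA"}):
        print("stale CA still requested:", dn)
```

In practice feed it `journalctl -u strongswan` output (or the syslog file) taken after the reload, and treat any stale entry as a CA file that still needs removing before reloading again.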
