Issue #3596: no issuer certificate found for - strongSwan

Issue #3596

no issuer certificate found for

Added by bo lee about 1 year ago. Updated 12 months ago.

Status:

Feedback

Priority:

Normal

Assignee:

Category:

configuration

Affected version:

5.3.5

Resolution:

Description

~~information~~
Server (Ubuntu 16.04)
Client (arm_board)

I have the following authentication file.

~~server~~
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ServerCert.pem
/etc/ipsec.d/private/ServerKey.pem

~~client~~
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ClientCert.pem
/etc/ipsec.d/private/ClientKey.pem

The certificate files in the certs path are all certificate files signed by the root CA.

~~server(ipsec.conf)~~

config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no

conn %default

conn femto_ap
left=10.253.4.24
leftid=%any
leftcert=ServerCert.pem
leftsubnet=0.0.0.0/0
right=10.253.4.168
rightid=%any
#rightcert=ClientCert.pem
ikelifetime=86400s
lifetime=28800s
margintime=300s
lifebytes=0
marginbytes=1073741824
keyexchange=ikev2
ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
fragmentation=no
mobike=no
rekey=yes
leftauth=pubkey
rightauth=pubkey
auto=start
type=tunnel
eap_identity="%identity"

~~server(ipsec.secrets)~~
: RSA "ServerKey.pem"

~~client(ipsec.conf)~~

config setup
cachecrls=no
strictcrlpolicy=no

conn default
ikelifetime=86400s
lifetime=28800s
margintime=3m
marginbytes=1073741824
rekeyfuzz=0
keyingtries=1
keyexchange=ikev2
ike=aes128-sha1-modp2048,3des-sha1-modp1536
esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
mobike=no
rekey=yes
reauth=yes
dpdaction=clear
dpddelay=5m
dpdtimeout=150s
eap_identity="%identity"
left=10.253.4.168
leftsubnet=0.0.0.0/0
leftsourceip=%config
leftid="%any"
leftcert="ClientCert.pem"
leftsendcert=always
leftauth=pubkey
leftfirewall=no
leftdns=%config4
right=10.253.4.24
rightsubnet=0.0.0.0/0
rightid="%any"
rightsendcert=always
rightauth=pubkey
rightfirewall=no

conn femto_ap
right=10.253.4.24
rightsubnet=0.0.0.0/0
ikelifetime=86400s
lifetime=28800s
margintime=300s
lifebytes=0
marginbytes=1073741824
keyexchange=ikev2
ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
esp=aes128-aes192-aes256-sha1-modp2048!
dpddelay=60s
fragmentation=no
ikedscp=010000
leftauth=pubkey
rightauth=pubkey
auto=start

~~client(ipsec.secrets)~~
: RSA "ClientKey.pem"

The problem is when I type ipsec up femto_ap, I get a message like no issuer certificate found for "C=KR, O=strongSwan, CN=Server_Cert"

LogFile on server side for detailed analysis
Log files on the client side
Attach the authentication file.
Thank you.

CACert.pem (1.81 KB) CACert.pem		bo lee, 15.10.2020 10:58
charon(client).log (38.4 KB) charon(client).log		bo lee, 15.10.2020 10:58
ClientCert.pem (1.47 KB) ClientCert.pem		bo lee, 15.10.2020 10:58
ClientKey.pem (1.64 KB) ClientKey.pem		bo lee, 15.10.2020 10:58
ServerCert.pem (1.51 KB) ServerCert.pem		bo lee, 15.10.2020 10:58
ServerKey.pem (1.64 KB) ServerKey.pem		bo lee, 15.10.2020 10:58
syslog(server) (1.32 MB) syslog(server)		bo lee, 15.10.2020 10:58
cert_information.PNG (106 KB) cert_information.PNG		bo lee, 16.10.2020 03:29
strongswan_conf.PNG (5.13 KB) strongswan_conf.PNG		bo lee, 19.10.2020 02:20

History

#1 Updated by Tobias Brunner about 1 year ago

Category set to configuration
Status changed from New to Feedback
Affected version changed from 5.9.0 to 5.3.5

The certificates you attached look OK, but those might not be the ones actually in use on these hosts (e.g. if you issued new certificates multiple times using different keys but the same DNs). Make absolutely sure you have the same CA certificate installed on both hosts (especially on the client) and that the end-entity certificates are issued by those (you can check with pki --verify).

#2 Updated by bo lee about 1 year ago

File cert_information.PNG cert_information.PNG added

Using trusted certificate "C=KR, O=strongSwan, CN=Root CA" as a result of checking with pki --verify command
certificate trusted, lifetimes valid No problem.

In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?

#3 Updated by Tobias Brunner about 1 year ago

Using trusted certificate "C=KR, O=strongSwan, CN=Root CA" as a result of checking with pki --verify command
certificate trusted, lifetimes valid No problem.

Where did you test this? Are the installed CA certificates on both hosts the same?

In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?

Why should that make a difference?

#4 Updated by bo lee about 1 year ago

File strongswan_conf.PNG strongswan_conf.PNG added

Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.

#5 Updated by Tobias Brunner 12 months ago

Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.

What do you mean?

#6 Updated by bo lee 12 months ago

when the signature_authentication = no value was set in strongswan.conf, auth_fail did not occur.

#7 Updated by Tobias Brunner 12 months ago

when the signature_authentication = no value was set in strongswan.conf, auth_fail did not occur.

Interesting. But you are using a very old version and with custom modifications, so...

#8 Updated by bo lee 12 months ago

Inevitably I'm using the old version.
Thank you for helping me with this issue.

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues