Issue #3596
no issuer certificate found for
Description
information
Server (Ubuntu 16.04)
Client (arm_board)
I have the following authentication files.
server
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ServerCert.pem
/etc/ipsec.d/private/ServerKey.pem
client
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ClientCert.pem
/etc/ipsec.d/private/ClientKey.pem
The certificate files in the certs path are all certificate files signed by the root CA.
server(ipsec.conf)
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn femto_ap
        left=10.253.4.24
        leftid=%any
        leftcert=ServerCert.pem
        leftsubnet=0.0.0.0/0
        right=10.253.4.168
        rightid=%any
        #rightcert=ClientCert.pem
        ikelifetime=86400s
        lifetime=28800s
        margintime=300s
        lifebytes=0
        marginbytes=1073741824
        keyexchange=ikev2
        ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
        esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
        fragmentation=no
        mobike=no
        rekey=yes
        leftauth=pubkey
        rightauth=pubkey
        auto=start
        type=tunnel
        eap_identity="%identity"
server(ipsec.secrets)
: RSA "ServerKey.pem"
client(ipsec.conf)
config setup
        cachecrls=no
        strictcrlpolicy=no
conn default
        ikelifetime=86400s
        lifetime=28800s
        margintime=3m
        marginbytes=1073741824
        rekeyfuzz=0
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp2048,3des-sha1-modp1536
        esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
        mobike=no
        rekey=yes
        reauth=yes
        dpdaction=clear
        dpddelay=5m
        dpdtimeout=150s
        eap_identity="%identity"
        left=10.253.4.168
        leftsubnet=0.0.0.0/0
        leftsourceip=%config
        leftid="%any"
        leftcert="ClientCert.pem"
        leftsendcert=always
        leftauth=pubkey
        leftfirewall=no
        leftdns=%config4
        right=10.253.4.24
        rightsubnet=0.0.0.0/0
        rightid="%any"
        rightsendcert=always
        rightauth=pubkey
        rightfirewall=no
conn femto_ap
        right=10.253.4.24
        rightsubnet=0.0.0.0/0
        ikelifetime=86400s
        lifetime=28800s
        margintime=300s
        lifebytes=0
        marginbytes=1073741824
        keyexchange=ikev2
        ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
        esp=aes128-aes192-aes256-sha1-modp2048!
        dpddelay=60s
        fragmentation=no
        ikedscp=010000
        leftauth=pubkey
        rightauth=pubkey
        auto=start
client(ipsec.secrets)
: RSA "ClientKey.pem"
The problem is that when I type ipsec up femto_ap, I get a message like: no issuer certificate found for "C=KR, O=strongSwan, CN=Server_Cert"
Log file on the server side for detailed analysis
Log files on the client side
The authentication files are attached.
Thank you.
History
#1 Updated by Tobias Brunner over 1 year ago
- Category set to configuration
- Status changed from New to Feedback
- Affected version changed from 5.9.0 to 5.3.5
The certificates you attached look OK, but those might not be the ones actually in use on these hosts (e.g. if you issued new certificates multiple times using different keys but the same DNs). Make absolutely sure you have the same CA certificate installed on both hosts (especially on the client) and that the end-entity certificates are issued by those (you can check with pki --verify).
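The checks suggested above (same CA file on both hosts, end-entity certificates really issued by that CA), as an added example that is not part of this issue and not strongSwan's pki code. It assumes the third-party Python package cryptography is installed; every certificate in it is constructed in memory using the DNs from this issue. verify_issued_by() performs the steps pki --verify performs against one CA (issuer DN equal to the CA subject DN, CA flag present, signature valid under the CA key, lifetime covers now), and fingerprint() gives the value to compare for CACert.pem on the server and the client. The demo data also includes the trap from the comment above: a second CA with the identical DN but a different key, which passes the DN check and fails only at the signature.

```python
"""Added example (not strongSwan code): reproduce the checks 'pki --verify' makes.
Assumes the third-party 'cryptography' package; all certificates are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    """Build a DN in the form used in this issue: C=KR, O=strongSwan, CN=<cn>."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "KR"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "strongSwan"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _make_cert(subject, issuer, pubkey, signing_key, is_ca, sig_hash):
    """Constructed certificate valid 2020-2040, signed with RSA PKCS#1 v1.5."""
    start = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=20 * 365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, sig_hash))


def _validity(cert):
    """Validity window as tz-aware datetimes (older cryptography only has naive ones)."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        utc = datetime.timezone.utc
        return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_issued_by(cert, ca_cert, now=None):
    """Return (ok, reason). Same steps as pki --verify with one CA: the issuer DN must
    match the CA subject DN, the CA must carry the CA flag, the signature must verify
    under the CA public key, and 'now' must fall inside the validity period."""
    if cert.issuer != ca_cert.subject:
        return False, 'no issuer certificate found for "%s"' % cert.subject.rfc4514_string()
    try:
        if not ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "issuer certificate is not a CA"
    except x509.ExtensionNotFound:
        return False, "issuer certificate lacks BasicConstraints"
    try:
        # RSA PKCS#1 v1.5, matching the ': RSA' entries in ipsec.secrets; the digest
        # (SHA-256, SHA-384, ...) is taken from the certificate's own signature algorithm
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the CA key (same DN, different key?)"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return False, "certificate lifetime not valid"
    return True, "certificate trusted, lifetimes valid"


def fingerprint(cert):
    """SHA-256 fingerprint; compare this for CACert.pem on the server and the client."""
    return ":".join("%02X" % b for b in cert.fingerprint(hashes.SHA256()))


def build_demo():
    """Constructed data: a Root CA, a SHA-384-signed server cert it issued, and a
    second CA with the identical DN but a different key (a re-issued CA)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _make_cert(_name("Root CA"), _name("Root CA"), ca_key.public_key(),
                         ca_key, True, hashes.SHA256())
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_cert = _make_cert(_name("Server_Cert"), _name("Root CA"), srv_key.public_key(),
                          ca_key, False, hashes.SHA384())
    stale_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    stale_ca = _make_cert(_name("Root CA"), _name("Root CA"), stale_key.public_key(),
                          stale_key, True, hashes.SHA256())
    return ca_cert, srv_cert, stale_ca


if __name__ == "__main__":
    ca, srv, stale = build_demo()
    print("CA fingerprint       :", fingerprint(ca))
    print("re-issued CA fingerpr:", fingerprint(stale))
    print("server vs CA         :", verify_issued_by(srv, ca))
    print("server vs re-issued  :", verify_issued_by(srv, stale))
    print("CA vs server         :", verify_issued_by(ca, srv))
```

Run it and the server certificate verifies against the CA that signed it, fails with a signature error against the same-DN CA with a different key, and produces the "no issuer certificate found" reason when the issuer DN does not match. If the two CACert.pem fingerprints differ between hosts, that alone explains the error even though pki --verify succeeds on one of them.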
#2 Updated by bo lee over 1 year ago
- File cert_information.PNG cert_information.PNG added
Result of checking with the pki --verify command:
using trusted certificate "C=KR, O=strongSwan, CN=Root CA"
certificate trusted, lifetimes valid
No problem.
In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?
#3 Updated by Tobias Brunner over 1 year ago
Result of checking with the pki --verify command:
using trusted certificate "C=KR, O=strongSwan, CN=Root CA"
certificate trusted, lifetimes valid
No problem.
Where did you test this? Are the installed CA certificates on both hosts the same?
In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?
Why should that make a difference?
#4 Updated by bo lee over 1 year ago
- File strongswan_conf.PNG strongswan_conf.PNG added
Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.
#5 Updated by Tobias Brunner over 1 year ago
Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.
What do you mean?
#6 Updated by bo lee over 1 year ago
When the signature_authentication = no value was set in strongswan.conf, auth_fail did not occur.
#7 Updated by Tobias Brunner over 1 year ago
When the signature_authentication = no value was set in strongswan.conf, auth_fail did not occur.
Interesting. But you are using a very old version and with custom modifications, so...
#8 Updated by bo lee over 1 year ago
Inevitably I'm using the old version.
Thank you for helping me with this issue.