Issue #3596

no issuer certificate found for

Added by bo lee 15 days ago. Updated 9 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.3.5
Resolution:

Description

Information
Server: Ubuntu 16.04
Client: arm_board

I have the following authentication files.

server
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ServerCert.pem
/etc/ipsec.d/private/ServerKey.pem

client
/etc/ipsec.d/cacerts/CACert.pem
/etc/ipsec.d/certs/ClientCert.pem
/etc/ipsec.d/private/ClientKey.pem

The certificate files in the certs path are all certificate files signed by the root CA.

server(ipsec.conf)

config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no

conn %default

conn femto_ap
left=10.253.4.24
leftid=%any
leftcert=ServerCert.pem
leftsubnet=0.0.0.0/0
right=10.253.4.168
rightid=%any
#rightcert=ClientCert.pem
ikelifetime=86400s
lifetime=28800s
margintime=300s
lifebytes=0
marginbytes=1073741824
keyexchange=ikev2
ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
fragmentation=no
mobike=no
rekey=yes
leftauth=pubkey
rightauth=pubkey
auto=start
type=tunnel
eap_identity="%identity"

server(ipsec.secrets)
: RSA "ServerKey.pem"

client(ipsec.conf)

config setup
cachecrls=no
strictcrlpolicy=no

conn default
ikelifetime=86400s
lifetime=28800s
margintime=3m
marginbytes=1073741824
rekeyfuzz=0

keyingtries=1
keyexchange=ikev2
ike=aes128-sha1-modp2048,3des-sha1-modp1536
esp=aes128-sha1,3des-sha1,aes128-sha1-modp2048,aes256-sha1-modp2048,aes128-sha256-modp2048
mobike=no
rekey=yes
reauth=yes
dpdaction=clear
dpddelay=5m
dpdtimeout=150s
eap_identity="%identity"
left=10.253.4.168
leftsubnet=0.0.0.0/0
leftsourceip=%config
leftid="%any"
leftcert="ClientCert.pem"
leftsendcert=always
leftauth=pubkey
leftfirewall=no
leftdns=%config4
right=10.253.4.24
rightsubnet=0.0.0.0/0
rightid="%any"
rightsendcert=always
rightauth=pubkey
rightfirewall=no

conn femto_ap
right=10.253.4.24
rightsubnet=0.0.0.0/0
ikelifetime=86400s
lifetime=28800s
margintime=300s
lifebytes=0
marginbytes=1073741824
keyexchange=ikev2
ike=aes128-aes192-aes256-sha1-prfsha1-modp2048!
esp=aes128-aes192-aes256-sha1-modp2048!
dpddelay=60s
fragmentation=no
ikedscp=010000
leftauth=pubkey
rightauth=pubkey
auto=start

client(ipsec.secrets)
: RSA "ClientKey.pem"

The problem is that when I run ipsec up femto_ap, I get a message like: no issuer certificate found for "C=KR, O=strongSwan, CN=Server_Cert"

Log file on the server side for detailed analysis
Log files on the client side
The authentication files are attached.
Thank you.

CACert.pem (1.81 KB), bo lee, 15.10.2020 10:58
charon(client).log (38.4 KB), bo lee, 15.10.2020 10:58
ClientCert.pem (1.47 KB), bo lee, 15.10.2020 10:58
ClientKey.pem (1.64 KB), bo lee, 15.10.2020 10:58
ServerCert.pem (1.51 KB), bo lee, 15.10.2020 10:58
ServerKey.pem (1.64 KB), bo lee, 15.10.2020 10:58
syslog(server) (1.32 MB), bo lee, 15.10.2020 10:58
cert_information.PNG (106 KB), bo lee, 16.10.2020 03:29
strongswan_conf.PNG (5.13 KB), bo lee, 19.10.2020 02:20

History

#1 Updated by Tobias Brunner 15 days ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Affected version changed from 5.9.0 to 5.3.5

The certificates you attached look OK, but those might not be the ones actually in use on these hosts (e.g. if you issued new certificates multiple times using different keys but the same DNs). Make absolutely sure you have the same CA certificate installed on both hosts (especially on the client) and that the end-entity certificates are issued by those (you can check with pki --verify).

#2 Updated by bo lee 14 days ago

As a result of checking with the pki --verify command:
using trusted certificate "C=KR, O=strongSwan, CN=Root CA"
certificate trusted, lifetimes valid
No problem.

In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?

#3 Updated by Tobias Brunner 13 days ago

As a result of checking with the pki --verify command:
using trusted certificate "C=KR, O=strongSwan, CN=Root CA"
certificate trusted, lifetimes valid
No problem.

Where did you test this? Are the installed CA certificates on both hosts the same?

In my opinion, is this a problem because the Signature Algorithm of the cert file is set to sha384 like the attached picture?

Why should that make a difference?

#4 Updated by bo lee 11 days ago

Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.

#5 Updated by Tobias Brunner 11 days ago

Setting the value of signature_authentication to no in the newly attached photo (strongswan.conf) did not cause the problem.
The cause was signature_authentication.

What do you mean?

#6 Updated by bo lee 10 days ago

When signature_authentication = no was set in strongswan.conf, auth_fail did not occur.

#7 Updated by Tobias Brunner 10 days ago

When signature_authentication = no was set in strongswan.conf, auth_fail did not occur.

Interesting. But you are using a very old version and with custom modifications, so...

#8 Updated by bo lee 9 days ago

Inevitably I'm using the old version.
Thank you for helping me with this issue.
