On 2015-08-18, Reyk Floeter <r...@openbsd.org> wrote:
> On Tue, Aug 18, 2015 at 02:26:29PM +0000, Jona Joachim wrote:
>> Hi,
>> I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between
>> two OpenBSD boxes running a recent amd64 snapshot. The client is behind
>> a NAT.
>> The setup works with a PSK but I cannot make it work with RSA
>> certificates. No matter what I tried, the client seems to fail
>> connecting with:
>> ca_getreq: no valid local certificate found
>> 
>> I turn to the mailing list to see if anybody can point me into the right
>> direction.
>> 
>> I loosely followed the following guide:
>> http://puffysecurity.com/wiki/openikedoffshore.html
>> I will try to shorten the command output to make it more readable.
>> 
>> There is an OpenSSL error during the creation of the CA concerning a
>> missing element in openssl.cnf. I did not modify openssl.cnf.
>> 
>> On the server side I did the following:
>> 
>> # ikectl ca ikeca create 
>> [...]
>> Signature ok
>> subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
>> Getting Private key
>> Using configuration from /etc/ssl/openssl.cnf
>> variable lookup failed for ca::default_ca
>> 7504668282756:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> name=default_ca
>> 
>
> It seems that the changes in LibreSSL (or newer OpenSSL before the
> fork) broke some things in ikectl.
>
> Specifically, the possibility to overwrite variables like CERTIP or
> CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
> broken; or no longer supported because of security concerns.
>
> Your log file gives a hint that the default "CERTFQDN = nohost.nodomain"
> value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
> of the CERTFQDN overwrite from the environment (as set by ikectl):
>
>> ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
>> ca_x509_subjectaltname: FQDN/nohost.nodomain
>> ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
>> ca_getreq: no valid local certificate found
>
> If libressl no longer supports $ENV in the .cnf files, we have to find
> another way, eg. by generating and using a .cnf file for each
> certificate.
>
> As a workaround, you could try to edit CERTFQDN/CERTIP in
> x509v3.cnf/ikeca.cnf manually before generating the certificate.

Manually editing x509v3.cnf allowed me to create valid certificates and
solved the problem. Strange that I am the first one to run into this
problem.

Thank you very much for the quick support!
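The thread pins the failure on how `$ENV::CERTFQDN` in the OpenSSL-style cnf is resolved: when the value exported by ikectl is honoured the SAN carries the real host name, and when it is not the file's own default "nohost.nodomain" lands in the certificate and iked's `ca_x509_subjectaltname_cmp` rejects it. The script below is an added example, not code from the thread, from ikectl or from LibreSSL; it models that resolution with a small cnf parser, shows the per-certificate cnf workaround Reyk suggests, and reproduces the FQDN comparison. `SAMPLE_CNF` is a constructed fragment only shaped like /etc/ssl/x509v3.cnf, and `client.example.net` is a constructed host name.

```python
import re

# Constructed sample in the shape of OpenBSD's /etc/ssl/x509v3.cnf (not the real file):
# top-level defaults plus an extension section that references one of them via $ENV::.
SAMPLE_CNF = """\
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain

[ x509v3_FQDN ]
subjectAltName = DNS:$ENV::CERTFQDN
extendedKeyUsage = serverAuth,clientAuth
"""

ASSIGN_RE = re.compile(r"^[ \t]*([A-Za-z0-9_]+)[ \t]*=[ \t]*(.*?)[ \t]*$")
SECTION_RE = re.compile(r"^[ \t]*\[[ \t]*(.+?)[ \t]*\][ \t]*$")
ENV_REF_RE = re.compile(r"\$\{?ENV::([A-Za-z0-9_]+)\}?")


def parse_cnf(text):
    """Parse a cnf into {section: {key: raw_value}}; keys before any [section] go to 'default'."""
    sections = {"default": {}}
    current = "default"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = ASSIGN_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def expand(value, sections, env, honour_env):
    """Expand $ENV::NAME references.

    honour_env=True  : the exported variable wins (the behaviour ikectl relies on).
    honour_env=False : the override is ignored and the file's top-level default of the
                       same name is used, which is what the 'nohost.nodomain' log shows.
    This is a model of the precedence described in the thread, not LibreSSL's code.
    """
    def sub(m):
        name = m.group(1)
        if honour_env and name in env:
            return env[name]
        return sections["default"].get(name, "")
    return ENV_REF_RE.sub(sub, value)


def resulting_san(cnf_text, env, honour_env):
    """The subjectAltName value that would be written into the certificate."""
    sections = parse_cnf(cnf_text)
    return expand(sections["x509v3_FQDN"]["subjectAltName"], sections, env, honour_env)


def per_cert_cnf(cnf_text, fqdn):
    """Workaround from the thread: set CERTFQDN in a copy of the cnf for this one certificate."""
    return re.sub(r"^([ \t]*CERTFQDN[ \t]*=[ \t]*).*$", r"\g<1>" + fqdn, cnf_text, flags=re.M)


def san_matches(expected_fqdn, san):
    """Mimic iked's check: the DNS SAN must equal the configured local FQDN identity."""
    return san == "DNS:" + expected_fqdn


if __name__ == "__main__":
    env = {"CERTFQDN": "client.example.net"}   # what ikectl exports before calling openssl
    print(resulting_san(SAMPLE_CNF, env, honour_env=True))    # DNS:client.example.net
    print(resulting_san(SAMPLE_CNF, env, honour_env=False))   # DNS:nohost.nodomain
    fixed = per_cert_cnf(SAMPLE_CNF, "client.example.net")
    print(resulting_san(fixed, {}, honour_env=False))         # DNS:client.example.net
```

The second call reproduces the mismatch from the log without any environment override in play; the third shows why editing CERTFQDN in the file (or generating a cnf per certificate) sidesteps the dependency on `$ENV::` entirely. Checking the SAN of the issued certificate against the iked local identity before deploying it is the cheapest way to catch this class of problem.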
