On Tue, Feb 07, 2017 at 01:30:13PM -0500, Christopher Sean Hilton wrote:
> On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> > I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> > 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
> >
>
> Some more information on this and possibly a real question:
>
> Here are the logs from the OpenBSD 5.8 machine:
>
> 130142.003702 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
> 130142.004443 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/Readme.md
> 130142.004825 Default x509_read_from_dir: PEM_read_X509 failed for
> /etc/isakmpd/ca/Readme.md
> 130142.004921 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/ca.crt
> 130142.006237 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/root.crt
> 130142.007072 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/sign.crt
> 130142.008005 Cryp 50 x509_read_from_dir: X509_STORE_add_cert failed for
> /etc/isakmpd/ca/sign.crt
> 130142.008133 Cryp 40 x509_read_from_dir: reading certs from
> /etc/isakmpd/certs/
>
Looks like the ../ca/ca.crt and ../ca/sign.crt had the same cert. isakmpd was rejecting both from its internal CA as a duplicate, so there was no issuer for my peer certs. Removing the duplicate solved the problem.

Thanks if you looked or even if you didn't.

-- 
Chris
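The two symptoms in the log above (a non-certificate file that makes PEM_read_X509 fail, and a second copy of a certificate that makes X509_STORE_add_cert fail) are both easy to catch before restarting isakmpd. The script below is an added example, not isakmpd's own code or anything from the thread: it walks a CA directory, reports files that carry no PEM certificate block, and reports any certificate whose body (the base64 between the BEGIN/END CERTIFICATE markers, whitespace stripped) has already been seen under another file name. The sample directory it builds is constructed to mirror the layout in the log, with placeholder base64 rather than real certificates; the checker never decodes them, it only compares them. The assumption is that "same cert" means identical DER, which is what a byte-for-byte copy such as sign.crt gives; if openssl is installed, `openssl x509 -noout -fingerprint -sha256 -in FILE` is the stricter key to compare on.

```shell
#!/bin/sh
# Added example (not isakmpd code): audit an isakmpd CA directory for
# non-PEM files and duplicate certificates before isakmpd reads it.

# pem_body FILE: print the base64 body of the first certificate block in
# FILE with all whitespace removed; print nothing if FILE has no block
# (the case that made isakmpd log "PEM_read_X509 failed" for Readme.md).
# Only the first block is considered, so a bundle is keyed on its first cert.
pem_body() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
        /^-----END CERTIFICATE-----/   { if (inblk) { print body; exit } }
        inblk { body = body $0 }
    ' "$1" | tr -d ' \t'
}

# audit_ca_dir DIR: print one line per problem found in DIR:
#   NOTPEM <file>              file has no certificate block
#   DUP <file> <earlier-file>  same certificate body already seen in earlier-file
# Returns 0 when DIR is clean, 1 when anything was reported.
audit_ca_dir() {
    dir=$1
    problems=0
    seen=""
    nl='
'
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        body=$(pem_body "$f")
        if [ -z "$body" ]; then
            echo "NOTPEM $f"
            problems=1
            continue
        fi
        # POSIX cksum (crc and length) is enough to key identical bodies;
        # swap in an openssl fingerprint if you need a cryptographic digest.
        sum=$(printf '%s' "$body" | cksum | cut -d' ' -f1,2 | tr ' ' '-')
        prev=$(printf '%s' "$seen" | awk -v s="$sum" '$1 == s { print $2; exit }')
        if [ -n "$prev" ]; then
            echo "DUP $f $prev"
            problems=1
        else
            seen="${seen}${sum} ${f}${nl}"
        fi
    done
    return $problems
}

# write_cert FILE BODY-LINE...: write a PEM-shaped file (constructed fixture).
write_cert() {
    f=$1
    shift
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$@" '-----END CERTIFICATE-----' > "$f"
}

# make_sample_dir DIR: constructed fixture mirroring the thread's
# /etc/isakmpd/ca/: a stray Readme.md, ca.crt, root.crt, and a sign.crt that
# is a byte-for-byte copy of ca.crt. Bodies are placeholder base64, not certs.
make_sample_dir() {
    dir=$1
    mkdir -p "$dir"
    printf '# notes about this CA\n' > "$dir/Readme.md"
    write_cert "$dir/ca.crt"   'MIICplaceholderCAcert' 'AAAAAAAA'
    write_cert "$dir/root.crt" 'MIICplaceholderRoot' 'BBBBBBBB'
    cp "$dir/ca.crt" "$dir/sign.crt"
}

# Usage: sh audit-ca.sh /etc/isakmpd/ca
if [ $# -gt 0 ]; then
    audit_ca_dir "$1"
fi
```

Run it against the real directory and fix every line it prints: move non-certificate files out of /etc/isakmpd/ca/, and keep exactly one copy of each CA certificate, since isakmpd's X509 store refuses the second copy and, as the thread shows, the refusal can leave peer certificates without an issuer.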

