Has anyone already figured out how to, or know whether it's possible
to, get iked working with letsencrypt certs? (Or indeed any CA with
chain certs?)

Use case: "standard" clients (Windows/iOS/StrongSwan), EAP auth,
not particularly technical users so trying to avoid the need for them
to manually install certs.

Most of it should be straightforward (at least for FQDN; the server
cert has a SAN). I think the main issue seems to be the chain cert.

If I place only the "CN=Let's Encrypt Authority X3" in iked/ca/ca.crt,
iked doesn't start up properly ("unable to get issuer certificate" for my
own cert and "unable to get local issuer certificate" for the LE CA).

If I place only the "DST Root CA X3" in ca.crt I get "did not find
subjectAltName" and "no valid local certificate found".

If I place both ca and chain certs in ca.crt it looks like it starts
up ok:

ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /O=Digital Signature Trust Co./CN=DST Root CA X3
ca_reload: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
ca_reload: loaded 2 ca certificates
ca_reload: loaded cert file blahblahblah.com.crt

but then actually connecting fails (at least from strongswan; I need to
dig out the other test devices again).
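An added example, not from the post or from iked itself: it builds a constructed toy chain (self-signed root, an intermediate signed by it, a leaf with a SAN signed by the intermediate) and runs `openssl verify` against each of the three ca.crt layouts described above, which reproduces the same two OpenSSL error strings the post quotes. The CA names, the hostname and the file names are made up; the only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): constructed toy chain
# root -> intermediate -> leaf, mirroring DST Root -> LE Authority -> server cert.
# All names below are made up for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (plays the role of "DST Root CA X3"), self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key -out root.crt \
  -subj "/O=Example Trust/CN=Example Root" 2>/dev/null
# Intermediate CA (plays the role of "Let's Encrypt Authority X3"), signed by the root.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/O=Example CA/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile inter.ext -out inter.crt 2>/dev/null
# Leaf (the iked server cert) with a subjectAltName, signed by the intermediate.
printf 'subjectAltName=DNS:vpn.example.test\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=vpn.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# The three ca.crt layouts tried in the post.
cp inter.crt ca_inter_only.crt
cp root.crt ca_root_only.crt
cat root.crt inter.crt > ca_both.crt

# check_chain CAFILE: prints "ok" when leaf.crt verifies with CAFILE as the only
# trust store, otherwise the OpenSSL reason string (the wording iked logs).
check_chain() {
  out=$(openssl verify -CAfile "$1" leaf.crt 2>&1) && { echo ok; return 0; }
  printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1
}

# What a peer does: trust only the root, take the intermediate as an untrusted
# chain certificate presented alongside the leaf.
verify_with_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1 \
    && echo ok || echo fail
}

for f in ca_inter_only.crt ca_root_only.crt ca_both.crt; do
  printf '%-18s %s\n' "$f" "$(check_chain "$f")"
done
echo "root anchor + intermediate as chain: $(verify_with_chain)"
```

With a trust store holding only the intermediate, OpenSSL cannot reach a self-signed anchor ("unable to get issuer certificate"); with only the root it cannot find the leaf's direct issuer ("unable to get local issuer certificate"); only root plus intermediate, or root as anchor with the intermediate supplied as chain, verifies.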
