I have an issue using certs as well, though I am not 100% sure whether it has to do with a CA cert chain (why did you come to this conclusion?). Do you have a config and a debug trace to share?
---
Igor V. Gubenko
System Engineer

On 2018-02-21 20:14, Stuart Henderson wrote:
> Has anyone already figured out how to, or know whether it's possible
> to, get iked working with letsencrypt certs? (Or indeed any CA with
> chain certs?)
>
> Use case: "standard" clients (Windows/iOS/StrongSwan), EAP auth,
> not particularly technical users so trying to avoid the need for them
> to manually install certs.
>
> Most of it should be straightforward (at least for FQDN), the server
> cert has SAN, I think the main issue seems to be due to the chain cert.
>
> If I place only the "CN=Let's Encrypt Authority X3" in iked/ca/ca.crt
> iked doesn't start up properly ("unable to get issuer certificate" for my
> own cert and "unable to get local issuer certificate" for the LE CA).
>
> If I place only the "DST Root CA X3" in ca.crt I get "did not find
> subjectAltName" and "no valid local certificate found".
>
> If I place both ca and chain certs in ca.crt it looks like it starts
> up ok:
>
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /O=Digital Signature Trust Co./CN=DST Root CA X3
> ca_reload: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ca_reload: loaded 2 ca certificates
> ca_reload: loaded cert file blahblahblah.com.crt
>
> but then actually connecting fails (at least from strongswan, I need to
> dig out the other test devices again..).
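The errors quoted in the thread ("unable to get issuer certificate", "unable to get local issuer certificate") are the standard libcrypto X.509 verification error strings, so the same failure modes can be reproduced outside iked. The script below is an added example, not part of the thread or of iked: it builds a constructed root -> intermediate -> leaf chain with the `openssl` command line tool (assumed to be installed), then verifies the leaf against the three `ca.crt` layouts Stuart describes (intermediate only, root only, root plus intermediate). All certificate names are made up; `openssl verify -CAfile` is used as an approximation of what iked's `ca_reload` does with `iked/ca/ca.crt`, not as its exact logic.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the three ca.crt layouts with a
# constructed toy chain and see which one lets the server (leaf) cert verify.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_chain: build root -> intermediate -> leaf. Names are constructed, not real CAs.
gen_chain() {
  # extensions for the CA certs: without CA:true the intermediate is rejected
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # extensions for the leaf: iked wants a subjectAltName on the server cert
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:vpn.example.test\n' > leaf.ext

  # self-signed root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root (constructed)" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1

  # intermediate signed by the root (the "chain cert" in the thread)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate (constructed)" \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt >/dev/null 2>&1

  # leaf (the VPN server cert) signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
}

# verify_with CERT...: concatenate the given certs into a ca.crt-style bundle and
# verify the leaf against it. Returns openssl's status; details land in verify.out.
verify_with() {
  cat "$@" > bundle.crt
  openssl verify -CAfile bundle.crt leaf.crt > verify.out 2>&1
}

# report LABEL CERT...: one-line verdict per ca.crt layout, with the libcrypto error text.
report() {
  label=$1; shift
  if verify_with "$@"; then
    echo "$label: leaf verifies"
  else
    echo "$label: FAILS -> $(grep -o 'unable to get.*' verify.out | head -1)"
  fi
}

gen_chain
report "ca.crt = intermediate only" int.crt
report "ca.crt = root only" root.crt
report "ca.crt = root + intermediate" root.crt int.crt
```

Run it as-is; the intermediate-only and root-only bundles fail with the two "unable to get ..." errors from the thread, and only the bundle holding both CA certs verifies the leaf. The same check against a real `ca.crt` (`openssl verify -CAfile /etc/iked/ca/ca.crt server.crt`) is a quick way to confirm the CA bundle is complete before looking at the client side of a failing connection.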