Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 03:50:47PM +0200, Sebastien Marie wrote:
> On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
> > In this case, LibreSSL was Theo who unintentionally broke ikectl.
> >
> > I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.
> >
> > There are more pending changes for ikectl (e.g. from semarie@), but I'd like to fix this first.
>
> For new code at least, you should check the snprintf() return value for overflow. You could reuse the xsnprintf() code I sent previously if you want :)

I usually do one thing at a time. Yes, snprintf() doesn't check for overflow, but it is not adding any serious additional risk now - I wanted to fix basic operation of ikectl first.

I'm not fond of adding x* functions (like xmalloc) but I agree that the return values should be checked. But they should be checked everywhere - I didn't forget about your diff. So maybe xsnprintf() is OK in ikeca.c's specific case. Could you update and resend your ikectl diffs?

> And some other notes inline.

Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
[...]
@@ -489,6 +527,46 @@ fcopy(char *src, char *dst, mode_t mode) } int +fcopy_env(const char *src, const char *dst, mode_t mode) +{ returning int isn't useful: all errors are fatal and you always return 0 value (which is also unused by caller). Same here, I saw the useless return values in ikeca.c and just adopted the style. It might sound crazy, but it is actually an invitation to change it everywhere in a separate step (incl. fcopy()). + int ofd = -1, i; + u_int8_t buf[BUFSIZ]; + ssize_t r = -1, len; + FILE*ifp = NULL; + int saved_errno; + + if ((ifp = fopen(src, r)) == NULL) + err(1, fopen %s, src); + + if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1) + goto done; + + while (fgets(buf, sizeof(buf), ifp) != 0) { + for (i = 0; ca_env[i][0] != NULL; i++) { + if (ca_env[i][1] == NULL) + continue; + expand_string(buf, sizeof(buf), + ca_env[i][0], ca_env[i][1]); + } btw., the expand_string() return value is checked in the committed diff. something could go wrong here if fgets() partially read a normally expanded name: for example: file with `$ENV::CADB' inside one read: buf = ...$ENV::C expand don't found `$ENV::CADB' next read buf = ADB... `$ENV::CADB' wouldn't be expanded But how likely or valid is it that fgets() will return an incomplete line from a .cnf file? It must be BUFSIZ or a read from weird I/O (maybe fuse or NFS) but fgets() would return NULL on I/O errors. To be safe, I could a) check for feof() and ferror() and b) test if the returned line includes a newline. Growing a buffer from multiple lines doesn't seem to be necessary. Reyk + len = strlen(buf); + if (write(ofd, buf, len) != len) + goto done; + } + + r = 0; + + done: + saved_errno = errno; + close(ofd); + if (ifp != NULL) + fclose(ifp); + if (r == -1) + errc(1, saved_errno, open %s, dst); + + return (0); +} + -- Sebastien Marie --
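Review bot: the loop 'while (fgets(buf, sizeof(buf), ifp) != 0)' in fcopy_env() treats every chunk fgets() returns as a whole line, so a source line of BUFSIZ-1 bytes or more can be cut in the middle of a $ENV:: token, the expand_string() pass misses it, and the target .cnf is written with the literal token, which the rest of this thread shows LibreSSL will no longer resolve; after the fgets() call add a check such as 'if (strchr(buf, '\n') == NULL && !feof(ifp)) errx(1, "%s: line too long", src);' and test ferror(ifp) once the loop ends, so that a read error does not quietly produce a truncated target file. Two further points in the same hunk: 'u_int8_t buf[BUFSIZ]' is handed to fgets(), strlen() and expand_string(), which all take char *, so either declare it char or accept the pointer-sign warnings; and every failure funnels through 'goto done' into 'errc(1, saved_errno, open %s, dst)', which reports a short write(2) as a failed open of dst, while 'close(ofd)' also runs when ofd is still -1 because open() itself failed.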
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
> In this case, LibreSSL was Theo who unintentionally broke ikectl.
>
> I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.
>
> There are more pending changes for ikectl (e.g. from semarie@), but I'd like to fix this first.

For new code at least, you should check the snprintf() return value for overflow. You could reuse the xsnprintf() code I sent previously if you want :)

And some other notes inline.

Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
[...]
@@ -489,6 +527,46 @@ fcopy(char *src, char *dst, mode_t mode) } int +fcopy_env(const char *src, const char *dst, mode_t mode) +{ returning int isn't useful: all errors are fatal and you always return 0 value (which is also unused by caller). + int ofd = -1, i; + u_int8_t buf[BUFSIZ]; + ssize_t r = -1, len; + FILE*ifp = NULL; + int saved_errno; + + if ((ifp = fopen(src, r)) == NULL) + err(1, fopen %s, src); + + if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1) + goto done; + + while (fgets(buf, sizeof(buf), ifp) != 0) { + for (i = 0; ca_env[i][0] != NULL; i++) { + if (ca_env[i][1] == NULL) + continue; + expand_string(buf, sizeof(buf), + ca_env[i][0], ca_env[i][1]); + } something could go wrong here if fgets() partially read a normally expanded name: for example: file with `$ENV::CADB' inside one read: buf = ...$ENV::C expand don't found `$ENV::CADB' next read buf = ADB... `$ENV::CADB' wouldn't be expanded + len = strlen(buf); + if (write(ofd, buf, len) != len) + goto done; + } + + r = 0; + + done: + saved_errno = errno; + close(ofd); + if (ifp != NULL) + fclose(ifp); + if (r == -1) + errc(1, saved_errno, open %s, dst); + + return (0); +} + -- Sebastien Marie
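The failure mode raised in this review (a $ENV:: token cut in two by consecutive fgets() chunks) and the checks Reyk proposes in his reply above (a newline test plus feof() and ferror()) can be put together in one small expander. What follows is an added example written for this page, not ikectl's fcopy_env() or expand_string() code: the function names, the CNF_LINE_MAX limit, the CNF_* return codes, the table layout (names stored without the $ENV:: prefix), and the sample values /tmp/ikeca-demo, vpn.example.org and 192.0.2.1 with their .cnf fragment are all constructed for the demonstration. It also goes one step beyond the thread's diff: an unknown or unset $ENV:: name is treated as an error rather than copied through, so the generated file can never carry a token that LibreSSL will no longer resolve.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CNF_LINE_MAX 256	/* demo limit, kept small; ikectl uses BUFSIZ */
enum { CNF_OK = 0, CNF_ELINE, CNF_EVAR, CNF_EREAD, CNF_EWRITE };

/* Expand every "$ENV::NAME" in one line from vars ({ name, value }, NULL-terminated,
 * names without the prefix). Unknown or unset name: error, nothing unresolved leaks. */
int
expand_cnf_line(const char *in, char *out, size_t outsz,
    const char *const vars[][2])
{
	size_t o = 0;
	while (*in != '\0') {
		if (strncmp(in, "$ENV::", 6) == 0) {
			const char *name = in + 6, *val = NULL;
			size_t nlen = 0;
			int i, n;
			while (isalnum((unsigned char)name[nlen]) || name[nlen] == '_')
				nlen++;
			for (i = 0; vars[i][0] != NULL; i++)
				if (strlen(vars[i][0]) == nlen &&
				    strncmp(vars[i][0], name, nlen) == 0)
					val = vars[i][1];
			if (val == NULL)
				return -1;
			n = snprintf(out + o, outsz - o, "%s", val);	/* truncation is checked */
			if (n < 0 || (size_t)n >= outsz - o)
				return -1;
			o += (size_t)n;
			in = name + nlen;
		} else if (o + 1 >= outsz)
			return -1;
		else
			out[o++] = *in++;
	}
	out[o] = '\0';
	return 0;
}

/* Copy in to out line by line. A chunk without '\n' that is not at EOF means
 * fgets() split a long line and a "$ENV::" token may straddle the split, so
 * refuse it instead of copying it half-expanded; ferror() keeps a read error
 * from being mistaken for EOF. */
int
expand_cnf_file(FILE *in, FILE *out, const char *const vars[][2])
{
	char line[CNF_LINE_MAX], expanded[CNF_LINE_MAX * 4];
	while (fgets(line, sizeof(line), in) != NULL) {
		if (strchr(line, '\n') == NULL && !feof(in))
			return CNF_ELINE;
		if (expand_cnf_line(line, expanded, sizeof(expanded), vars) == -1)
			return CNF_EVAR;
		if (fputs(expanded, out) == EOF)
			return CNF_EWRITE;
	}
	return ferror(in) ? CNF_EREAD : CNF_OK;
}

/* Drive the file routine from a string via tmpfile(); output lands in outbuf. */
int
expand_cnf_string(const char *input, const char *const vars[][2],
    char *outbuf, size_t outsz)
{
	FILE *in = tmpfile(), *out = tmpfile();
	int rc = CNF_EREAD;
	size_t n = 0;
	if (in != NULL && out != NULL) {
		fputs(input, in);
		rewind(in);
		rc = expand_cnf_file(in, out, vars);
		rewind(out);
		n = fread(outbuf, 1, outsz - 1, out);
	}
	outbuf[n] = '\0';
	if (in != NULL) fclose(in);
	if (out != NULL) fclose(out);
	return rc;
}

/* Constructed sample table and .cnf fragment, not OpenBSD's shipped files. */
static const char *const demo_vars[][2] = { { "CADB", "/tmp/ikeca-demo" },
    { "CERTFQDN", "vpn.example.org" }, { "CERTIP", "192.0.2.1" }, { NULL, NULL } };
static const char demo_cnf[] = "[ x509v3_FQDN ]\nsubjectAltName=DNS:$ENV::CERTFQDN\ndir=$ENV::CADB\n";
static const char demo_expected[] = "[ x509v3_FQDN ]\nsubjectAltName=DNS:vpn.example.org\ndir=/tmp/ikeca-demo\n";

/* Normal path, an unknown variable (CERT_O is not in demo_vars) and an over-long line. */
int
self_check(void)
{
	char out[512], longline[CNF_LINE_MAX + 64];
	int passed = 0;
	passed += expand_cnf_string(demo_cnf, demo_vars, out, sizeof(out)) == CNF_OK && strcmp(out, demo_expected) == 0;
	passed += expand_cnf_string("x=$ENV::CERT_O\n", demo_vars, out, sizeof(out)) == CNF_EVAR;
	memset(longline, 'a', sizeof(longline) - 2);
	longline[sizeof(longline) - 2] = '\n';
	longline[sizeof(longline) - 1] = '\0';
	passed += expand_cnf_string(longline, demo_vars, out, sizeof(out)) == CNF_ELINE;
	return passed;	/* 3 when all three behaved as described */
}
```

expand_cnf_string() only exists so the file routine can be driven from a string; in a tool it would be replaced by fopen()/open() of the source and target paths, as ikectl does. Because fgets() reads at most CNF_LINE_MAX-1 bytes, a line of exactly that length is rejected as well even though it has not lost anything, which is the conservative side to err on for a file that ends up deciding a certificate's subjectAltName.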
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
> I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.
>
> There are more pending changes for ikectl (e.g. from semarie@), but I'd like to fix this first.
>
> OK?
>
> Reyk

Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile 18 Jan 2014 05:54:51 - 1.3
+++ Makefile 19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@ .PATH: ${.CURDIR}/../../sbin/iked PROG=ikectl -SRCS=log.c ikeca.c ikectl.c parser.c +SRCS=log.c ikeca.c ikectl.c parser.c util.c

util.c is missing from the diff.

--
Sebastien Marie
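Review bot: the hunk's own context line '.PATH: ${.CURDIR}/../../sbin/iked' is why the new 'util.c' in SRCS builds although no util.c appears in the diff: make(1) resolves it from iked's source directory, which Reyk confirms in his reply ('util.c is pulled in from the iked folder'). That makes ikectl depend on a file it does not own, so a short comment next to SRCS naming the files that come from that directory would spare the next reader the same question.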
Re: iked rsa pki configuration
On 2015-08-19, Sebastien Marie <sema...@openbsd.org> wrote:
> On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
> > I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.
> >
> > There are more pending changes for ikectl (e.g. from semarie@), but I'd like to fix this first.
> >
> > OK?
> >
> > Reyk

Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile 18 Jan 2014 05:54:51 - 1.3
+++ Makefile 19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@ .PATH: ${.CURDIR}/../../sbin/iked PROG= ikectl -SRCS= log.c ikeca.c ikectl.c parser.c +SRCS= log.c ikeca.c ikectl.c parser.c util.c

> util.c is missing from the diff.

util.c is pulled in from the iked folder. It is already in the tree.
Re: iked rsa pki configuration
On 2015-08-19, Reyk Floeter <r...@openbsd.org> wrote:
> On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote:
> > On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
> > > On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
> > > > Hi,
> > > >
> > > > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behind a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with:
> > > >
> > > > ca_getreq: no valid local certificate found
> > > >
> > > > I turn to the mailing list to see if anybody can point me in the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html
> > > >
> > > > I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf.
> > > >
> > > > On the server side I did the following:
> > > >
> > > > # ikectl ca ikeca create
> > > > [...]
> > > > Signature ok
> > > > subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > > > Getting Private key
> > > > Using configuration from /etc/ssl/openssl.cnf
> > > > variable lookup failed for ca::default_ca
> > > > 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
> > >
> > > It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf or ikeca.cnf* seems to be broken, or no longer supported because of security concerns.
> > >
> > > Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl):
> > >
> > > > ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > > > ca_x509_subjectaltname: FQDN/nohost.nodomain
> > > > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> > > > ca_getreq: no valid local certificate found
> > >
> > > If libressl no longer supports $ENV in the .cnf files, we have to find another way, e.g. by generating and using a .cnf file for each certificate.
> >
> > LibreSSL purposefully removed support for environment variables in http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2
> >
> > So another way is indeed needed.
>
> In this case, LibreSSL was Theo who unintentionally broke ikectl.
>
> I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.

The patch fixes certificate generation for me. SubjectAltName gets set correctly and iked is happy. It is unfortunate that openssl does not accept SANs as command line arguments. I like the nice string expansion solution. Maybe libtls will wrap this up nicely, making it possible to generate the certificates through the API.
Re: iked rsa pki configuration
On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote:
> On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
> > On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
> > > Hi,
> > >
> > > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behind a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with:
> > >
> > > ca_getreq: no valid local certificate found
> > >
> > > I turn to the mailing list to see if anybody can point me in the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html
> > >
> > > I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf.
> > >
> > > On the server side I did the following:
> > >
> > > # ikectl ca ikeca create
> > > [...]
> > > Signature ok
> > > subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > > Getting Private key
> > > Using configuration from /etc/ssl/openssl.cnf
> > > variable lookup failed for ca::default_ca
> > > 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
> >
> > It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf or ikeca.cnf* seems to be broken, or no longer supported because of security concerns.
> >
> > Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl):
> >
> > > ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > > ca_x509_subjectaltname: FQDN/nohost.nodomain
> > > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> > > ca_getreq: no valid local certificate found
> >
> > If libressl no longer supports $ENV in the .cnf files, we have to find another way, e.g. by generating and using a .cnf file for each certificate.
>
> LibreSSL purposefully removed support for environment variables in http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2
>
> So another way is indeed needed.

In this case, LibreSSL was Theo who unintentionally broke ikectl.

I attached a diff that generates new .cnf files by expanding the variables in the source .cnf files and generating target .cnf files. It works with both ikeca.cnf and x509v3.cnf (ignore the warnings), but you/we should install ikeca.cnf to /etc/ssl/ by default.

There are more pending changes for ikectl (e.g. from semarie@), but I'd like to fix this first.

OK?

Reyk

Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile 18 Jan 2014 05:54:51 - 1.3
+++ Makefile 19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@ .PATH: ${.CURDIR}/../../sbin/iked PROG= ikectl -SRCS= log.c ikeca.c ikectl.c parser.c +SRCS= log.c ikeca.c ikectl.c parser.c util.c MAN= ikectl.8
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 - 1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
@@ -82,13 +82,39 @@ struct { { /private, 0700 } }; -int ca_sign(struct ca *, char *, int, char *); +/* explicitly list allowed variables */ +const char *ca_env[][2] = { + { $ENV::CADB, NULL }, + { $ENV::CERTFQDN, NULL }, + { $ENV::CERTIP, NULL }, + { $ENV::CERTPATHLEN, NULL }, + { $ENV::CERTUSAGE, NULL }, + { $ENV::CERT_C, NULL }, + { $ENV::CERT_CN, NULL }, + { $ENV::CERT_EMAIL, NULL }, + { $ENV::CERT_L, NULL }, + { $ENV::CERT_O, NULL }, + { $ENV::CERT_OU, NULL }, + { $ENV::CERT_ST, NULL }, + { $ENV::EXTCERTUSAGE, NULL }, + { $ENV::NSCERTTYPE, NULL }, + { NULL } +}; + +int ca_sign(struct ca *, char *, int); int ca_request(struct ca *, char *); int ca_newpass(char *, char *); char * ca_readpass(char *, size_t *); int fcopy(char *, char *, mode_t); +int fcopy_env(const char *, const char *, mode_t); int rm_dir(char *); int ca_hier(char *); +voidca_setenv(const char *, const char *); +voidca_clrenv(void); +voidca_setcnf(struct ca *, const char *); + +/*
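Review bot: ca_env[] is the allow-list that stands in for the $ENV:: lookup LibreSSL removed, but '/* explicitly list allowed variables */' says nothing about what happens to a name that is not in the list: with the expansion loop substituting only table entries, any other $ENV:: token is copied into the generated .cnf verbatim, so spell that out in the comment and consider failing instead, since a misspelled name would otherwise surface only as a certificate with the wrong subjectAltName, exactly the symptom this thread started with. Also in this hunk, '-int ca_sign(struct ca *, char *, int, char *);' becomes '+int ca_sign(struct ca *, char *, int);', so every caller of ca_sign() must be updated in the rest of the diff; the hunk shows only the prototype.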
Re: iked rsa pki configuration
On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
> Hi,
>
> I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behind a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with:
>
> ca_getreq: no valid local certificate found
>
> I turn to the mailing list to see if anybody can point me in the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html
>
> I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf.
>
> On the server side I did the following:
>
> # ikectl ca ikeca create
> [...]
> Signature ok
> subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> Getting Private key
> Using configuration from /etc/ssl/openssl.cnf
> variable lookup failed for ca::default_ca
> 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca

It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf or ikeca.cnf* seems to be broken, or no longer supported because of security concerns.

Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl):

> ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> ca_x509_subjectaltname: FQDN/nohost.nodomain
> ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> ca_getreq: no valid local certificate found

If libressl no longer supports $ENV in the .cnf files, we have to find another way, e.g. by generating and using a .cnf file for each certificate.

As a workaround, you could try to edit CERTFQDN/CERTIP in x509v3.cnf/ikeca.cnf manually before generating the certificate.

*) ikeca.cnf is an alternative to x509v3.cnf that sets some additional x509 attributes that are required for Windows interop and some other cases. It is not installed by default (why?) and found in src/usr.sbin/ikectl/ikeca.cnf of the source tree.

Reyk

> # ikectl ca ikeca certificate 188.226.168.224 create
> [...]
> Signature ok
> subject=/C=NL/CN=188.226.168.224/emailAddress=j...@joachim.cc
> Getting CA Private Key
>
> # ikectl ca ikeca certificate asterix.my.domain create
> [...]
> Signature ok
> subject=/C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc
> Getting CA Private Key
>
> # ikectl ca ikeca install
> certificate for CA 'ikeca' installed into /etc/iked/ca/ca.crt
>
> # ikectl ca ikeca certificate 188.226.168.224 install
> writing RSA key
>
> # ikectl ca ikeca certificate asterix.my.domain export
> Export passphrase:
> Retype export passphrase:
> writing RSA key
> exported files in /root/asterix.my.domain.tgz
>
> On the client side then I did the following:
>
> asterix% sudo tar -C /etc/iked -xzpf asterix.my.domain.tgz
>
> The server configuration files look like this:
>
> iked.conf:
>
> local_ip = 188.226.168.224
>
> ikev2 passive ipcomp esp \
>         from 0.0.0.0/0 to 10.0.0.0/8 \
>         from 0.0.0.0/0 to 172.16.0.0/12 \
>         from 0.0.0.0/0 to 192.168.0.0/16 \
>         local $local_ip peer any \
>         srcid $local_ip \
>         tag IKED
>
> pf.conf (partial):
>
> set skip on { lo, enc }
> block in log
> pass in quick inet proto icmp icmp-type { echoreq, unreach }
> pass in on egress proto { ah, esp }
> pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
> pass out all modulate state
> pass out log on egress \
>         from any to any tagged IKED \
>         nat-to (egress)
>
> The client configuration files look like this:
>
> iked.conf:
>
> lan = 192.168.1.0/24
> remote_gw = 188.226.168.224
>
> ikev2 active esp \
>         from $lan to 0.0.0.0/0 \
>         peer $remote_gw \
>         srcid asterix.my.domain \
>         tag IKED
>
> Here's the output of iked -dvv on the client side:
>
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_reload: loaded ca file ca.crt
> ca_reload: /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file asterix.my.domain.crt
> ca_validate_cert: /C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc ok
> ca_reload: local cert type X509_CERT
> lan = 192.168.1.0/24
> remote_gw = 188.226.168.224
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> /etc/iked.conf: loaded 1 configuration rules
> config_getocsp: ocsp_url none
> config_getpolicy: received policy ikev2 policy1 active esp inet from 192.168.1.0/24 to 0.0.0.0/0 local any
Re: iked rsa pki configuration
On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
> On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
> > Hi,
> >
> > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behind a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with:
> >
> > ca_getreq: no valid local certificate found
> >
> > I turn to the mailing list to see if anybody can point me in the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html
> >
> > I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf.
> >
> > On the server side I did the following:
> >
> > # ikectl ca ikeca create
> > [...]
> > Signature ok
> > subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > Getting Private key
> > Using configuration from /etc/ssl/openssl.cnf
> > variable lookup failed for ca::default_ca
> > 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
>
> It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf or ikeca.cnf* seems to be broken, or no longer supported because of security concerns.
>
> Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl):
>
> > ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > ca_x509_subjectaltname: FQDN/nohost.nodomain
> > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> > ca_getreq: no valid local certificate found
>
> If libressl no longer supports $ENV in the .cnf files, we have to find another way, e.g. by generating and using a .cnf file for each certificate.

LibreSSL purposefully removed support for environment variables in http://marc.info/?l=openbsd-cvs&m=142876823016723&w=2

So another way is indeed needed.
Re: iked rsa pki configuration
On 2015-08-18, Reyk Floeter <r...@openbsd.org> wrote:
> On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
> > Hi,
> >
> > I'm currently trying to set up a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behind a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with:
> >
> > ca_getreq: no valid local certificate found
> >
> > I turn to the mailing list to see if anybody can point me in the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html
> >
> > I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf.
> >
> > On the server side I did the following:
> >
> > # ikectl ca ikeca create
> > [...]
> > Signature ok
> > subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > Getting Private key
> > Using configuration from /etc/ssl/openssl.cnf
> > variable lookup failed for ca::default_ca
> > 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
>
> It seems that the changes in LibreSSL (or newer OpenSSL before the fork) broke some things in ikectl. Specifically, the possibility to overwrite variables like CERTIP or CERTFQDN via $ENV:: options in x509v3.cnf or ikeca.cnf* seems to be broken, or no longer supported because of security concerns.
>
> Your log file gives a hint that the default CERTFQDN = nohost.nodomain value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead of the CERTFQDN overwrite from the environment (as set by ikectl):
>
> > ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
> > ca_x509_subjectaltname: FQDN/nohost.nodomain
> > ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
> > ca_getreq: no valid local certificate found
>
> If libressl no longer supports $ENV in the .cnf files, we have to find another way, e.g. by generating and using a .cnf file for each certificate.
>
> As a workaround, you could try to edit CERTFQDN/CERTIP in x509v3.cnf/ikeca.cnf manually before generating the certificate.

Manually editing x509v3.cnf permitted me to create valid certificates and solved the problem. Strange that I am the first one to run into this problem. Thank you very much for the quick support!