Re: did 70-006_x509 break ikectl ca ?

2021-12-15 Thread Harald Dunkel

Hi Tobias,

I kicked out the whole PKI including keys and self-signed certificate
and tried again. The new keys and certificates work, but looking at the
signatures, expiration dates, access rights and all the other usual suspects
the old chain should have worked, too.

It's still unresolved and it might come back.


Regards

Harri

On 2021-12-13 20:28:11, Tobias Heider wrote:

> On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:
> 
> > Hi folks,
> > 
> > since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
> > (2 hosts on each end, carp interface, passive by default, managed via
> > sasyncd) appears to be broken. /var/log/messages says
> > 
> > Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: 
> > ikev2_dispatch_cert: peer certificate is invalid
> > 
> > certificates have been generated using ikectl ca.
> > 
> > How come? I haven't changed the ca or the ike configuration since
> > 6.8.
> > 
> > Unfortunately rolling back the syspatch or issuing new certificates
> > did not help. I am stuck and desperate.
> > 
> > 
> > Every helpful comment is highly appreciated.
> > 
> > Harri
> 
> 
> Hi Harald,
> 
> I haven't heard of any problems with the syspatch you mention and I didn't
> manage to reproduce your problem on my 7.0 machine.  From your description
> I'm assuming all four machines are running syspatched 7.0.
> 
> Some ideas:
> - to verify that this is a libcrypto problem, try
>    'openssl verify -CAfile /path/to/ca /path/to/cert' and see if it still fails.
> - You are saying newly generated certs don't work. Did you modify
>    '/etc/ssl/ikeca.cnf'?  If yes, see if it works with the original config.
> - This is just a guess, but there were several changes in recent libcrypto
>    versions that made the certificate parsing stricter. Does your cert maybe
>    have multiple extensions of the same type (e.g. multiple subjectAltNames)?
> 
> This is all I can say without seeing the actual certificates and/or iked log.
> 
> - Tobias




--
Dipl.-Ing. Harald Dunkel     |
Muehlenbachstr. 3            |  keep it simple
52134 Herzogenrath, Germany  |
+49 2407 565 105             |



Re: did 70-006_x509 break ikectl ca ?

2021-12-13 Thread Tobias Heider
On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
> (2 hosts on each end, carp interface, passive by default, managed via
> sasyncd) appears to be broken. /var/log/messages says
> 
> Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: 
> ikev2_dispatch_cert: peer certificate is invalid
> 
> certificates have been generated using ikectl ca.
> 
> How come? I haven't changed the ca or the ike configuration since
> 6.8.
> 
> Unfortunately rolling back the syspatch or issuing new certificates
> did not help. I am stuck and desperate.
> 
> 
> Every helpful comment is highly appreciated.
> 
> Harri

Hi Harald,

I haven't heard of any problems with the syspatch you mention and I didn't
manage to reproduce your problem on my 7.0 machine.  From your description
I'm assuming all four machines are running syspatched 7.0.

Some ideas:
- to verify that this is a libcrypto problem, try
  'openssl verify -CAfile /path/to/ca /path/to/cert' and see if it still fails.
- You are saying newly generated certs don't work. Did you modify
  '/etc/ssl/ikeca.cnf'?  If yes, see if it works with the original config.
- This is just a guess, but there were several changes in recent libcrypto
  versions that made the certificate parsing stricter. Does your cert maybe
  have multiple extensions of the same type (e.g. multiple subjectAltNames)?

This is all I can say without seeing the actual certificates and/or iked log.

- Tobias
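The two checks Tobias suggests, written out as an added example that is not part of this thread and not OpenBSD's or ikectl's own code: a shell script that builds a throwaway CA and leaf certificate with openssl, runs 'openssl verify -CAfile' against the right and against an unrelated CA, and scans the text dump of a certificate for X.509 extensions that occur more than once (the stricter parsing he mentions). The CA names, the host name gate5a.example.net and the config sections are constructed for the example; /etc/ssl/ikeca.cnf and the real ikectl CA are not touched. It assumes an openssl binary (LibreSSL or OpenSSL) on PATH.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds a throwaway CA and a leaf
# certificate, then runs the two checks from Tobias' reply:
#   1. 'openssl verify -CAfile <ca> <cert>' (the libcrypto path iked relies on)
#   2. look for X.509 extensions that occur more than once in a certificate
# Names (example-ca, other-ca, gate5a.example.net) and the config sections
# below are constructed for this example; /etc/ssl/ikeca.cnf is not touched.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config, constructed here. 'leaf_ext' carries one SAN only.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:gate5a.example.net
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# A self-signed CA, an unrelated second CA, and a leaf signed by the first.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=other-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/CN=gate5a.example.net" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.crt" 2>/dev/null

verify_against_ca() {
    # $1 = CA file, $2 = certificate. Prints "<cert>: OK" and returns 0 when
    # the chain validates; prints the reason and returns non-zero otherwise.
    openssl verify -CAfile "$1" "$2"
}

duplicate_extensions() {
    # Reads 'openssl x509 -noout -text' output on stdin and prints every
    # extension name that occurs more than once. In that dump the extension
    # names sit exactly 12 spaces deep under "X509v3 extensions:" and their
    # values deeper, so indentation is what separates names from values.
    sed -n '/X509v3 extensions:/,/Signature Algorithm/p' \
      | sed -n 's/^            \([^ ].*\)$/\1/p' \
      | sed 's/: *critical *$//; s/: *$//' \
      | sort | uniq -d
}

cert_duplicate_extensions() {
    # The same check run against a certificate file.
    openssl x509 -in "$1" -noout -text | duplicate_extensions
}

# Constructed dump fragment (not a real certificate) with two subjectAltName
# extensions, the situation Tobias asks about; openssl will not produce one
# here, so the detector is exercised on this text instead.
SAMPLE_DUMP='Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:gate5a.example.net
            X509v3 Subject Alternative Name:
                DNS:gate5b.example.net
    Signature Algorithm: sha256WithRSAEncryption'

echo "== leaf against its own CA (expected: OK) =="
verify_against_ca "$WORK/ca.crt" "$WORK/leaf.crt"
echo "== leaf against an unrelated CA (expected: failure) =="
verify_against_ca "$WORK/other.crt" "$WORK/leaf.crt" || echo "rejected as expected"
echo "== duplicated extensions in the generated leaf (expected: none) =="
cert_duplicate_extensions "$WORK/leaf.crt"
echo "== duplicated extensions in the constructed dump =="
printf '%s\n' "$SAMPLE_DUMP" | duplicate_extensions
```

To run it against a real iked setup, point verify_against_ca at the CA certificate and the local or peer certificate that ikectl produced, and pipe 'openssl x509 -in <cert> -noout -text' into duplicate_extensions; a non-empty result from the latter is exactly the kind of certificate a stricter libcrypto rejects, and a failing verify on the same files iked loads reproduces the "peer certificate is invalid" path outside iked.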



did 70-006_x509 break ikectl ca ?

2021-12-12 Thread Harald Dunkel

Hi folks,

since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
(2 hosts on each end, carp interface, passive by default, managed via
sasyncd) appears to be broken. /var/log/messages says

Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: 
ikev2_dispatch_cert: peer certificate is invalid

certificates have been generated using ikectl ca.

How come? I haven't changed the ca or the ike configuration since
6.8.

Unfortunately rolling back the syspatch or issuing new certificates
did not help. I am stuck and desperate.


Every helpful comment is highly appreciated.

Harri