On 2016/09/14 3:09 PM, Tuomo Soini wrote:

>> Attempts to import a CRL file into the NSS database using
>> crlutil fail with "crlutil: unable to import CRL:
>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
>
> All crls are expected to be in der format but pem is supported too.
> Your error sounds like crl is not in correct format. That also explains
> why you don't see your crl in ipsec auto --listcrls.

CRL is bog standard as generated by "openssl ca" exactly the same way I've been generating them since the FreeSWAN days; but please see my other reply to Paul with some additional logging I was able to generate with "plutodebug=x509" (part also copied below).

> It's required that CA matching crl is in nss db for crls to work - so
> you can't import crl from CA which is not in your nss db.

The CA is definitely present in the NSS db, and seems to be found:

Sep 14 14:54:33 mail2 pluto[17331]: Changing to directory '/etc/ipsec.d/crls'
Sep 14 14:54:33 mail2 pluto[17331]:   loading crl file 'crl.pem' (1223bytes)
Sep 14 14:54:33 mail2 pluto[17331]: crl issuer found MAEI Root Certificate : nick [email protected],CN=MAEI Root Certificate,OU=InformationTechnology,O=Morningstar Air Express Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
Sep 14 14:54:33 mail2 pluto[17331]: could not find CRL URI ext -8157

I'm wondering about the "could not find CRL URI..." problem, though.

Nels Lindquist
----
<[email protected]>
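The two checks Tuomo points at (is the CRL actually DER or PEM, and is its issuing CA in the NSS database) can be scripted before anything is handed to crlutil or dropped into /etc/ipsec.d/crls. The following is an added example written for this thread; it is not code from the thread or from libreswan. The function names are made up here, the NSS database path `sql:/etc/ipsec.d` is an assumption about the libreswan install, and the `certutil`/`crlutil` invocations are the standard NSS forms (`-L -n` to look up a nickname, `-I -i` to import a CRL file):

```shell
#!/bin/sh
# Added example (not from the original thread or from libreswan):
# 1. classify a CRL file as PEM or DER from its leading bytes,
# 2. normalise it to DER, which is what pluto and crlutil expect,
# 3. confirm the CRL issuer DN equals the subject DN of a CA certificate,
# 4. check that the CA nickname is present in the NSS db before importing.
# The NSS database path sql:/etc/ipsec.d used in the comments is an assumption.

# crl_format FILE: print PEM, DER or UNKNOWN based on the first bytes of FILE.
crl_format() {
    f="$1"
    if dd if="$f" bs=32 count=1 2>/dev/null | grep -q -- '-----BEGIN X509 CRL-----'; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        # A DER-encoded CertificateList starts with an ASN.1 SEQUENCE tag (0x30).
        echo DER
    else
        echo UNKNOWN
    fi
}

# crl_to_der SRC DST: write a DER copy of SRC to DST; fail on anything that is
# neither PEM nor DER (the SEC_ERROR_CRL_INVALID case from the thread).
crl_to_der() {
    case "$(crl_format "$1")" in
        PEM) openssl crl -in "$1" -inform PEM -outform DER -out "$2" ;;
        DER) cp "$1" "$2" ;;
        *)   echo "$1: not a PEM or DER CRL" >&2; return 1 ;;
    esac
}

# crl_issuer_matches_ca CRL CACERT: succeed when the CRL issuer DN equals the
# CA certificate subject DN. The same openssl build prints both DNs in the
# same one-line style, so a string compare works once the "issuer="/"subject="
# prefix is stripped.
crl_issuer_matches_ca() {
    crl="$1"; ca="$2"
    fmt=$(crl_format "$crl")
    [ "$fmt" != UNKNOWN ] || return 1
    issuer=$(openssl crl -in "$crl" -inform "$fmt" -noout -issuer | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^[a-z]*= *//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# nss_has_ca DBDIR NICK: succeed when a certificate with nickname NICK exists in
# the NSS database DBDIR (e.g. sql:/etc/ipsec.d, assumed path).
nss_has_ca() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# import_crl DBDIR CRLFILE: import a DER CRL into the NSS database.
import_crl() {
    crlutil -I -i "$2" -d "$1"
}

# Example use (commented out; needs openssl and the NSS tools installed):
#   crl_to_der crl.pem crl.der
#   crl_issuer_matches_ca crl.der ca.pem && nss_has_ca sql:/etc/ipsec.d "MAEI Root Certificate" \
#       && import_crl sql:/etc/ipsec.d crl.der
```

Run the issuer check against the CA certificate that is actually in the NSS database, not against whichever CA file happens to be lying in the working directory; a DN mismatch there is exactly the "CA not in nss db" condition described above, and it is cheaper to catch on the command line than by reading pluto's x509 debug output.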