Strongswan 5.1.2 on Android. Am I correct in understanding that the rightca= ipsec.conf directive should over-rule sending CERTREQs for each of the certs in ...ipsec.d/cacerts/ ? That is, only the CERTREQ for rightca should be requested?
If so, that sounds like what I want, but I'm seeing:

...
17:03:45 00[CFG] *loaded ca certificate "C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C" from '<path-to-certs>/ipsec.d/cacerts/entrust_l1c.cer'*
17:03:45 00[CFG] loaded ca certificate "O=Entrust.net, OU= www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)" from '<path-to-certs>/ipsec.d/cacerts/entrust_2048_chain_root.cer'
17:03:45 00[CFG] loaded ca certificate "C=US, O=Entrust.net, OU= www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority" from '<path-to-certs>/ipsec.d/cacerts/entrust_ssl_ca.cer'
...
17:03:45 06[CFG] CA certificate *"C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C" not found, discarding CA constraint*

[Where <path-to-certs> is where my ipsec.d directory is located]

The error seems pretty clear: I'm mis-configuring rightca= ... However, can anyone help me, as to me the "not found" line matches exactly one of the "loaded ca certificate" lines above it. Namely:

loaded ca certificate "C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C"

vs.

"C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C" not found

Those two DNs are the same. What am I missing? Is there a different format for rightca than I'm using? Does it perhaps need just the "CN=" part or something?

Thanks,
~Mark
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
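The post above compares two DNs by eye and finds them identical. An added example (not strongSwan code, and not the poster's): a small Python checker that parses the printable DN form seen in the log into its RDN components and compares the configured rightca= value with the loaded-CA DN structurally, so a mismatch can be narrowed down to whitespace, attribute-type case, or how commas inside a value such as "O=Entrust, Inc." are treated. It assumes RFC 4514-style conventions (a comma starts a new RDN only when followed by TYPE=, and "\," is a literal comma); how strongSwan's own parser handles these cases is not shown on this page, so that is an assumption to verify against the version in use. The second DN below is a constructed variant, not one from the log.

```python
"""Structural comparison of X.500 DN strings (added example, not strongSwan code).

Parses "TYPE=value, TYPE=value" into (type, value) pairs and reports where two
DNs that look alike actually differ. Comma handling follows RFC 4514 style as
an assumption; strongSwan's own parser is not reproduced here.
"""
import re
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]

# Split only at a comma that begins a new "TYPE=" attribute. A comma inside a
# value (as in "O=Entrust, Inc.") does not satisfy the lookahead and is kept.
_RDN_BOUNDARY = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def split_rdns_naive(dn: str) -> List[str]:
    """Split on every comma, the way a parser with no value-comma handling would."""
    return [part.strip() for part in dn.split(",")]


def parse_dn(dn: str) -> List[RDN]:
    """Parse a printable DN into (attribute type, value) pairs, left to right."""
    rdns: List[RDN] = []
    for chunk in _RDN_BOUNDARY.split(dn.strip()):
        if "=" not in chunk:
            raise ValueError(f"RDN without '=': {chunk!r}")
        attr_type, value = chunk.split("=", 1)
        # "\," (RFC 4514 escape) becomes a literal comma in the value.
        rdns.append((attr_type.strip(), value.strip().replace("\\,", ",")))
    return rdns


def normalize(rdns: List[RDN]) -> List[RDN]:
    """Apply a caseIgnore-style match: upper-case types, collapse whitespace,
    case-fold values. This is the looser comparison; exact RDN equality is stricter."""
    return [(t.upper(), " ".join(v.split()).casefold()) for t, v in rdns]


def compare_dns(configured: str, loaded: str) -> Dict[str, object]:
    """Report how a configured DN (e.g. a rightca= value) relates to a loaded-CA DN."""
    a, b = parse_dn(configured), parse_dn(loaded)
    first_diff: Optional[Tuple[int, RDN, RDN]] = next(
        ((i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y), None
    )
    return {
        "same_text": configured == loaded,
        "same_rdns": a == b,
        "same_after_normalizing": normalize(a) == normalize(b),
        "rdn_count": (len(a), len(b)),
        # How many pieces a comma-only split would produce for each DN.
        "naive_parts": (len(split_rdns_naive(configured)),
                        len(split_rdns_naive(loaded))),
        "first_difference": first_diff,
    }


# DN exactly as it appears in the log lines quoted in the post.
LOADED_L1C = ("C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by "
              "reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification "
              "Authority - L1C")

# Constructed variant: lower-case "cn" and a doubled space in the value. It is
# not from the post; it shows a DN that is equal after normalizing but not exactly.
RIGHTCA_VARIANT = ("C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by "
                   "reference, OU=(c) 2009 Entrust, Inc., cn=Entrust  Certification "
                   "Authority - L1C")

if __name__ == "__main__":
    for label, dn in (("identical", LOADED_L1C), ("variant", RIGHTCA_VARIANT)):
        report = compare_dns(dn, LOADED_L1C)
        print(f"--- configured DN: {label}")
        for key, val in report.items():
            print(f"{key:>24}: {val}")
```

Run it with the rightca= value actually typed into ipsec.conf in place of the variant: if naive_parts differs from rdn_count, the DN contains a comma inside a value and is a candidate for quoting or escaping trouble in the configuration; if same_after_normalizing is true but same_rdns is false, the difference is only case or whitespace.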
