Got it, turned out to be the result of a cert getting corrupted.

On Tue, Sep 30, 2014 at 09:46:34PM -0400, Shea Levy wrote:
> Hi Andreas,
>
> I'm getting the following error on startup when trying to use pkcs12:
>
>> Oct 01 03:16:13 machine2 charon[2576]: 00[LIB] building CRED_CONTAINER - PKCS12 failed, tried 2 builders
>> Oct 01 03:16:13 machine2 charon[2576]: 00[CFG] loading credentials from '/etc/x509/strongswan.p12' failed
>
> strace shows the file being opened and mmapped just before this failure.
>
> Config files: https://gist.github.com/shlevy/cab44a79c200140c5647
>
> ~Shea
>
> On Thu, Sep 25, 2014 at 08:43:06AM +0200, Andreas Steffen wrote:
> > Hi Shea,
> >
> > concatenating multiple certificates into a single PEM file is not
> > supported by strongSwan. You could import the user certificate,
> > the corresponding private key and the trust chain via a key file
> > in PKCS#12 format as in the following example:
> >
> > http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.secrets
> >
> > The user certificate and any intermediate certificates will be
> > sent to the peer via the IKE protocol.
> >
> > In ipsec.conf you don't need a leftcert parameter. Just indicate
> > leftid so that the matching user certificate can be found.
> >
> > http://www.strongswan.org/uml/testresults/ikev2/net2net-pkcs12/moon.ipsec.conf
> >
> > Best regards
> >
> > Andreas
> >
> > On 09/24/2014 10:14 PM, Shea Levy wrote:
> > > Hi all,
> > >
> > > I have the setup described at [1] working currently.
> > > shea-intermediate.crt is signed by zalora-ca.crt, and each machine's
> > > cert in /etc/x509 is signed by and concatenated with
> > > shea-intermediate.crt. If I remove the 'ca inter' section from each
> > > config, I get:
> > >
> > >> no issuer certificate found for "C=SG, ST=Singapore, O=Zalora,
> > >> OU=DevOps, CN=strongswan-ebc130d19292466287791571653eac79,
> > >> [email protected]"
> > >
> > > Is there any way to get this to work without each machine needing to
> > > know about the intermediate cas that may be used by the others? Since
> > > the intermediate ca is signed by the root ca and bundled with the
> > > end-user ca, it seems like it shouldn't be necessary...
> > >
> > > ~Shea
> > >
> > > [1]: https://gist.github.com/shlevy/99c8008c9b0043bc4afc
> >
> > ======================================================================
> > Andreas Steffen                         [email protected]
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
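An added example, not code from the thread or from strongSwan: a stdlib-only Python check of the outer DER structure of a PKCS#12 (PFX) file, the kind of damage (truncation, trailing bytes, a PEM file saved under a .p12 name) that makes charon's PKCS12 builders fail before any certificate inside is examined. The sample bytes are a constructed minimal PFX v3 (version INTEGER 3 plus an authSafe ContentInfo carrying an empty id-data OCTET STRING), and the path argument is whatever file you want to test.

```python
import sys


def read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length %d overruns file at offset %d" % (length, pos))
    return tag, pos, pos + length


def check_pfx(data):
    """Return None if data is a plausible DER PFX v3, else a string saying why not.

    PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not a DER PKCS#12 container"
    try:
        tag, pos, end = read_tlv(data, 0)
        if tag != 0x30:
            return "outer tag 0x%02x is not SEQUENCE" % tag
        if end != len(data):
            return "trailing bytes (%d) after the outer SEQUENCE" % (len(data) - end)
        tag, vs, pos = read_tlv(data, pos)       # version
        if tag != 0x02 or data[vs:pos] != b"\x03":
            return "version is not 3"
        tag, _, pos = read_tlv(data, pos)        # authSafe ContentInfo
        if tag != 0x30:
            return "authSafe is not a SEQUENCE"
        if pos < end:                            # optional macData
            tag, _, pos = read_tlv(data, pos)
            if tag != 0x30:
                return "macData is not a SEQUENCE"
        if pos != end:
            return "unexpected bytes inside the PFX"
    except ValueError as exc:
        return "malformed DER: %s" % exc
    return None


# Constructed sample: version 3 + authSafe with id-data OID and an empty OCTET STRING.
SAMPLE_PFX = bytes.fromhex("3014020103300f06092a864886f70d010701a0020400")

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:       # e.g. /etc/x509/strongswan.p12
        problem = check_pfx(f.read())
    print("ok" if problem is None else problem)
```

This only proves the container is well-formed DER; a clean result still leaves the MAC, the password and the certificates inside to be verified by strongSwan itself.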
