Re: [strongSwan] Can't load certificates and keys via symlink

Fri, 10 Feb 2017 03:21:12 -0800 

It seems we are talking about two different things.
I have used the LetsEncrypt certificate to authenticate the server itself. Peers are using username and password using EAP, that's not an issue. 


The problem is charon is refusing to load the cert file via symbolic 
link, giving me "Permission denied error". That's the problem I'm trying 
to solve right now. Apart from that everything works fine.


On 10.2.2017 11:05, Noel Kuntze wrote:

Am 10.02.2017 um 00:22 schrieb Jose Novacho:

if I replace the symbolic link with the actual file fullchain1.pem everything 
works as expected.

I have also replaced the link, so it points at the  
/etc/letsencrypt//archive//trinity.ingames.cz/cert1.pem file. But that didn't 
help either. I'm still getting permission denied on the cert file.

Do you know which of the following LestEncrypt files is the correct one?

/root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
celkem 24
drwxr-xr-x 2 root root 4096 úno  6 20:51 .
drwx------ 3 root root 4096 úno  6 20:51 ..
-rw-r--r-- 1 root root 1805 úno  6 20:51 cert1.pem
-rw-r--r-- 1 root root 3452 úno  6 20:51 fullchain1.pem
-rw-r--r-- 1 root root 1647 úno  6 20:51 chain1.pem
-rw-r--r-- 1 root root 1704 úno  6 20:51 privkey1.pem

/ I'm not really sure how to use them for VPN otherwise.

1. What I mentioned is just an additonal failure that will occur, after charon 
read the certificate.

2. Your peer should have all the CA certificates that lie in the trust path 
from the root to its certificate.
    If you make charon just load cert1.pem or fullchain1.pem, then it will only 
have its own certificate, but no CA certificate.

3. You need to split chain1.pem into seperate certificates and put them in 
ipsec.d/cacerts. The chain will likely not change any time soon.
    You need to make charon reload the certificate and the CA certificates 
(togetherwith purging old ones) when they are updated.
    You could also script something with the letsencrypt client. I use acmetool 
and did something similiar[1] for my webserver setup.

4. Public CAs are not suitable to authenticate VPN peers, because the network 
that is accessed using the VPN is private,
    not public. You're entrusting a public entity with controlling access to 
your private network.

[1] https://gist.github.com/Thermi/05f2a2903dee6c37bbbb31405ee082d2




_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users





















					Reply via email to