Hi,

I have a Fedora 30 server with Android Galaxy S8 clients working using self-signed certs on both the server and the strongSwan Android client.  It's been working for years, but now the server cert is about to expire.  I'm trying to migrate to using Let's Encrypt rather than continue to use my own CA.

Is there anything needed on the Android client side to recognize Let's Encrypt?  The strongSwan app lists DST_Root_CA_X3, but I don't see the LE cert.  Is it needed?

On the server I simply changed leftcert and leftid from PEM files I created to those created by LE.  The client (right=) currently still uses my self-signed CA and certs.  These certs are still in /etc/strongswan/ipsec.d

If I'm reading the logs correctly, the server logs show both SAs established.  The Android client log shows the client app takes down the connection:


Aug 26 11:32:56 12[IKE] establishing CHILD_SA android{40}
[deleted]
Aug 26 11:32:56 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Aug 26 11:32:56 15[IKE] received end entity cert "CN=example.org"
Aug 26 11:32:56 15[CFG]   using certificate "CN=example.org"
Aug 26 11:32:56 15[CFG] no issuer certificate found for "CN=example.org"
Aug 26 11:32:56 15[CFG]   issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Aug 26 11:32:56 15[IKE] no trusted RSA public key found for 'CN=example.org'
Aug 26 11:32:56 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

CN=example.org is substituted for the real domain name.

I've read that DST_Root_CA_X3 is needed in cacerts in the case of "unix to unix", but the Android app seems to already have this.  Is there anything else needed?

Thanks,
MikeC


# strongswan version
Linux strongSwan U5.8.2/K5.5.16-100.fc30.x86_64
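As an added example (not part of the original post, nor strongSwan's own code): a small Python parser that walks charon client log lines like those quoted above and reports the chain-building failure they record. The pattern it keys on is "no issuer certificate found" followed by "issuer is", then "no trusted RSA public key found"; the sample log is constructed from the quoted output, with CN=example.org standing in for the real name.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the client log quoted in the post.
SAMPLE_LOG = """\
Aug 26 11:32:56 15[IKE] received end entity cert "CN=example.org"
Aug 26 11:32:56 15[CFG]   using certificate "CN=example.org"
Aug 26 11:32:56 15[CFG] no issuer certificate found for "CN=example.org"
Aug 26 11:32:56 15[CFG]   issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Aug 26 11:32:56 15[IKE] no trusted RSA public key found for 'CN=example.org'
Aug 26 11:32:56 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

RE_EE = re.compile(r'received end entity cert "([^"]+)"')
RE_NO_ISSUER = re.compile(r'no issuer certificate found for "([^"]+)"')
RE_ISSUER_IS = re.compile(r'issuer is "([^"]+)"')
RE_NO_KEY = re.compile(r"no trusted RSA public key found for '([^']+)'")

@dataclass
class ChainDiagnosis:
    end_entity: str = ""
    missing_issuers: list = field(default_factory=list)  # issuer DNs charon named but could not find
    no_trusted_key_for: str = ""

    @property
    def intermediate_missing(self) -> bool:
        # An issuer was named but no certificate for it was available, so no path to a trusted root exists.
        return bool(self.missing_issuers) and bool(self.no_trusted_key_for)

def diagnose(log: str) -> ChainDiagnosis:
    d = ChainDiagnosis()
    lookup_failed_for = ""  # subject whose issuer lookup just failed
    for line in log.splitlines():
        if m := RE_EE.search(line):
            d.end_entity = m.group(1)
        elif m := RE_NO_ISSUER.search(line):
            lookup_failed_for = m.group(1)
        elif (m := RE_ISSUER_IS.search(line)) and lookup_failed_for:
            d.missing_issuers.append(m.group(1))  # "issuer is" directly follows the failed lookup
            lookup_failed_for = ""
        elif m := RE_NO_KEY.search(line):
            d.no_trusted_key_for = m.group(1)
    return d

def explain(d: ChainDiagnosis) -> str:
    if not d.intermediate_missing:
        return "no certificate-chain failure found"
    return (f"peer cert {d.end_entity!r} received, but its issuer ({'; '.join(d.missing_issuers)}) was not "
            "available on the client, so no chain to a trusted root could be built; the intermediate "
            "must be sent by the server alongside the end-entity cert or be installed on the client")
```

Run `explain(diagnose(SAMPLE_LOG))` on the sample; on a log where the issuer was found (no "no issuer certificate found" line) it reports no chain failure.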

