On Wed, Nov 01, 2017 at 09:08:08AM +0000, Andreas Thulin wrote:
> Hi!
>
> I’m trying to set up iked on machine A, to create a tunnel between machines
> A and B. ikectl produces errors when creating a certificate with my ”test”
> ca, and I have failed to understand why:
>
> # ikectl ca test certificate 192.168.1.1 create
> Generating RSA private key, 2048 bit long modulus
> ......................................+++
> ..........+++
> e is 65537 (0x10001)
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [DE]:
> State or Province Name (full name) [Lower Saxony]:
> Locality Name (eg, city) [Hanover]:
> Organization Name (eg, company) [OpenBSD]:
> Organizational Unit Name (eg, section) [iked]:
> Common Name (eg, fully qualified host name) [192.168.1.1]:
> Email Address [r...@openbsd.org]:
> Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName :PRINTABLE:'DE'
> stateOrProvinceName :ASN.1 12:'Lower Saxony'
> localityName :ASN.1 12:'Hanover'
> organizationName :ASN.1 12:'OpenBSD'
> organizationalUnitName:ASN.1 12:'iked'
> commonName :ASN.1 12:'192.168.1.1'
> emailAddress :IA5STRING:'r...@openbsd.org'
> ERROR: adding extensions in section x509v3_IPAddr
> 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
> extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> value=IP:
> #
>
> The machine is i386 running 6.2-stable.
>
> I assume I’m doing something wrong, or have missed something in previous
> steps (I followed the example steps from the ikectl man page). Any tips on
> where to start digging/understanding/learning/fixing would be highly
> appreciated.
>
> BR, Andreas

Search the archives, there's a diff to fix this from Oct 25 or so, but it has not been committed yet.

-ml