I had an issue with CA intermediate certificate chains before, with stunnel, about 8 years ago, believe it or not. My CA provider (in fairness to them) actually worked out how to get my CA certs working in stunnel on OpenBSD. What they suggested I do, which worked for me, was to copy all the intermediate certificates into the bottom of my server certificate file ... and that did the trick ... don't use the CA file. That did the trick for me ... (that was on the server side of things). I'm not sure on the client side of things. I hope this helps.
On 22 February 2018 at 01:49, Igor V. Gubenko <i...@gubenko.com> wrote:
> I have an issue using certs as well, though I am not 100% sure whether
> it has to do with a CA cert chain (why did you come to this
> conclusion?). Do you have a config and a debug trace to share?
>
> ---
> Igor V. Gubenko
>
> System Engineer
>
> On 2018-02-21 20:14, Stuart Henderson wrote:
>
>> Has anyone already figured out how to, or know whether it's possible
>> to, get iked working with letsencrypt certs? (Or indeed any CA with
>> chain certs?)
>>
>> Use case: "standard" clients (Windows/iOS/StrongSwan), EAP auth,
>> not particularly technical users so trying to avoid the need for them
>> to manually install certs.
>>
>> Most of it should be straightforward (at least for FQDN), the server
>> cert has SAN, I think the main issue seems to be due to the chain cert.
>>
>> If I place only the "CN=Let's Encrypt Authority X3" in iked/ca/ca.crt
>> iked doesn't startup properly ("unable to get issuer certificate" for my
>> own cert and "unable to get local issuer certificate" for the LE CA).
>>
>> If I place only the "DST Root CA X3" in ca.crt I get "did not find
>> subjectAltName" and "no valid local certificate found".
>>
>> If I place both ca and chain certs in ca.crt it looks like it starts
>> up ok:
>>
>> ca_reload: loaded ca file ca.crt
>> ca_reload: loaded crl file ca.crl
>> ca_reload: /O=Digital Signature Trust Co./CN=DST Root CA X3
>> ca_reload: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> ca_reload: loaded 2 ca certificates
>> ca_reload: loaded cert file blahblahblah.com.crt
>>
>> but then actually connecting fails (at least from strongswan, I need to
>> dig out the other test devices again..).

--
Kindest regards,
Tom Smyth
Mobile: +353 87 6193172

The information contained in this E-mail is intended only for the confidential use of the named recipient. If the reader of this message is not the intended recipient or the person responsible for delivering it to the recipient, you are hereby notified that you have received this communication in error and that any review, dissemination or copying of this communication is strictly prohibited. If you have received this in error, please notify the sender immediately by telephone at the number above and erase the message. You are requested to carry out your own virus check before opening any attachment.
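The file layout Tom describes for stunnel, as an added shell example that is not part of the thread and not anyone's posted code: the server (leaf) certificate goes first in the file, each intermediate CA certificate is appended after it as its own PEM block, and the result is checked for block count and order. All file names are assumptions, the PEM contents in the demo are constructed placeholders rather than real certificates, and the optional openssl verification step only runs when openssl is installed.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. It assembles the
# certificate file layout Tom describes for stunnel: the server (leaf)
# certificate first, then every intermediate CA certificate appended after
# it, each as its own PEM block, and then checks the result. All file names
# and the PEM contents used in the demo are constructed placeholders.

# emit_pem FILE: print FILE, guaranteeing a trailing newline so that two
# concatenated PEM blocks never run together on a single line.
emit_pem() {
    cat "$1"
    [ -z "$(tail -c 1 "$1")" ] || echo
}

# build_chain OUT LEAF INTERMEDIATE...
# Writes OUT with LEAF first, then the intermediates in issuer order: the CA
# that signed the leaf, then the CA that signed that CA, and so on. The root
# is left out on purpose; the peer has to trust it already, so sending it
# adds nothing.
build_chain() {
    out=$1
    leaf=$2
    shift 2
    emit_pem "$leaf" > "$out"
    for inter in "$@"; do
        emit_pem "$inter" >> "$out"
    done
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# pem_block FILE N: print only the N-th PEM certificate block of FILE
# (1-based); used to confirm that block 1 really is the server cert.
pem_block() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
    ' "$1"
}

# verify_chain ROOT CHAIN LEAF: if openssl is installed, validate LEAF
# against the trusted ROOT, taking intermediates from CHAIN. When the
# intermediate is missing from CHAIN, OpenSSL reports
# "unable to get local issuer certificate", the same wording Stuart quoted
# from iked. Skipped (returns 0) when openssl is not available.
verify_chain() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping verification" >&2
        return 0
    fi
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Demo on constructed placeholder files; these are not real certificates,
# so verify_chain is not called here. Pass real files for that step.
demo() {
    dir=$(mktemp -d)
    # server.crt deliberately lacks a trailing newline to exercise emit_pem
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/server.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-1-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/intermediate1.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-2-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/intermediate2.crt"

    build_chain "$dir/server-chain.crt" "$dir/server.crt" \
        "$dir/intermediate1.crt" "$dir/intermediate2.crt"

    echo "blocks in server-chain.crt: $(count_certs "$dir/server-chain.crt")"
    echo "first block:"
    pem_block "$dir/server-chain.crt" 1
    rm -rf "$dir"
}

demo
```

The order matters: the leaf has to be the first block, and each intermediate should follow the certificate it signed. The `emit_pem` newline guard is there because a CA-supplied PEM file without a final newline would otherwise glue its `END` line to the next `BEGIN` line and break parsing of the second block.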