strongSwan and X3 to R3 transition

Hi, Let's Encrypt,

i'm unable to connect to the strongSwan IKEv2 vpns after updating their certs with the new R3 kind ones, using certbot (certbot-1.11.0-1.el7 on rhel 7 and 0.31.0-1+deb10u1 on buster). Windows (win7 and win10) and linux (fedora 29) clients are affected, iOS doesn't seem to care about the change, though.

Those are the symlinks i've been using before this transition.

[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/cacerts/vpnCa.pem
lrwxrwxrwx 1 root root 50 Jun 10 19:23 /etc/strongswan/ipsec.d/cacerts/vpnCa.pem -> /etc/letsencrypt/live/ghgh.domain.tld/chain.pem
[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/certs/vpnCert.pem
lrwxrwxrwx 1 root root 54 Jun 10 11:47 /etc/strongswan/ipsec.d/certs/vpnCert.pem -> /etc/letsencrypt/live/ghgh.domain.tld/fullchain.pem
[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/private/vpnKey.pem
lrwxrwxrwx 1 root root 52 Sep 27  2020 /etc/strongswan/ipsec.d/private/vpnKey.pem -> /etc/letsencrypt/live/ghgh.domain.tld/privkey.pem

Has anyone figured out a solution?

1 Like

Welcome Back to the Let's Encrypt Community :slightly_smiling_face:

My guess is that they don't like the switch from one intermediate certificate to two in fullchain.pem and chain.pem.

If you replace these two final certificates currently in both fullchain.pem and chain.pem:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

with this one certificate:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

things will likely start working again. If so, then strongSwan needs to update for the new three-certificate fullchain.

2 Likes

Well that was quick. :slight_smile: Quick and brilliant, and it worked! Thank you, i've spend 3 hours on this today and couldn't find a clue. :slight_smile: You've totally saved my day.

So what do i do in the future, when my certbot updates current certs with the new ones? Should i use smth like wget in the renewal script to get this cross signed cert from this particular location, or perhaps there's more elegant way?

1 Like

@griffin I don't understand: both chains chain up to the DST root, right? Why wouldn't the initial one work?

1 Like

There are a number of ways to script this fix into a --deploy-hook into certbot. Since the R3 intermediate don't change that regularly, you shouldn't need to reacquire it each time. Just keep a copy in a safe place. Most importantly though: get this corrected the right way as soon as possible.

It likely doesn't like serving the three-certificate fullchain. Probably just hardcoding for two certs somewhere.

Well, that's just plain dumb.

2 Likes

That's the nature of assumptions in coding...

:upside_down_face:

2 Likes