I'm unable to connect to the strongSwan IKEv2 VPNs after updating their certs with the new R3-kind ones, using certbot (certbot-1.11.0-1.el7 on RHEL 7 and 0.31.0-1+deb10u1 on buster). Windows (Win7 and Win10) and Linux (Fedora 29) clients are affected; iOS doesn't seem to care about the change, though.
These are the symlinks I've been using before this transition.
[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/cacerts/vpnCa.pem
lrwxrwxrwx 1 root root 50 Jun 10 19:23 /etc/strongswan/ipsec.d/cacerts/vpnCa.pem -> /etc/letsencrypt/live/ghgh.domain.tld/chain.pem
[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/certs/vpnCert.pem
lrwxrwxrwx 1 root root 54 Jun 10 11:47 /etc/strongswan/ipsec.d/certs/vpnCert.pem -> /etc/letsencrypt/live/ghgh.domain.tld/fullchain.pem
[root@ghgh ~]# ls -ld /etc/strongswan/ipsec.d/private/vpnKey.pem
lrwxrwxrwx 1 root root 52 Sep 27 2020 /etc/strongswan/ipsec.d/private/vpnKey.pem -> /etc/letsencrypt/live/ghgh.domain.tld/privkey.pem
Well, that was quick. Quick and brilliant, and it worked! Thank you, I've spent 3 hours on this today and couldn't find a clue. You've totally saved my day.
So what do I do in the future, when my certbot updates the current certs with new ones? Should I use something like wget in the renewal script to get this cross-signed cert from this particular location, or perhaps there's a more elegant way?
There are a number of ways to script this fix into a --deploy-hook for certbot. Since the R3 intermediate doesn't change that regularly, you shouldn't need to reacquire it each time. Just keep a copy in a safe place. Most importantly, though: get this corrected the right way as soon as possible.
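One way to script the fix into a certbot --deploy-hook, as an added example that is not part of this thread nor code from certbot or strongSwan: the hook reads the renewed lineage certbot hands it in RENEWED_LINEAGE, concatenates the new leaf with a locally kept copy of the cross-signed R3 intermediate (instead of certbot's own chain.pem), writes the three files strongSwan expects in the same certs/, cacerts/ and private/ places the symlinks above pointed at, and has strongSwan re-read them. Before installing anything it checks that the kept intermediate's subject still equals the new leaf's issuer, which is the one case the "doesn't change that regularly" advice leaves open. The intermediate path /etc/strongswan/cross-signed-r3.pem, the ipsec.d location and the reload command are assumptions to adjust locally (Debian's package installs the command as "ipsec", RHEL's as "strongswan").

```sh
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that installs the
# renewed leaf plus a kept copy of the cross-signed R3 intermediate into
# strongSwan's ipsec.d tree and tells strongSwan to re-read its certificates.
# ASSUMED paths/commands, override via environment or edit locally.
set -eu

CROSS_SIGNED_R3="${CROSS_SIGNED_R3:-/etc/strongswan/cross-signed-r3.pem}"  # assumed location of the kept copy
IPSEC_D="${IPSEC_D:-/etc/strongswan/ipsec.d}"                             # RHEL layout; Debian uses /etc/ipsec.d
RELOAD_CMD="${RELOAD_CMD:-ipsec rereadall}"                               # "strongswan rereadall" on RHEL

# True if FILE contains at least one PEM certificate block.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Number of PEM certificate blocks in FILE (sanity check after install).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# True if the issuer DN of LEAF equals the subject DN of INTERMEDIATE, i.e.
# the kept intermediate is still the one that signed the freshly issued leaf.
# Both DNs come from the same openssl binary, so its DN output format
# (old "/C=US/O=..." or new "C = US, O = ...") cancels out.
issuer_matches() {
    leaf_issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^[^=]*=//')
    ca_subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^[^=]*=//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ]
}

# install_vpn_certs LINEAGE_DIR INTERMEDIATE_PEM IPSEC_D_DIR
# Mirrors the symlink layout from the post (certs/ gets leaf+chain, cacerts/
# gets the chain, private/ gets the key) but as real files, so the chain sent
# to clients is the cross-signed intermediate rather than certbot's chain.pem.
# Files are written as .tmp and renamed, so a failure halfway leaves the
# previous set untouched.
install_vpn_certs() {
    lineage="$1"; intermediate="$2"; dest="$3"

    is_pem_cert "$lineage/cert.pem" || { echo "no cert.pem in $lineage" >&2; return 1; }
    is_pem_cert "$intermediate"     || { echo "no intermediate at $intermediate" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "no privkey.pem in $lineage" >&2; return 1; }

    mkdir -p "$dest/certs" "$dest/cacerts" "$dest/private"

    cat "$lineage/cert.pem" "$intermediate" > "$dest/certs/vpnCert.pem.tmp"
    cat "$intermediate" > "$dest/cacerts/vpnCa.pem.tmp"
    # The key must not be group/world readable; umask in a subshell scopes it.
    (rm -f "$dest/private/vpnKey.pem.tmp"; umask 077
     cat "$lineage/privkey.pem" > "$dest/private/vpnKey.pem.tmp")

    # Remove the old entries first: they may still be the symlinks into
    # /etc/letsencrypt/live, and rm on a symlink removes only the link.
    rm -f "$dest/certs/vpnCert.pem" "$dest/cacerts/vpnCa.pem" "$dest/private/vpnKey.pem"
    mv "$dest/certs/vpnCert.pem.tmp"  "$dest/certs/vpnCert.pem"
    mv "$dest/cacerts/vpnCa.pem.tmp"  "$dest/cacerts/vpnCa.pem"
    mv "$dest/private/vpnKey.pem.tmp" "$dest/private/vpnKey.pem"
}

# certbot sets RENEWED_LINEAGE to the live/<domain> directory of the lineage
# it just renewed when running a --deploy-hook; nothing happens otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! issuer_matches "$RENEWED_LINEAGE/cert.pem" "$CROSS_SIGNED_R3"; then
        echo "kept intermediate no longer matches the issuer of the new leaf; not installing" >&2
        exit 1
    fi
    install_vpn_certs "$RENEWED_LINEAGE" "$CROSS_SIGNED_R3" "$IPSEC_D"
    $RELOAD_CMD
fi
```

Install it as an executable under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every executable there after a successful renewal) or pass it with `certbot renew --deploy-hook /path/to/hook.sh`. After the first run the three strongSwan entries are plain files rather than the symlinks shown above, which is intended: the point is that strongSwan no longer serves certbot's chain.pem. When the issuer check fails, the hook exits non-zero and leaves the previous files in place, so a changed intermediate shows up as a failed hook rather than as clients silently failing to connect.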