IKEv2 VPN with Strongswan: Getting `no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"`

richardc · January 31, 2024, 4:21am

I’m having some trouble trying to use strongswan to connect to a IKEv2 VPN.

I’m getting this error:

charon-nm[38055]: 14[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
charon-nm[38055]: 14[CFG]   issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
charon-nm[38055]: 14[IKE] no trusted RSA public key found for 'vpn.example.com'

I have downloaded the ISRG Root X1 certificate from Chain of Trust - Let's Encrypt and added it via Network Manager: Network > Settings > SSL Preferences. I still get the same error.

Looks like the certificate is not installed, or strongswan cannot find it. Is there something else I need to do?

My configuration.nix:

  networking.networkmanager = {
    enable = true;
    enableStrongSwan = true;
  };

  services.strongswan = {
    enable = true;
    secrets = [
      "ipsec.d/ipsec.nm-l2tp.secrets"
    ];
  };

Would appreciate any help. Thanks

Tolkol · February 6, 2024, 2:32am

Hello，in my case, CentOS 7, Strognswan Linux strongSwan U5.7.2/K3.10.0-1160.102.1.el7.x86_64

cd /etc/strongswan/ipsec.d/cacerts
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
systemctl restart strongswan

it looks it’s some error about the certificates. you could get some messages from this Chain of Trust - Let's Encrypt

it works on my apple devices, but some Android still got another error.

Hops this can helps you.

richardc · February 6, 2024, 8:04am

Thanks for responding. I have downloaded the R3 intermediate certificate as well, but when I add it via Network manager (Network > Settings > SSL Preferences), I don’t see it added in the list of “User-added certificates”.

The directory /etc/strongswan doesn’t exist on my system. I have copied the lets-encrypt-r3.pem file to /etc/ssl/certs/ but this doesn’t resolve the issue either.

j.book · December 1, 2024, 7:17pm

Hey Richard,

Did you ever manage to solve this issue? I’m running into a similar issue.

Thanks!

richardc · December 2, 2024, 8:46pm

Hi @j.book ,

I was able to resolve this by copying the ISRG Root X1 certificate file isrgrootx1.pem to /etc/ssl/certs.

Hope this helps you as well.

j.book · December 2, 2024, 9:59pm

Hi @richardc

That fixed it for me! Thanks :))

Now I can connect but can’t actually ping something… so the bugfixing continues, but I got a step further

numinit · December 2, 2024, 10:35pm

You can do it declaratively too! Check out security.pki.certificates as well as certificateFiles.

https://search.nixos.org/options?channel=24.11&show=security.pki.certificateFiles&from=0&size=50&sort=relevance&type=packages&query=security.pki