Maybe you can provide a bit more details? What kind of VPN is it? (openvpn, wireguard, openswan…) What kind of credential do you provide? (password, TLS certificate, key…) How do you configure it? (have you configured all fields? Maybe send a screenshot blurring sensitive data)
For now my random guess is that you forgot to provide the Certificate CA file (provided by your VPN provider) that asserts to your computer that you are really talking to your provider and not to an adversary (man in the middle attack).
At least I can confirm that on my system (also KDE+network manager) I can use my VPN without any issue.
Thanks for your reply. I should have provided that information upfront. Sorry!
I’m trying to connect to the VPN (IKEv2 - strongswan) of my employer by just using username and password (EAP authentication method).
This is the log output of a connection attempt:
Oct 07 22:17:32 nixos charon-nm[3851]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
Oct 07 22:17:32 nixos kernel: NET: Registered PF_ALG protocol family
Oct 07 22:17:32 nixos kernel: Initializing XFRM netlink socket
Oct 07 22:17:32 nixos charon-nm[3851]: 00[LIB] created TUN device: tun0
Oct 07 22:17:32 nixos systemd-udevd[3854]: Using default interface naming scheme 'v250'.
Oct 07 22:17:32 nixos charon-nm[3851]: 00[LIB] loaded plugins: nm-backend charon-nm pkcs11 aesni aes des rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem opens>
Oct 07 22:17:32 nixos charon-nm[3851]: 00[JOB] spawning 16 worker threads
Oct 07 22:17:32 nixos charon-nm[3851]: 05[CFG] received initiate for NetworkManager connection xxxxx-VPN
Oct 07 22:17:32 nixos charon-nm[3851]: 05[CFG] using gateway identity 'vpn.xxxxx.com'
Oct 07 22:17:32 nixos charon-nm[3851]: 05[IKE] initiating IKE_SA xxxxx-VPN[1] to xxxx:xxx:xxxx::x
Oct 07 22:17:32 nixos charon-nm[3851]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 05[NET] sending packet: from xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[52749] to xxxx:xxx:xxxx::x[500] (940 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 07[NET] received packet: from xxxx:xxx:xxxx::x[500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[52749] (38 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 07[IKE] peer didn't accept DH group CURVE_25519, it requested ECP_384
Oct 07 22:17:32 nixos charon-nm[3851]: 07[IKE] initiating IKE_SA xxxxx-VPN[1] to xxxx:xxx:xxxx::4
Oct 07 22:17:32 nixos charon-nm[3851]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 07[NET] sending packet: from xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[52749] to xxxx:xxx:xxxx::x[500] (1004 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 08[NET] received packet: from xxxx:xxx:xxxx::x[500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[52749] (304 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Oct 07 22:17:32 nixos charon-nm[3851]: 08[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Oct 07 22:17:32 nixos charon-nm[3851]: 08[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Oct 07 22:17:32 nixos charon-nm[3851]: 08[IKE] establishing CHILD_SA xxxxx-VPN{1}
Oct 07 22:17:32 nixos charon-nm[3851]: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID>
Oct 07 22:17:32 nixos charon-nm[3851]: 08[NET] sending packet: from xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] to xxxx:xxx:xxxx::x[4500] (476 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 11[NET] received packet: from xxxx:xxx:xxxx::4[4500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] (1228 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 11[ENC] parsed IKE_AUTH response 1 [ EF(1/4) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
Oct 07 22:17:32 nixos charon-nm[3851]: 12[NET] received packet: from xxxx:xx:xxxx::x[4500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] (105 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 12[ENC] parsed IKE_AUTH response 1 [ EF(4/4) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 12[ENC] received fragment #4 of 4, waiting for complete IKE message
Oct 07 22:17:32 nixos charon-nm[3851]: 09[NET] received packet: from xxxx:xxx:xxxx::x[4500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] (1228 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/4) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 09[ENC] received fragment #3 of 4, waiting for complete IKE message
Oct 07 22:17:32 nixos charon-nm[3851]: 10[NET] received packet: from xxxx:xxx:xxxx::4[4500] to xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] (1228 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 10[ENC] parsed IKE_AUTH response 1 [ EF(2/4) ]
Oct 07 22:17:32 nixos charon-nm[3851]: 10[ENC] received fragment #2 of 4, reassembled fragmented IKE message (3602 bytes)
Oct 07 22:17:32 nixos charon-nm[3851]: 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Oct 07 22:17:32 nixos charon-nm[3851]: 10[IKE] received end entity cert "CN=vpn.xxxxx.com"
Oct 07 22:17:32 nixos charon-nm[3851]: 10[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:32 nixos charon-nm[3851]: 10[CFG] using certificate "CN=vpn.xxxxx.com"
Oct 07 22:17:32 nixos charon-nm[3851]: 10[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:32 nixos charon-nm[3851]: 10[CFG] checking certificate status of "CN=vpn.xxxxx.com"
Oct 07 22:17:32 nixos charon-nm[3851]: 10[CFG] requesting ocsp status from 'http://r3.o.lencr.org' ...
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] ocsp response is valid: until Oct 14 12:59:58 2022
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] certificate status is good
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[IKE] no trusted RSA public key found for 'vpn.xxxxx.de'
Oct 07 22:17:33 nixos charon-nm[3851]: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 07 22:17:33 nixos charon-nm[3851]: 10[NET] sending packet: from xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx[48464] to xxxx:xxx:xxxx::x[4500] (65 bytes)
The message in my initial post sounded like the root certificate is missing on the system. I tried to install it with the cacert package but it didn’t work.
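A small check, added here as an example and not part of the post above: it pulls out of a charon-nm log which certificate strongSwan could not chain and which issuer it says is needed. The log excerpt embedded in the script is constructed from the lines quoted above (hostnames masked as on the page); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: read a charon-nm log and report the
# certificate that could not be chained and the issuer strongSwan wants.

# Writes a constructed excerpt of the charon-nm output quoted in the post
# (same masking as on the page) to the file given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] certificate status is good
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[CFG] issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Oct 07 22:17:33 nixos charon-nm[3851]: 10[IKE] no trusted RSA public key found for 'vpn.xxxxx.de'
EOF
}

# Prints the DN of the certificate strongSwan found no issuer for
# (here the Let's Encrypt intermediate R3 sent by the gateway).
unchained_cert() {
  sed -n 's/.*no issuer certificate found for "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Prints the DN of the issuer strongSwan says that certificate needs,
# i.e. the trust anchor that has to be in the CA file/directory.
needed_issuer() {
  sed -n 's/.*\] issuer is "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 when the log shows the failure pattern from the thread: an
# incomplete chain that ends in AUTH_FAILED, not a wrong password.
chain_incomplete() {
  grep -q 'no issuer certificate found for' "$1" \
    && grep -q 'no trusted RSA public key found' "$1"
}

main() {
  tmp=$(mktemp)
  make_sample_log "$tmp"
  if chain_incomplete "$tmp"; then
    printf 'incomplete chain: "%s" needs issuer "%s" in the trust store\n' \
      "$(unchained_cert "$tmp")" "$(needed_issuer "$tmp")"
  else
    echo "no missing-issuer failure in this log"
  fi
  rm -f "$tmp"
}

main
```

Run it against a real log with `journalctl -u NetworkManager > log.txt` and `unchained_cert log.txt`; the point is that the gateway only sends the leaf and the intermediate, so the root named by `needed_issuer` must come from the client's own trust store.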
Do you have the certificate? I don’t have much time to check right now how to add the certificate for strongswan, maybe NetworkManager has an entry for that, or maybe just add it systemwide.
Thanks for the links. I tried a couple of things in the last days and then gave up. I think I need some deeper understanding of how the certificate stuff works. Otherwise it’s just trial and error.
This conversation explains my problem. I think the key fact is:
strongSwan only extracts the first certificate from a file. So if you don’t have a directory on your system with individual CA certificates, you have to do that manually.
I couldn’t get NetworkManager/strongswan to log missing certificate files (and locations). As mentioned above, I gave up.
I use an OpenVPN connection (configured via config file) as workaround.
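The "first certificate only" behaviour described in the last post is why pointing strongSwan at a CA bundle does not help: the root that is needed is rarely the first entry. The script below is an added example, not from the thread or from the strongSwan project; it splits a PEM bundle into one file per certificate so that the right one can be handed to strongSwan (or dropped into a per-certificate directory such as /etc/ipsec.d/cacerts/). The bundle it runs on is constructed with placeholder bodies, not real certificates, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: split a CA bundle into single-cert
# files, which is what strongSwan needs since it reads only the first
# certificate of a file.

# Writes a constructed three-certificate bundle to $1. The bodies are
# placeholders (plain base64 text), not real certificates; a real bundle
# such as the one from the cacert package looks the same structurally.
make_sample_bundle() {
  cat > "$1" <<'EOF'
# constructed bundle: comment lines between blocks are allowed in PEM
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCAxCg==
-----END CERTIFICATE-----
# second entry
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCAyCg==
-----END CERTIFICATE-----
# third entry
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCAzCg==
-----END CERTIFICATE-----
EOF
}

# Splits BUNDLE into OUTDIR/ca-01.pem, ca-02.pem, ... keeping only the
# text between BEGIN and END markers, so comments and blank lines in the
# bundle do not end up in the per-certificate files.
split_pem_bundle() {  # usage: split_pem_bundle BUNDLE OUTDIR
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$1"
}

# Number of certificates in a PEM file; strongSwan will use only the
# first one, so anything other than 1 is a warning sign for a CA file.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

main() {
  work=$(mktemp -d)
  make_sample_bundle "$work/bundle.pem"
  split_pem_bundle "$work/bundle.pem" "$work/split"
  echo "bundle holds $(pem_cert_count "$work/bundle.pem") certificates"
  for f in "$work"/split/*.pem; do
    echo "$f: $(pem_cert_count "$f") certificate(s)"
  done
  rm -rf "$work"
}

main
```

On a real bundle, find the file you need afterwards with `openssl x509 -noout -subject -in ca-NN.pem` and select the one whose subject is the root named in the charon log (here ISRG Root X1); that single file is what the CA certificate field of the NetworkManager connection should point to.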