StrongSwan IPSec VPN - IKEv2 - LetsEncrypt Certificate Issue (building CRED_PRIVATE_KEY - RSA failed, tried 10 builders)
I followed the link below to set up an IKEv2 VPN using Strongswan and Let's Encrypt on CentOS 7.
How to Setup IKEv2 VPN Using Strongswan and Let's encrypt on CentOS 7
But the info on that link has been deprecated.
My Let's Encrypt commands are like this:
```
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m [email protected]
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
```
or
```
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone --force
sudo yum -y install psmisc
sudo fuser 80/tcp
sudo yum -y install lsof
sudo lsof -i tcp:80
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
~/.acme.sh/acme.sh --installcert -d my_domain.com --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status
```
I have 4 files here on my CentOS 7 VPS after these commands:
```
my_domain.com.cer
my_domain.com.key
ca.cer
fullchain.cer
```
First of all, I really don't know which file I should put in the certs folder, which in the cacerts folder, and which in the private folder.
I just did this:
```
sudo cp /root/.acme.sh/my_domain.com/fullchain.cer /etc/strongswan/ipsec.d/certs/
sudo cp /root/.acme.sh/my_domain.com/ca.cer /etc/strongswan/ipsec.d/cacerts/
sudo cp /root/.acme.sh/my_domain.com/my_domain.com.key /etc/strongswan/ipsec.d/private/
sudo cp /root/cert.crt /etc/strongswan/ipsec.d/cacerts/
sudo tree /etc/strongswan/ipsec.d/
```
Did I put those files in the correct folders?
Now let's see the StrongSwan config:
```
nano -K /etc/strongswan/ipsec.conf
```
```
#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@my_domain.com
    leftcert=fullchain.cer
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity
```
And here is the secrets file:
```
nano -K /etc/strongswan/ipsec.secrets
```
```
: RSA "my_doman.com.key"
temp : EAP "123"
```
And here is the StrongSwan status after running:
```
[root@art_300 ~]# systemctl status strongswan -l
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2024-01-14 21:17:03 +0330; 11s ago
 Main PID: 2056 (starter)
   CGroup: /system.slice/strongswan.service
           ├─2056 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─2098 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

Jan 14 21:17:03 art_300.buzz systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz strongswan[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.105.1.el7.x86_64, x86_64)
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[JOB] spawning 16 worker threads
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: charon (2098) started after 60 ms
Jan 14 21:17:03 art_300.buzz strongswan[2056]: charon (2098) started after 60 ms
```
As you know, that link has been deprecated and is old.
Now tell me what I am doing wrong and how I can fix:
```
building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
```
Apparently, with the latest developments in SSL dropping vulnerable algorithms like a hot potato, your private key could be not an RSA key at all. Try to verify it with the following OpenSSL command:
If you get an error like
then you are out of luck with Let's Encrypt. I suggest you follow this instruction for setting up StrongSwan: DO how to setup StrongSwan server with IKEv2 on Ubuntu. Following this document I got AlmaLinux9/ARM working with a MacOS client a couple of hours ago.
For acme.sh, just add -keylength 4096 to get an RSA private key instead of ECDSA.
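The two answers above come down to one check: whether the key in ipsec.d/private/ is really RSA, as the ": RSA" line in ipsec.secrets claims, or an ECDSA key that acme.sh issued by default. The script below is an added example, not from the question or either answer: it asks openssl which key type a PEM file holds, prints the matching ipsec.secrets line (strongSwan accepts ": ECDSA" as well as ": RSA"), and confirms the key belongs to the leaf certificate named in leftcert. It assumes openssl is on PATH; the function names and the paths in the usage comment are my own.

```shell
#!/bin/sh
# Added example (not from the question or the answers): classify a PEM private
# key the way strongSwan's ipsec.secrets needs it declared, and verify it
# matches the certificate that leftcert points at. Assumes openssl on PATH.

key_kind() {
    # Print RSA or ECDSA. A PKCS#8 "BEGIN PRIVATE KEY" header hides the
    # algorithm, so ask openssl to parse the key instead of reading the header.
    if openssl rsa -in "$1" -noout >/dev/null 2>&1; then
        echo RSA
    elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
        echo ECDSA
    else
        echo UNKNOWN
        return 1
    fi
}

secrets_line() {
    # Emit the ipsec.secrets entry for a key that lives in ipsec.d/private/.
    kind=$(key_kind "$1") || return 1
    printf ': %s "%s"\n' "$kind" "$(basename "$1")"
}

key_matches_cert() {
    # A key that parses fine can still be the wrong one for the certificate:
    # compare the public key derived from the private key with the one in the
    # first (leaf) certificate of the file, which is all x509 reads from a chain.
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage (hypothetical paths mirroring the question's layout):
#   check_pair /etc/strongswan/ipsec.d/private/my_domain.com.key \
#              /etc/strongswan/ipsec.d/certs/fullchain.cer
check_pair() {
    secrets_line "$1" || { echo "unparseable key: $1" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match $2" >&2; return 1; }
}
```

If the output is `: ECDSA "..."`, either change the ipsec.secrets line to match or reissue with an RSA key as the second answer suggests; a non-matching key means the wrong file was copied into ipsec.d/private/.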