Cannot connect to IKEv2 VPN on Fedora 33 - No trusted RSA public key found

Hello everyone.

I am having a little trouble configuring a IKEv2 VPN in Fedora. I’ve used the command “sudo journalctl -u NetworkManager.service” to find out the problem and it turns out to be an error on searching for getting the trusted RSA public key, as you can see by the log below:

mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[IKE] received end entity cert "C=PT, postalCode=1649-004, ST=Lisboa, L=Lisboa, STREET=Alameda da Universidade>
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[IKE] received issuer cert "C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4"
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   using certificate "C=PT, postalCode=1649-004, ST=Lisboa, L=Lisboa, STREET=Alameda da Universidade, STR>
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   using untrusted intermediate certificate "C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4"
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG] checking certificate status of "C=PT, postalCode=1649-004, ST=Lisboa, L=Lisboa, STREET=Alameda da Univer>
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   requesting ocsp status from 'http://GEANT.ocsp.sectigo.com' ...
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   ocsp response correctly signed by "C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4"
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   ocsp response is valid: until Mar 30 20:31:34 2021
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG] certificate status is good
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG] no issuer certificate found for "C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4"
mar 24 12:12:19 localhost.localdomain NetworkManager[977]: <warn>  [1616587939.7494] vpn-connection[0x560215c26140,83606a02-7fa7-49b7-8cef-3ebd27c45c52,"VPN 1",0]: VPN>
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[CFG]   issuer is "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification>
mar 24 12:12:19 localhost.localdomain NetworkManager[977]: <warn>  [1616587939.7496] vpn-connection[0x560215c26140,83606a02-7fa7-49b7-8cef-3ebd27c45c52,"VPN 1",0]: VPN>
mar 24 12:12:19 localhost.localdomain charon-nm[4346]: 16[IKE] no trusted RSA public key found for 'vpn.ciencias.ulisboa.pt'
mar 24 12:12:19 localhost.localdomain NetworkManager[977]: <info>  [1616587939.7496] vpn-connection[0x560215c26140,83606a02-7fa7-49b7-8cef-3ebd27c45c52,"VPN 1",0]: VPN>

I am currently using strongswan with the following commands to install it:

dnf install NetworkManager-strongswan-gnome.x86_64 NetworkManager-strongswan.x86_64 strongswan-charon-nm.x86_64 strongswan.x86_64

What should I do? I do have both certificates in “.cer” format if I do need to install it, but I was hoping it would be possible without it.

Thanks,
Miguel Santana

You should probably fetch that key and specify it in the VPN connection properties.
Alternatively, you can try to install it system-wide: Using Shared System Certificates :: Fedora Docs

1 Like

Hi, Vadislav.

Thanks for your input but I’ve tried the first one already without success. The second one, I’ve done just now, but still can’t connect.

Is there anything else I can do?

Thanks,
Miguel Santana

1 Like

Hi,

is sudo journalctl -u NetworkManager.service still reporting the same issue?

Thanks Tom.

1 Like

Hi, Tom.

That command reports the same when installing the certificates with the trust command. When using the certificate specified in the VPN configuration GUI, it reports “Permission failed” when opening the file.

Will it be like ssh key files, that when it is world readable, the program will refuse to use it?

Hi,

If its the public key that’s getting permission failed, try setting to 644.

Thanks Tom.

2 Likes

Hi, Tom.

I have done that for each file and the whole folder, but still getting the same error.

Hi,

Its just the public key that needed to be 644, the folder should probably be 755. What’s the other contents? If it includes a private key, that should be 640 or 644.

Also google search produced a lot a results with errors on ubuntu which mentioned app-armor. Fedora equivalent is selinux. for testing have you tried with selinux disabled or permissive.

Thanks Tom.

2 Likes

Did the problem start only with Fedora 33? It might not be relevant, but the no trusted RSA public key found makes me wonder if this issue is related to the new crypto policy in Fedora 33. Maybe see if the options and link in this post help:

3 Likes

Thanks for the input Tom.

I’ll try I out.

Regarding de SELinux, I would prefer to maintain it at the current state, as the VPN was functioning corretly before the certificate change.

Hey @fasulia.

This change of the VPN was related to a change in the certificate provider by my organization. The current certificates look like they are not recognized by the system.

Thanks

Hi,

Meant just for testing, if it is confirmed to be an issue with selinux; then there will be a fix so it works with selinux.

Have you compared the old ssl and new ssl to make sure they in the same format (e.g. pem or PKCS#7). May just be a case of using openssl to convert the public cert to an acceptable format.

Thanks Tom.

2 Likes

Hello, @tjdoyle

And you were actually right! With SELinux in permissive mode it is possible to use it without any certificate, but with SELinux in enforcing mode it is unable to connect. What can we do about it?

Thanks

# Check system journal
sudo journalctl --no-pager -g avc

# Store certs to one of those locations
sudo semanage fcontext -l | grep -e home_cert_t

# Fix file context
sudo restorecon -R /path/to/cert/dir
1 Like

I’m guessing that would be to be able to read the certificate files, right?

1 Like

Hi,

It looks like the the cert hasn’t be provided with the correct security context. The given commands should fix that.

Thanks Tom.

1 Like

Maybe that would be right, but I should be able to connect to the VPN without this key, as I normally do in other Linux distros or Windows. How is it possible to implement this key from Sertigo in future updates of the distribution?

Hi,

I’m not sure I quite understand the question, but if you are asking what do if Sertigo reissue the public cert and it hasn’t got the right security context, you will needto run the restorecon command on its directory:

Thanks Tom

2 Likes

@vgaetera @tjdoyle

I’ve run these commands

But I still get “no trusted RSA public key found for …” without the certificate and “opening ‘home/[user]/.cert/cert.pem’ failed: Permission denied”.

Nevertheless, when running the first command after trying to connect, I get this:

mar 28 18:29:09 localhost.localdomain audit[10745]: AVC avc: denied { read } for pid=10745 comm="charon-nm" name="cert.cer" dev="dm-0" ino=527457 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

mar 28 18:29:09 localhost.localdomain audit[10745]: AVC avc: denied { read } for pid=10745 comm="charon-nm" name="cert.cer" dev="dm-0" ino=525409 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Why is the name parameter in the log using the .cer extension when the file is in .pem?