Re: Iked, ca_getreq: no valid local certificate found

Thu, 05 Nov 2015 10:05:32 -0800 

This got me past that error pretty handidly.

However, now it is complaining about no index.txt. The path given
doesn't help me know where to put the index.txt

Getting Private key
Using configuration from /etc/ssl/ikeca.cnf
index.txt: No such file or directory
unable to open 'index.txt'
250120122244:error:02001002:system library:fopen:No such file or
directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
'r')
250120122244:error:20074002:BIO routines:FILE_CTRL:system
lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:

On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
> Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>
> The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
> default.
>
> Reyk
>
>> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>>
>> Ho misc@,
>>
>> I have been (loosely) following the guide at
>> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> a roadblock.
>>
>> I have packets going between my two hosts on different networks, the
>> configuration files on both are good, and both have the ca installed.
>>
>> However on my remote host, I get (ips and hostnames redacted):
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
>> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
>> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
>> bytes
>> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
>> certificate found
>>
>> This is coupled with, as I create the ca key...
>> # ikectl ca vpn1 create
>> CA passphrase:
>> Retype CA passphrase:
>> [stuff-happens-and-inputs]
>> Getting Private key
>> Using configuration from /etc/ssl/openssl.cnf
>> variable lookup failed for ca::default_ca
>> 24387713617796:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> name=default_ca
>>
>> I've checked the mail logs for misc@ and found a person in August with
>> this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2
>>
>> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> Variable lookup still failed.
>>
>> Thank you for any help.

Reply via email to