Has anyone already figured out how to, or knows whether it's possible to, get iked working with letsencrypt certs? (Or indeed any CA with chain certs?)
Use case: "standard" clients (Windows/iOS/StrongSwan), EAP auth, not particularly technical users, so I'm trying to avoid the need for them to manually install certs. Most of it should be straightforward (at least for FQDN): the server cert has a SAN. I think the main issue is due to the chain cert.

If I place only the "CN=Let's Encrypt Authority X3" in iked/ca/ca.crt, iked doesn't start up properly ("unable to get issuer certificate" for my own cert and "unable to get local issuer certificate" for the LE CA). If I place only the "DST Root CA X3" in ca.crt I get "did not find subjectAltName" and "no valid local certificate found". If I place both the CA and chain certs in ca.crt it looks like it starts up OK:

    ca_reload: loaded ca file ca.crt
    ca_reload: loaded crl file ca.crl
    ca_reload: /O=Digital Signature Trust Co./CN=DST Root CA X3
    ca_reload: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ca_reload: loaded 2 ca certificates
    ca_reload: loaded cert file blahblahblah.com.crt

but then actually connecting fails (at least from strongswan; I need to dig out the other test devices again..).
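The three ca.crt variants tried in the post (intermediate only, root only, root plus intermediate) can be reproduced outside iked with a throw-away chain and `openssl verify`, which is the same kind of check that produces the "unable to get issuer certificate" and "unable to get local issuer certificate" messages. The script below is an added example, not code from the post or from OpenBSD; it assumes an `openssl` binary (1.1.1 or 3.x) is installed, and every name in it (Demo Root CA, Demo Intermediate X1, vpn.example.test) is made up for the demo.

```shell
#!/bin/sh
# Added example: build a local root -> intermediate -> leaf chain and show how
# verification of the leaf depends on which certificates the CA bundle holds.
# All subjects and hostnames here are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical helper: issue a certificate.
#   $1 subject, $2 extension file, $3 base name, then either "--self"
#   (self-signed root) or the issuer's cert and key.
issue() {
  subj=$1; ext=$2; name=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "$subj" 2>/dev/null
  if [ "$1" = "--self" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -out "$name.crt" \
      -days 30 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
      -out "$name.crt" -days 30 -extfile "$ext" 2>/dev/null
  fi
}

# CA certificates need basicConstraints CA:TRUE and keyCertSign, otherwise
# verification rejects them as issuers; the leaf carries a DNS SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > leaf.ext

issue "/O=Demo Trust Co./CN=Demo Root CA" ca.ext root --self
issue "/O=Demo CA/CN=Demo Intermediate X1" ca.ext inter root.crt root.key
issue "/CN=vpn.example.test" leaf.ext vpn inter.crt inter.key

# The three bundle layouts the post tried, in the same order.
cp inter.crt only_inter.pem
cp root.crt only_root.pem
cat root.crt inter.crt > root_and_inter.pem

# Returns 0 when LEAF ($2) chains up to a self-signed root present in BUNDLE ($1).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the certificate carries a subjectAltName extension.
has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'
}

for bundle in only_inter.pem only_root.pem root_and_inter.pem; do
  if chain_verifies "$bundle" vpn.crt; then
    echo "$bundle: leaf verifies"
  else
    echo "$bundle: $(openssl verify -CAfile "$bundle" vpn.crt 2>&1 | head -n 1)"
  fi
done
has_san vpn.crt && echo "vpn.crt: subjectAltName present"
```

Only the root-plus-intermediate bundle verifies: with the intermediate alone the verifier cannot reach a self-signed trust anchor, and with the root alone it cannot find the leaf's direct issuer. `openssl verify -CAfile only_root.pem -untrusted inter.crt vpn.crt` also succeeds, which is the position a peer is in when the intermediate is supplied alongside the leaf rather than pre-installed, so the SAN check and the bundle layout are worth confirming on the server before testing clients.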