On 2021-10-06 12:22 p.m., Simon Deziel wrote:
On 2021-10-06 12:08 p.m., Philip Veale wrote:
I hadn't tried that, but tried, didn't change anything. I noticed things
specifically related to StrongSWAN aren't working since the update to
Bullseye and swanctl is not a recognised command. StrongSWAN is installed
via apt, version 5.9.1-1

swanctl doesn't exist as a command and there is no service called
strongswan anymore. I'm not sure how weird that is.

swanctl lives in a different package. The strongswan unit got renamed to strongswan-starter.

Just been trawling more logs and spotted something else which should be a
massive clue;

Oct  6 16:43:55 VPN-Server charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission denied
Oct  6 16:43:55 VPN-Server charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Oct  6 16:43:55 VPN-Server charon: 00[CFG]   loading private key from '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed


So yeah it looks like it's a simple permissions issue, I'm guessing the
dist upgrade has changed the user the service runs as and that uid doesn't
have read access to the privkey. I should have thought of that. For some
reason I thought it just ran as root.

Oh.. so no, it does run as root, but it's AppArmor interfering with Charon
apparently - the PEM files are created by certbot with symlinks (from
'live' to 'archive') as it rotates through and creates new ones, keeping
the old; the newest versions are always symlinked.

Debian Stretch didn't have AppArmor but it's been enabled by default in
Debian since Buster. So yeah, the dist-upgrade kinda broke things.

Thanks to Simon Deziel in this old thread from years ago;
https://lists.strongswan.org/pipermail/users/2017-February/010537.html


I've not quite yet figured out how I want to fix it (there are a few
options) but at least I know why it does not work.


At first glance, I'd add "#include <abstractions/ssl_keys>" to charon's profile. Would you mind testing this for me (as root):

Oops, here's the corrected version:

# append the include to charon's local AppArmor override (here-doc, not a file named EOF)
cat <<EOF >> /etc/apparmor.d/local/usr.lib.ipsec.charon
#include <abstractions/ssl_keys>
EOF
# reload the profile into the kernel, then restart charon
apparmor_parser -rTW /etc/apparmor.d/usr.lib.ipsec.charon
systemctl restart strongswan-starter

Simon
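As an added example (not code from the thread or from the strongSwan project), a few POSIX sh helpers for the diagnosis and fix described above: pull the denied path out of charon's log, resolve the certbot live -> archive symlink so you know which real path AppArmor mediated, and append the ssl_keys include to charon's local override only once so re-running is safe. The profile path and the demo log line are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the charon
# "opening ... failed: Permission denied" case: find the denied path,
# resolve the certbot symlink, and make the local-profile edit idempotent.

# Print each path charon failed to open with "Permission denied", one per line.
charon_denied_paths() {
    sed -n "s/.*charon: .*opening '\([^']*\)' failed: Permission denied.*/\1/p"
}

# Resolve a certbot 'live' symlink to its 'archive' target, which is the
# path AppArmor actually checks on open(). Prints nothing if it does not exist.
resolve_cert_path() {
    readlink -f "$1" 2>/dev/null || true
}

# Append the include line to a local AppArmor override exactly once.
# Returns 0 if the line was added, 1 if it was already present.
add_ssl_keys_include() {
    local_profile=$1
    include_line='#include <abstractions/ssl_keys>'
    if [ -f "$local_profile" ] && grep -qxF "$include_line" "$local_profile"; then
        return 1
    fi
    printf '%s\n' "$include_line" >> "$local_profile"
    return 0
}

# Constructed demo input: the Permission denied line from the thread.
demo_log="Oct  6 16:43:55 VPN-Server charon: 00[LIB]   opening '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem' failed: Permission denied"
printf '%s\n' "$demo_log" | charon_denied_paths | while read -r p; do
    echo "denied: $p -> $(resolve_cert_path "$p")"
done
```

On the real host, feed charon's log to charon_denied_paths, then call add_ssl_keys_include on /etc/apparmor.d/local/usr.lib.ipsec.charon and reload and restart as in the snippet above.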
