strongswan / strongswan

strongSwan - IPsec-based VPN
https://www.strongswan.org

strongswan scepclient error parsing distinguished name #1842

Closed thrdgeek closed 1 year ago

thrdgeek commented 1 year ago

Discussed in https://github.com/strongswan/strongswan/discussions/1827

Originally posted by **thrdgeek** August 2, 2023

I have Ubuntu Jammy with the following packages installed: libc6, debconf, build-essential, libgmp-dev, libunbound-dev, libldns-dev, libldns-dev, libcurl4-openssl-dev, libcurl4-openssl-dev, network-manager-strongswan, libunbound-dev, pwgen, libstrongswan, network-manager-strongswan, strongswan-charon, strongswan-nm, libstrongswan-extra-plugins, libstrongswan-standard-plugins, strongswan-pki, strongswan-scepclient, strongswan-starter

I am attempting to enroll a client certificate with the following string:

```
ipsec scepclient --url http://${SCEPSERVER}/CertSrv/mscep/mscep.dll \
  -k 2048 -f -p ${CHALLENGE} \
  --dn "C=${COUNTRY}, S=${STATE}, L=${LOCALITY}, O=${ORGANIZATION}, OU=${ORGANIZATIONALUNIT}, CN=${HOSTNAME}" \
  --subjectAltName dns=${HOSTNAME} \
  --in pkcs1=/etc/ipsec.d/private/privatekey.pem \
  --out cert=/etc/ipsec.d/certs/$HOSTNAME.der \
  --in cacert-enc=caCert-ra-1.der \
  --in cacert-sig=caCert-ra-2.der \
  --debug 4
```

The error returned is:

```
error: parsing of distinguished name
```

I use this same solution with Ubuntu Xenial, Bionic & Focal. I suspect there is a package missing but I can't seem to identify it.
strongX509 commented 1 year ago

The error is generated by the identification_create_from_string() function

https://github.com/strongswan/strongswan/blob/5.9.5/src/scepclient/scepclient.c#L1121

and I don't think that any Ubuntu strongSwan package is missing. Could you call scepclient with the --debug 2 option so that the actual DN being parsed is printed out?

thrdgeek commented 1 year ago

The dn printed is:

```
dn: 'C=US, S=Michigan, L=Detroit, O={company}, OU=Ubuntu, CN=USFRYLNCNGLHP45'
error: parsing of distinguished name failed
```

The values match the declared variables.

thrdgeek commented 1 year ago

To add, this is the same script that has worked on prior releases of Ubuntu.

strongX509 commented 1 year ago

Problem detected :-) You have erroneously been using S= for State, which up to strongSwan 5.9.2 was actually the identifier assigned to Surname but was changed to SN= in January 2021 with the following commit: https://github.com/strongswan/strongswan/commit/d8e4a2a777e1c047f79cf5340d8339d0d980c9fc.

As a consequence, strongSwan 5.9.5, used by Ubuntu Jammy, is faulting on the now nonexistent S= identifier.

Fix: In your script use the correct ST= identifier that has always been assigned to State.
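A pre-flight check for the DN string before it is handed to scepclient, added here as an example and not part of this thread or of strongSwan itself: it parses the RFC 4514-style string into RDNs, flags the S= identifier the thread pins down as the cause, and rewrites it to ST=. The accepted-type set is an assumption built from the identifiers named in this thread plus a few RFC 4514 short names, not strongSwan's own attribute table.

```python
import re

# Allow-list for this check (an assumption of the example, not strongSwan's own table):
# the RDN short names the thread confirms (C, ST, L, O, OU, CN, SN) plus the
# RFC 4514 short names STREET, DC and UID.
ACCEPTED_TYPES = {"C", "ST", "L", "O", "OU", "CN", "SN", "STREET", "DC", "UID"}

# Identifiers 5.9.5 rejects, mapped to what the script author most likely meant:
# S= was Surname until 5.9.2 and is SN= since; State has always been ST=.
LEGACY_HINTS = {"S": "ST"}

def parse_dn(dn):
    """Split an RFC 4514-style DN into (TYPE, value) pairs. Backslash-escaped commas
    in values are honoured; '+' multi-valued RDNs are not. ValueError if an RDN lacks '='."""
    rdns = []
    for raw in re.split(r"(?<!\\),", dn):
        raw = raw.strip()
        if not raw:
            continue
        if "=" not in raw:
            raise ValueError("RDN %r has no '='" % raw)
        attr_type, value = raw.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def check_dn(dn):
    """Return a list of problems; empty means every attribute type is accepted."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for attr_type, value in rdns:
        if attr_type in ACCEPTED_TYPES:
            continue
        if attr_type in LEGACY_HINTS:
            problems.append("%s=%s: %s= is not accepted; use %s= for State"
                            % (attr_type, value, attr_type, LEGACY_HINTS[attr_type]))
        else:
            problems.append("%s=%s: unknown attribute type" % (attr_type, value))
    return problems

def fix_dn(dn):
    """Rewrite legacy identifiers (S= -> ST=) and re-serialise the DN."""
    fixed = [(LEGACY_HINTS.get(t, t), v) for t, v in parse_dn(dn)]
    return ", ".join("%s=%s" % (t, v.replace(",", "\\,")) for t, v in fixed)
```

Running `check_dn` on the DN from the --debug 2 output above reports the S= entry and nothing else; `fix_dn` returns the same DN with ST= in its place.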

thrdgeek commented 1 year ago

Wow, such a subtle change. Why the change, just curious? I guess I will need to build logic to detect the release and use the appropriate options. Thanks.

thrdgeek commented 1 year ago

It appears the 'SN' is supported in version 5.8.2 for Focal also.

strongX509 commented 1 year ago

Using the correct identifier ST= for State works for all strongSwan versions.

thrdgeek commented 1 year ago

Thank you. I don't know where I got the use of SN from.