IPsec tunnel cannot be established using libreswan due to a rejected certificate
Issue
- The certificate is valid and has been issued by a trusted Root CA.
- The trust chain in the NSS database is complete and valid.
- The certificate fails verification with log messages similar to the following:

  16:52:31.757757 hostname pluto[XXXX]: "peer-hostname" #1: ERROR: Certificate type not approved for application.
  16:52:31.757935 hostname pluto[XXXX]: "peer-hostname" #1: X509: Certificate rejected for this connection
  16:52:31.758118 hostname pluto[XXXX]: "peer-hostname" #1: X509: CERT payload bogus or revoked
  16:52:31.758296 hostname pluto[XXXX]: "peer-hostname" #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.122:500
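The four pluto lines above are the signature to look for when triaging this failure. The following is an added example, not part of this article or of libreswan: a small Python parser that walks pluto log lines, groups them by connection name and state number, and reports only those states in which one of the three certificate-rejection messages appeared, together with the notification sent to the peer. The log format assumed is exactly the one shown above (time, host, `pluto[pid]:`, quoted connection name, `#state:`, message); the sample lines are constructed from the article's output plus one unrelated line that the parser must ignore.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Shape of a libreswan pluto line as it appears in the Issue section above:
#   16:52:31.757757 hostname pluto[XXXX]: "peer-hostname" #1: <message>
PLUTO_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+'
    r'(?P<host>\S+)\s+'
    r'pluto\[(?P<pid>[^\]]*)\]:\s+'
    r'"(?P<conn>[^"]+)"\s+#(?P<state>\d+):\s+'
    r'(?P<msg>.*)$'
)

# "sending encrypted notification <TYPE> to <ip>:<port>"
NOTIFY_RE = re.compile(
    r'sending (?:encrypted )?notification (?P<type>[A-Z_]+) to (?P<peer>\S+)'
)

# The three messages the article shows for a rejected peer certificate.
CERT_REJECT_MARKERS = (
    "Certificate type not approved for application",
    "Certificate rejected for this connection",
    "CERT payload bogus or revoked",
)


@dataclass
class PlutoEvent:
    time: str
    host: str
    conn: str
    state: int
    msg: str


@dataclass
class RejectionSummary:
    markers: List[str] = field(default_factory=list)
    notification: Optional[str] = None
    peer: Optional[str] = None


def parse_pluto_line(line: str) -> Optional[PlutoEvent]:
    """Parse one pluto line; return None for lines that are not state-scoped pluto messages."""
    m = PLUTO_RE.match(line.strip())
    if m is None:
        return None
    return PlutoEvent(m["time"], m["host"], m["conn"], int(m["state"]), m["msg"])


def find_cert_rejections(lines: Iterable[str]) -> Dict[Tuple[str, int], RejectionSummary]:
    """Group events by (connection, state) and keep only states with a cert-rejection marker.

    A notification line on its own is not treated as evidence of a certificate
    problem; it is recorded only when a marker was seen for the same state.
    """
    grouped: Dict[Tuple[str, int], RejectionSummary] = {}
    for line in lines:
        ev = parse_pluto_line(line)
        if ev is None:
            continue
        summary = grouped.setdefault((ev.conn, ev.state), RejectionSummary())
        for marker in CERT_REJECT_MARKERS:
            if marker in ev.msg:
                summary.markers.append(marker)
        n = NOTIFY_RE.search(ev.msg)
        if n:
            summary.notification = n["type"]
            summary.peer = n["peer"]
    return {key: s for key, s in grouped.items() if s.markers}


# Constructed sample: the four lines from the Issue section, plus one unrelated
# line (not from the article) for a second state that carries no rejection marker.
SAMPLE_LOG = [
    '16:52:31.757757 hostname pluto[XXXX]: "peer-hostname" #1: ERROR: Certificate type not approved for application.',
    '16:52:31.757935 hostname pluto[XXXX]: "peer-hostname" #1: X509: Certificate rejected for this connection',
    '16:52:31.758118 hostname pluto[XXXX]: "peer-hostname" #1: X509: CERT payload bogus or revoked',
    '16:52:31.758296 hostname pluto[XXXX]: "peer-hostname" #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.122:500',
    '16:52:32.000000 hostname pluto[XXXX]: "other-peer" #2: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:500',
]

if __name__ == "__main__":
    for (conn, state), s in find_cert_rejections(SAMPLE_LOG).items():
        print(f'{conn} #{state}: peer certificate rejected ({len(s.markers)} markers); '
              f'notification {s.notification} sent to {s.peer}')
```

Run against a real `/var/log/secure` or `journalctl -u ipsec` export, the only state reported is the one whose certificate NSS refused; the `other-peer` entry in the sample is dropped because INVALID_ID_INFORMATION without a preceding X509 message is not, by itself, a certificate rejection.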
Environment
- Red Hat Enterprise Linux 7
- libreswan
- nss