IPsec tunnel cannot be established using libreswan due to a rejected certificate

Solution Verified - Updated -

Issue

  • The certificate is valid and has been issued by a trusted Root CA.
  • The trust chain in the NSS database is complete and valid.
  • The certificate fails verification with log messages similar to the following:

    16:52:31.757757 hostname pluto[XXXX]: "peer-hostname" #1: ERROR: Certificate type not approved for application.
    16:52:31.757935 hostname pluto[XXXX]: "peer-hostname" #1: X509: Certificate rejected for this connection
    16:52:31.758118 hostname pluto[XXXX]: "peer-hostname" #1: X509: CERT payload bogus or revoked
    16:52:31.758296 hostname pluto[XXXX]: "peer-hostname" #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.122:500
    

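As an added example, not part of the original article, the following Python snippet groups pluto messages per connection and state and reports the first ERROR line as the root cause, because the later "CERT payload bogus or revoked" line is generic and on its own tends to send an administrator chasing CRL/OCSP problems. The sample log is constructed from the lines quoted above (pid placeholder kept); the mapping of "Certificate type not approved for application" to NSS's SEC_ERROR_INADEQUATE_CERT_TYPE is my addition.

```python
import re

# Constructed sample, modelled on the pluto messages quoted in the Issue section
# (the pid placeholder XXXX is kept as on the page).
SAMPLE_LOG = """\
16:52:31.757757 hostname pluto[XXXX]: "peer-hostname" #1: ERROR: Certificate type not approved for application.
16:52:31.757935 hostname pluto[XXXX]: "peer-hostname" #1: X509: Certificate rejected for this connection
16:52:31.758118 hostname pluto[XXXX]: "peer-hostname" #1: X509: CERT payload bogus or revoked
16:52:31.758296 hostname pluto[XXXX]: "peer-hostname" #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.122:500
"""

# One pluto line: timestamp, host, pluto[pid], "connection" #state: message
PLUTO_RE = re.compile(
    r'^(?P<time>\S+) (?P<host>\S+) pluto\[(?P<pid>[^\]]*)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>\S+) to (?P<peer>\S+)')

# The first ERROR line carries the real reason; "bogus or revoked" is the generic follow-up.
# The string below is NSS's text for SEC_ERROR_INADEQUATE_CERT_TYPE (a cert usage/type check),
# not a revocation result.
ROOT_CAUSES = {
    "Certificate type not approved for application":
        "certificate usage/type not accepted for this application (NSS SEC_ERROR_INADEQUATE_CERT_TYPE)",
}


def diagnose(log_text):
    """Group pluto messages per (connection, state) and summarise why a CERT payload was rejected."""
    results = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        key = (m["conn"], int(m["state"]))
        entry = results.setdefault(key, {"cause": None, "rejected": False, "notification": None, "peer": None})
        msg = m["msg"]
        if msg.startswith("ERROR: "):
            reason = msg[len("ERROR: "):].rstrip(".")
            entry["cause"] = ROOT_CAUSES.get(reason, reason)   # keep the raw text for unknown reasons
        elif msg.startswith("X509: Certificate rejected"):
            entry["rejected"] = True
        else:
            n = NOTIFY_RE.search(msg)
            if n:
                entry["notification"], entry["peer"] = n["notify"], n["peer"]
    return results


if __name__ == "__main__":
    for (conn, state), info in diagnose(SAMPLE_LOG).items():
        print(f'{conn} #{state}: rejected={info["rejected"]} cause={info["cause"]} '
              f'-> {info["notification"]} to {info["peer"]}')
```
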
Environment

  • Red Hat Enterprise Linux 7
  • libreswan, nss
