StrongSwan IPsec VPN - IKEv2 - Let's Encrypt certificate problem (building CRED_PRIVATE_KEY - RSA failed, tried 10 builders)
I followed the link below to set up an IKEv2 VPN with Strongswan and Let's Encrypt on CentOS 7.
How to set up an IKEv2 VPN with Strongswan and Let's Encrypt on CentOS 7
But the information at that link is out of date.
My Let's Encrypt commands are these:
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m [email protected]
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
or
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone --force
sudo yum -y install psmisc
sudo fuser 80/tcp
sudo yum -y install lsof
sudo lsof -i tcp:80
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
~/.acme.sh/acme.sh --installcert -d my_domain.com --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status
After running these commands there are 4 files on my CentOS 7 VPS:
my_domain.com.cer
my_domain.com.key
ca.cer
fullchain.cer
First of all, I really don't know which file should go in the certs folder, which in the cacerts folder, and which in the private folder.
I just did this:
sudo cp /root/.acme.sh/my_domain.com/fullchain.cer /etc/strongswan/ipsec.d/certs/
sudo cp /root/.acme.sh/my_domain.com/ca.cer /etc/strongswan/ipsec.d/cacerts/
sudo cp /root/.acme.sh/my_domain.com/my_domain.com.key /etc/strongswan/ipsec.d/private/
sudo cp /root/cert.crt /etc/strongswan/ipsec.d/cacerts/
sudo tree /etc/strongswan/ipsec.d/
Did I put these files in the right folders?
Now let's look at the StrongSwan configuration:
nano -K /etc/strongswan/ipsec.conf
#global configuration IPsec
#chron logger
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
#define new ipsec connection
conn hakase-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@my_domain.com
leftcert=fullchain.cer
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.15.1.0/24
rightdns=1.1.1.1,8.8.8.8
rightsendcert=never
eap_identity=%identity
Here is the secrets file:
nano -K /etc/strongswan/ipsec.secrets
: RSA "my_doman.com.key"
temp : EAP "123"
Here is the StrongSwan status after starting it:
[root@art_300 ~]# systemctl status strongswan -l
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2024-01-14 21:17:03 +0330; 11s ago
Main PID: 2056 (starter)
CGroup: /system.slice/strongswan.service
├─2056 /usr/libexec/strongswan/starter --daemon charon --nofork
└─2098 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
Jan 14 21:17:03 art_300.buzz systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz strongswan[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.105.1.el7.x86_64, x86_64)
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[JOB] spawning 16 worker threads
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: charon (2098) started after 60 ms
Jan 14 21:17:03 art_300.buzz strongswan[2056]: charon (2098) started after 60 ms
As you know, that link has been removed and is out of date.
Now tell me what I did wrong and how to fix it:
building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Apparently, with the recent developments in SSL that dropped vulnerable algorithms like a hot potato, your private key may not be an RSA key at all. Try verifying it with the following OpenSSL command:
openssl rsa -in <yourprivkey>.pem
If you get an error like
Not an RSA key
then you are out of luck with Let's Encrypt, and I suggest you set up StrongSwan following these instructions: How to set up a StrongSwan server with IKEv2 on Ubuntu. Following that document, I got AlmaLinux 9/ARM working with a macOS client a few hours ago. Now I'm going to enable the legacy crypto policy for OpenSSL and try again with Let's Encrypt, but I'm not too optimistic about the result.
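An added check that belongs to neither the question nor the answer above: recent acme.sh releases issue ECC keys by default (`--keylength 2048` requests an RSA key instead), and strongSwan's `: RSA "file"` line in ipsec.secrets hands the file only to the RSA key builders, which is exactly the failure in the log. An EC key has to be declared as `: ECDSA "file"`. The Python below classifies a PEM private key from its PEM label or, for a PKCS#8 "BEGIN PRIVATE KEY" file, from the algorithm OID in its AlgorithmIdentifier, then prints the matching ipsec.secrets line. It uses no third-party libraries, so it runs on a bare CentOS 7 box. The function names `pem_key_type` and `ipsec_secrets_line` and the sample PEM blobs are this example's own; the samples are constructed PKCS#8 framing around dummy bytes, not real keys.

```python
import base64
import re
import sys

# Algorithm OIDs found in a PKCS#8 AlgorithmIdentifier
OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey
OID_P256 = "1.2.840.10045.3.1.7"   # prime256v1 (only used to build the sample)


def _der(tag, body):
    """Minimal DER TLV encoder, short-form length only (enough for the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    """Dotted OID string -> DER OID content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_key_type(pem_text):
    """Classify a PEM private key as 'RSA' or 'ECDSA' (the ipsec.secrets tags),
    'ENCRYPTED' for a password-protected PKCS#8 key, or 'UNKNOWN:<label or oid>'."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----(.*?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":      # PKCS#1, what acme.sh writes for RSA keys
        return "RSA"
    if label == "EC PRIVATE KEY":       # SEC1, what acme.sh writes for its default EC keys
        return "ECDSA"
    if label == "ENCRYPTED PRIVATE KEY":
        return "ENCRYPTED"
    if label != "PRIVATE KEY":
        return "UNKNOWN:" + label
    # PKCS#8: SEQUENCE { INTEGER version, AlgorithmIdentifier, OCTET STRING privateKey, ... }
    der = base64.b64decode("".join(body.split()))
    _, outer, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(outer, 0)         # skip the version INTEGER
    _, alg, _ = _read_tlv(outer, pos)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)           # its first element is the algorithm OID
    dotted = _decode_oid(oid)
    return {OID_RSA: "RSA", OID_EC: "ECDSA"}.get(dotted, "UNKNOWN:" + dotted)


def ipsec_secrets_line(key_file, key_type):
    """The ipsec.secrets entry for a key file placed in /etc/strongswan/ipsec.d/private/."""
    if key_type not in ("RSA", "ECDSA"):
        raise ValueError("cannot write an ipsec.secrets line for key type " + key_type)
    return ': %s "%s"' % (key_type, key_file)


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples: correct PKCS#8 framing around 8 dummy key bytes (not real keys).
SAMPLE_EC_PKCS8 = _pem("PRIVATE KEY", _der(0x30,
    _der(0x02, b"\x00")
    + _der(0x30, _der(0x06, _encode_oid(OID_EC)) + _der(0x06, _encode_oid(OID_P256)))
    + _der(0x04, b"\x00" * 8)))
SAMPLE_RSA_PKCS8 = _pem("PRIVATE KEY", _der(0x30,
    _der(0x02, b"\x00")
    + _der(0x30, _der(0x06, _encode_oid(OID_RSA)) + _der(0x05, b""))
    + _der(0x04, b"\x00" * 8)))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_EC_PKCS8
    name = path.rsplit("/", 1)[-1] if path else "my_domain.com.key"
    kind = pem_key_type(text)
    print("key type:", kind)
    print("ipsec.secrets:", ipsec_secrets_line(name, kind))
```

Run it against the installed key, e.g. `python3 keytype.py /etc/strongswan/ipsec.d/private/my_domain.com.key`. If it reports ECDSA, either change the ipsec.secrets entry to `: ECDSA "my_domain.com.key"` so charon hands the file to its EC builders, or re-issue with `acme.sh --issue -d my_domain.com --standalone --keylength 2048 --force` to get an RSA key that the existing `: RSA` line can load. In both cases the file name in the quotes must match the file in ipsec.d/private exactly.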