StrongSwan IPSec VPN - IKEv2 - LetsEncrypt certificate problem (building CRED_PRIVATE_KEY - RSA failed, tried 10 builders)

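I followed the link below to set up an IKEv2 VPN using Strongswan and Let's encrypt on CentOS 7.
How to set up an IKEv2 VPN using Strongswan and Let's encrypt on CentOS 7
But the information at that link is deprecated.
My Let's encrypt commands are as follows: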

curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m [email protected]
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
or
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone --force
sudo yum -y install psmisc
sudo fuser 80/tcp
sudo yum -y install lsof
sudo lsof -i tcp:80
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
~/.acme.sh/acme.sh --installcert -d my_domain.com --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status

After running these commands, I have 4 files on my CentOS 7 VPS.

my_domain.com.cer  
my_domain.com.key   
ca.cer   
fullchain.cer

First of all, I really don't know which file I should put in which certificate folder and which file I should put in the private folder.
I just did this:

sudo cp /root/.acme.sh/my_domain.com/fullchain.cer /etc/strongswan/ipsec.d/certs/

sudo cp /root/.acme.sh/my_domain.com/ca.cer /etc/strongswan/ipsec.d/cacerts/

sudo cp /root/.acme.sh/my_domain.com/my_domain.com.key /etc/strongswan/ipsec.d/private/

sudo cp /root/cert.crt /etc/strongswan/ipsec.d/cacerts/

sudo tree /etc/strongswan/ipsec.d/

Did I put these files in the correct folders?

Now let's look at the StrongSwan configuration:

nano -K /etc/strongswan/ipsec.conf

#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@my_domain.com
    leftcert=fullchain.cer
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity

Here is the secrets file:

nano -K /etc/strongswan/ipsec.secrets

: RSA "my_doman.com.key"
temp : EAP "123"

Here is the status after StrongSwan starts:

[root@art_300 ~]# systemctl status strongswan -l
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2024-01-14 21:17:03 +0330; 11s ago
 Main PID: 2056 (starter)
   CGroup: /system.slice/strongswan.service
           ├─2056 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─2098 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

Jan 14 21:17:03 art_300.buzz systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz strongswan[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.105.1.el7.x86_64, x86_64)
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[JOB] spawning 16 worker threads
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: charon (2098) started after 60 ms
Jan 14 21:17:03 art_300.buzz strongswan[2056]: charon (2098) started after 60 ms

As you know, that link is deprecated and outdated.
Now tell me what I did wrong and how to fix it:

building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
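
Added example, not part of the original post: two things about a private-key entry can be checked from the shell, namely whether the name in ipsec.secrets resolves to a readable file in the private directory, and whether that file's PEM header matches the `RSA`/`ECDSA` token on the line. The function names `check_secrets` and `demo` are hypothetical, the key files are constructed header-only stand-ins (the post does not show the real key's type), and resolving relative names against the directory passed as the second argument is an assumption of this script.

```sh
#!/bin/sh
# Added example (not from the original post): compare ipsec.secrets key
# entries with the files in the private-key directory.

# Usage: check_secrets <ipsec.secrets> <private dir>
# Prints one line per ': RSA|ECDSA <file>' entry: "<token> <file> <verdict>".
check_secrets() (
    secrets=$1; private_dir=$2
    sed -nE 's/^[^#:]*:[[:space:]]*(RSA|ECDSA)[[:space:]]+"?([^"[:space:]]+).*/\1 \2/p' "$secrets" |
    while read -r token file; do
        # Assumption: relative names are resolved against the private dir.
        case $file in /*) path=$file ;; *) path=$private_dir/$file ;; esac
        if [ ! -r "$path" ]; then
            echo "$token $file MISSING"
            continue
        fi
        # The first PEM private-key header in the file shows the encoding.
        header=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$path")
        case $header in
            *'BEGIN RSA PRIVATE KEY'*)       kind=RSA ;;
            *'BEGIN EC PRIVATE KEY'*)        kind=ECDSA ;;
            *'BEGIN ENCRYPTED PRIVATE KEY'*) kind=ENCRYPTED-PKCS8 ;;
            *'BEGIN PRIVATE KEY'*)           kind=PKCS8 ;;  # algorithm not in header
            *)                               kind=UNKNOWN ;;
        esac
        if [ "$kind" = "$token" ]; then
            echo "$token $file OK"
        else
            echo "$token $file CHECK($kind)"
        fi
    done
)

# Constructed sample: header-only stand-ins for key files, plus a secrets
# file with a name that has no matching file, a token that differs from the
# key header, and one consistent entry. The EAP line is skipped.
demo() (
    d=$(mktemp -d) && mkdir "$d/private" || exit 1
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' > "$d/private/my_domain.com.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/private/rsa.example.key"
    printf '%s\n' ': RSA "my_doman.com.key"' ': RSA "my_domain.com.key"' \
        ': RSA rsa.example.key' 'temp : EAP "123"' > "$d/ipsec.secrets"
    check_secrets "$d/ipsec.secrets" "$d/private"
    rm -rf "$d"
)
demo
```

On the server from the post, the equivalent call would be `check_secrets /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.d/private`; a `CHECK(PKCS8)` verdict means the header alone does not reveal the key algorithm.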
