Bug 1216564

Summary: Missing directory /usr/share/ca-certificates for charon
Product: [openSUSE] openSUSE Distribution
Reporter: Rodrigo Gonçalves <keitarobr>
Component: Network
Assignee: Mohd Saquib <mohd.saquib>
Status: RESOLVED WONTFIX
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: bojan+suse, keitarobr
Version: Leap 15.5
Flags: mohd.saquib: needinfo? (keitarobr)
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Leap 15.5
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Rodrigo Gonçalves 2023-10-25 13:23:14 UTC
charon-nm is looking for certificates at /usr/share/ca-certificates, but this directory does not exist.

Thus it can't validate a valid certificate for an IPSec/IKEv2 VPN server (does not find the GlobalSign root certificates).

I solved the issue by issuing the following command:

sudo ln -s /var/lib/ca-certificates/pem /usr/share/ca-certificates

Comment 1 Chenzi Cao 2023-11-29 03:45:38 UTC
Hi Bjørn, would you please help to take a look at this issue? I'm not sure whether it is correct to assign it to you, please feel free to reassign whenever necessary, thanks.

Comment 2 Bjørn Lie 2023-11-29 11:12:50 UTC
(In reply to Chenzi Cao from comment #1)
> Hi Bjørn, would you please help to take a look at this issue? I'm not sure
> whether it is correct to assign it to you, please feel free to reassign
> whenever necessary, thanks.

Fairly sure this comes from Strongswan-nm

-> moving to Strongswan bugowner

Comment 3 Mohd Saquib 2023-12-13 07:39:51 UTC
Hi,
Could you please provide a reproducer for this? I will try to reproduce it locally

Comment 4 Mohd Saquib 2024-01-04 08:10:12 UTC
ping

Comment 5 Rodrigo Gonçalves 2024-01-04 11:01:24 UTC
Hi, since this is a VPN server we can't provide a test login due to our policies.

I'm going to set up a test server using a similar certificate for testing purposes in the next two weeks. Is there a way to send the information privately?

Comment 6 Mohd Saquib 2024-01-04 11:14:57 UTC
You can email it to me at my work email, I suppose

Comment 7 Mohd Saquib 2024-01-30 08:50:30 UTC
Hi,
Any progress on recreating the setup?

Comment 8 Mohd Saquib 2024-02-19 09:50:23 UTC
I'm assuming this bug is not an issue anymore? Please let me know if it's still the case. I'll go ahead and close it if there's no response in a few days time.

Comment 9 Rodrigo Gonçalves 2024-02-19 17:56:09 UTC
(In reply to Mohd Saquib from comment #8)
> I'm assuming this bug is not an issue anymore? Please let me know if it's
> still the case. I'll go ahead and close it if there's no response in a few
> days time.

Dear Mohd Saquib,

sorry for the late response. I couldn't allocate the resources for a test server.

Thus you can close this bug if you can't reproduce and we will keep instructing our users to do the manual fix we mentioned.

Comment 10 Mohd Saquib 2024-02-20 06:52:32 UTC
Thanks. I'll close it for now.

Comment 11 B Nikolic 2024-07-04 12:27:10 UTC
I came across this bug using MicroOS.

The issue is that strongswan has a configure option --with-nm-ca-dir (see documentation https://docs.strongswan.org/docs/5.9/features/networkManager.html) which, if not otherwise set, defaults to /usr/share/ca-certificates, which seems not to be the right place for SUSE.

Should be fixable by adding

--with-nm-ca-dir=/var/lib/ca-certificates/pem

to the configure section of strongswan.spec, e.g. somewhere around line 306 of https://build.opensuse.org/projects/openSUSE:Leap:15.5:Update/packages/strongswan/files/strongswan.spec?expand=1.

I hope that helps. I don't have a test server or anything to try this, but analysis of the source code suggests this is the root cause.
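A shell check, added here as an example (it is not part of the bug report or of the strongswan package), that tells you whether the CA directory charon-nm was built with (the --with-nm-ca-dir path) actually resolves to a directory holding PEM certificates, which is the condition the symlink workaround above restores. The directory is passed as an argument; the sample files used below are constructed for the demonstration.

```shell
#!/bin/sh
# check_ca_dir DIR
# Reports whether DIR (the path charon-nm uses to validate the VPN
# server's certificate chain) exists and holds PEM certificates.
# Exit status: 0 = usable, 1 = missing (or dangling symlink), 2 = empty.
check_ca_dir() {
    dir=$1
    # -d follows symlinks, so a dangling link to a removed store
    # is reported as missing, exactly like the absent default path.
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (charon-nm cannot validate server certificates)"
        return 1
    fi
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Count only files that carry a PEM certificate block.
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            n=$((n + 1))
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "empty: $dir contains no PEM certificates"
        return 2
    fi
    # Show where a symlinked directory really points (the workaround case).
    echo "ok: $dir -> $(readlink -f "$dir") holds $n PEM certificate(s)"
    return 0
}

# Demonstration on constructed directories (the real paths from the bug
# would be /usr/share/ca-certificates and /var/lib/ca-certificates/pem).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n' \
        > "$tmp/pem/constructed-root.pem"
    ln -s "$tmp/pem" "$tmp/link"          # same shape as the symlink workaround
    check_ca_dir "$tmp/absent"; echo "rc=$?"
    check_ca_dir "$tmp/link";   echo "rc=$?"
    rm -rf "$tmp"
}
```

Running `demo` prints the "missing" line with rc=1 for the absent directory and the "ok" line with rc=0 for the symlinked one.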