Strongswan OCSP and CRL check are failing... "no capable fetcher found"

[belerofon]

Hi all

i have the following Situation:
- Setting up an IPSec with X509 Cert
- IPSec working and is up but in logs I can see CRL and OCSP Check are failing due to "no capable fetcher found"
- CURL to OCSP and CRL from Opnsense working correctly

from Strongswan Logs:

Code: [Select]

<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="215"] 09[CFG] <5> selected peer config "con3"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="216"] 09[CFG] <con3|5>   using certificate "C=DE, ST=BW, xxxxx"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="217"] 09[CFG] <con3|5>   using trusted intermediate ca certificate "C=DE, ST=BW, xxxxx"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="218"] 09[CFG] <con3|5>   using trusted ca certificate "C=DE, ST=BW, xxxxx"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="219"] 09[CFG] <con3|5>   reached self-signed root ca with a path length of 1
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="220"] 09[CFG] <con3|5> checking certificate status of "C=DE, ST=BW, xxxxx"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="221"] 09[CFG] <con3|5>   requesting ocsp status from 'http://xxxxx:8080' ...
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="222"] 09[LIB] <con3|5> unable to fetch from http://xxxxx:8080, no capable fetcher found
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="223"] 09[CFG] <con3|5> ocsp request to http://xxxxx:8080 failed
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="224"] 09[CFG] <con3|5> ocsp check failed, fallback to crl
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="225"] 09[CFG] <con3|5>   fetching crl from 'http://xxxxx/intermediate.crl.pem' ...
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="226"] 09[LIB] <con3|5> unable to fetch from http://xxxxx/intermediate.crl.pem, no capable fetcher found
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="227"] 09[CFG] <con3|5> crl fetching failed
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="228"] 09[CFG] <con3|5> certificate status is not available
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="229"] 09[CFG] <con3|5> checking certificate status of "C=DE, ST=BW, xxxxx"
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="230"] 09[CFG] <con3|5>   fetching crl from 'http://xxxxx/ca.crl.pem' ...
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="231"] 09[LIB] <con3|5> unable to fetch from http://xxxxx/ca.crl.pem, no capable fetcher found
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="232"] 09[CFG] <con3|5> crl fetching failed
<30>1 2023-05-03T11:07:27+02:00 pve-fwxxxxx charon 91423 - [meta sequenceId="233"] 09[CFG] <con3|5> certificate status is not available


what i also have seen from swanctl --stats or ipsec statusall I can see that following modules are loaded:

Code: [Select]

loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters


Here I missed the curl module from strongswan-mod-curl.


Is anyone aware of this Issue? Maybe any developer around