Description of problem:
OVS IPsec functionality does not work with libreswan when using self-signed certificates.

When configuring OVS to use self-signed certificates for IPsec encryption, "ovs-pki" sets the CN of the cert to the name specified as part of the ovs-pki command: `ovs-pki req -u <name>`. However, when the "ovs-monitor-ipsec" daemon loads certificates and keys into libreswan, it prefixes the cert nickname with "ovs_cert" and "ovs_certkey" respectively, which can be seen by running the command:

$ sudo certutil -d sql:/etc/ipsec.d -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_host_2                                           u,u,u
ovs_cert_host_1                                              P,P,P

This causes libreswan to fail when it tries to establish a tunnel with an error of the type:

pluto[1790412]: Failed to add connection "tun-1" with invalid "left" certificate
pluto[1790412]: failed to find certificate named 'host_2' in the NSS database

How reproducible:
Always

Steps to Reproduce:
Follow the tutorial at https://docs.openvswitch.org/en/latest/tutorials/ipsec/ using the section "2: Using self-signed certificate:"

Actual results:
Traffic is not encrypted.

Expected results:
Traffic is encrypted.
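As an added diagnostic (not part of this bug report or of the OVS/libreswan code), the snippet below parses `certutil -L` output and reports whether the name a libreswan connection references (`leftcert=<name>`) exists in the NSS database as-is, or only under the `ovs_cert_`/`ovs_certkey_` prefix that ovs-monitor-ipsec adds, which is the mismatch behind the "failed to find certificate named" error above. The certutil listing embedded in it is constructed after the one quoted in the report.

```python
import re

# Constructed sample of `certutil -d sql:/etc/ipsec.d -L` output, laid out like
# the listing quoted in the bug report (not captured from a real host).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_host_2                                           u,u,u
ovs_cert_host_1                                              P,P,P
"""

# Prefixes ovs-monitor-ipsec prepends to the nickname when it imports a
# certificate (ovs_cert_) or a certificate-plus-key pair (ovs_certkey_) into NSS.
OVS_PREFIXES = ("ovs_certkey_", "ovs_cert_")

# A data row is "<nickname>  <trust flags>": the flags column holds only
# trust-flag letters and commas (e.g. "u,u,u", "P,P,P", "CT,,"), so the header
# lines "Trust Attributes" and "SSL,S/MIME,JAR/XPI" never match.
ROW_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw,]+)\s*$")


def parse_certutil_list(text):
    """Return {nickname: trust_flags} for every data row of `certutil -L` output."""
    nicknames = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            nicknames[m.group(1).rstrip()] = m.group(2)
    return nicknames


def resolve_nickname(nicknames, leftcert):
    """Classify how libreswan's `leftcert=<leftcert>` resolves against the NSS DB.

    Returns ("ok", nick) when the exact nickname exists, ("prefixed", nick) when
    only an ovs_cert_/ovs_certkey_ copy exists (the mismatch in this report),
    and ("missing", None) when nothing matches.
    """
    if leftcert in nicknames:
        return ("ok", leftcert)
    for prefix in OVS_PREFIXES:
        if prefix + leftcert in nicknames:
            return ("prefixed", prefix + leftcert)
    return ("missing", None)


if __name__ == "__main__":
    nicks = parse_certutil_list(SAMPLE_CERTUTIL_OUTPUT)
    for name in ("host_1", "host_2", "host_3"):
        status, nick = resolve_nickname(nicks, name)
        print(f"leftcert={name}: {status}" + (f" (found as {nick})" if nick else ""))
```

On a real host, feed it the output of `sudo certutil -d sql:/etc/ipsec.d -L` and the `leftcert`/`rightcert` values from the generated libreswan connection; a "prefixed" result is the signature of the bug described here.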
https://patchwork.ozlabs.org/project/openvswitch/patch/20201221114225.4150401-1-mark.d.gray@redhat.com/
https://patchwork.ozlabs.org/project/openvswitch/patch/20201224125938.1485867-1-mark.d.gray@redhat.com/
openvswitch is openvswitch 2.9... changing component to openvswitch2.13 (I also checked and it's already fixed on v2.15.0)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2083