From b9dfa6923118ef7e04d94fe206919834c90915dd Mon Sep 17 00:00:00 2001
From: aleks-mariusz
Date: Mon, 6 Apr 2020 14:30:20 +0000
Subject: [PATCH] relax CA constraints for client (the client equivalent of PR #1675)
---
 roles/client/files/libstrongswan-relax-constraints.conf | 5 +++++
 roles/client/tasks/main.yml | 8 ++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 roles/client/files/libstrongswan-relax-constraints.conf
diff --git a/roles/client/files/libstrongswan-relax-constraints.conf b/roles/client/files/libstrongswan-relax-constraints.conf
new file mode 100644
index 0000000..26dc19a
--- /dev/null
+++ b/roles/client/files/libstrongswan-relax-constraints.conf
@@ -0,0 +1,5 @@
+libstrongswan {
+ x509 {
+ enforce_critical = no
+ }
+}
diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml
index a2be955..0678c49 100644
--- a/roles/client/tasks/main.yml
+++ b/roles/client/tasks/main.yml
@@ -53,6 +53,14 @@
 notify:
 - restart strongswan
+- name: Configure libstrongswan to relax CA constraints
+ copy:
+ src: libstrongswan-relax-constraints.conf
+ dest: /etc/strongswan/strongswan.d/relax-ca-constraints.conf
+ owner: root
+ group: root
+ mode: 0644
+
 - name: Setup the certificates and keys
 template:
 src: "{{ item.src }}"
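Review bot: The new roles/client/files/libstrongswan-relax-constraints.conf sets `enforce_critical = no` without any comment on why it is needed or how far it reaches. The option sits under `libstrongswan { x509 { … } }` and is not tied to a connection or a CA, so it presumably applies to every X.509 certificate this client parses: a certificate with a critical extension the parser does not understand would be accepted rather than discarded. I would add a header comment such as `# Do not discard certificates with unknown critical extensions (see PR #1675); applies to all X.509 parsing on this client`. If the role can tell which strongSwan versions need the relaxation, it would be safer to install the file only on those.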
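Review bot: The added `copy` task in roles/client/tasks/main.yml has no `notify`, so installing relax-ca-constraints.conf does not trigger the `restart strongswan` handler that the preceding task (visible only as context) notifies. A run that changes only this file would likely leave the daemon on its previous setting until something else restarts it; I would add `notify:` / `- restart strongswan` to the task. The destination `/etc/strongswan/strongswan.d/` is hard-coded, and if the role targets distributions that keep this directory elsewhere it should come from a variable, which I cannot confirm from the hunk. The neighbouring tasks start and end outside the hunk.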