Mainly looking for input on where to file a bug I think I found in 
p11-kit-trust.so but potentially caused by the FreeIPA client install process 
on Ubuntu.
 
I have been trying to figure out a way of getting Ubuntu to load the system 
wide certs like CentOS/Fedora does. Alexander helped me troubleshoot my issues 
on CentOS/Fedora and those systems work out of the box (after I fixed my mistake 
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg07903.html).
 However, on Ubuntu you have to take it a slight step further by using the 
p11-kit-trust.so manually it seems.
 
I found this link 
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285 that has 
a bug report that states you can just symlink the p11-kit-trust.so to the 
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so 
https://superuser.com/a/1312419/411058 and it would "just work".
 
Unfortunately, I was having trouble figuring out how to get it to work. I spent 
a couple days or so troubleshooting and trying to figure out why it wasn’t 
working. Once I would do the symlink to the p11-kit-trust.so, no certificates 
_at all_ would load in any browser (chrome/firefox). If I removed the symlink 
and put the libnssckbi.so file the browsers would go back to loading the static 
system wide certs (obviously the certs I included wouldn’t work). Eventually I 
ran across this documentation from p11-kit to find out how to debug p11-kit. 
https://p11-glue.github.io/p11-glue/trust-module.html
 
I ran 
 
P11_KIT_DEBUG=all firefox 
 
With that log output I finally found something to point me in the correct 
direction. Based on this log it seems like p11-kit is having issues parsing the 
ca-certificates.crt file.
 
$ P11_KIT_DEBUG=all firefox
(p11-kit:10001) p11_library_init_impl: initializing library
(p11-kit:10001) uninit_common: uninitializing library
(p11-kit:10057) p11_library_init_impl: initializing library
(p11-kit:10057) uninit_common: uninitializing library
(p11-kit:10001) p11_library_init_impl: initializing library
(p11-kit:10001) sys_C_Initialize: in
(p11-kit:10001) sys_C_Initialize: doing initialization
(p11-kit:10001) create_tokens_inlock: using paths: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) p11_token_new: token: System Trust: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) sys_C_Initialize: out: 0x0
(p11-kit:10001) sys_C_GetInfo: in
(p11-kit:10001) sys_C_GetInfo: out: 0x0
(p11-kit:10001) sys_C_GetSlotList: in
(p11-kit:10001) sys_C_GetSlotList: out: 0x0
(p11-kit:10001) sys_C_GetSlotList: in
(p11-kit:10001) sys_C_GetSlotList: out: 0x0
(p11-kit:10001) sys_C_GetSlotInfo: in
(p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
(p11-kit:10001) sys_C_GetTokenInfo: in
(p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
(p11-kit:10001) sys_C_GetMechanismList: in
(p11-kit:10001) sys_C_GetMechanismList: out: 0x0
(p11-kit:10001) sys_C_GetMechanismList: in
(p11-kit:10001) sys_C_GetMechanismList: out: 0x0
(p11-kit:10001) sys_C_OpenSession: in
(p11-kit:10001) sys_C_OpenSession: session: 17
(p11-kit:10001) sys_C_OpenSession: out: 0x0
(p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = 
CKO_NSS_BUILTIN_ROOT_LIST } ]
(p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before 
p11-kit section header
(p11-kit:10001) loader_load_file: failed to parse: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
(p11-kit:10001) sys_C_FindObjects: in: 17, 1
(p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
(p11-kit:10001) sys_C_FindObjectsFinal: in
(p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0
 
 
I looked at the ca-certificates.crt file 
 
Nothing looked abnormal until I saw this…
 
----previous part of ca-certificates.crt----
 
 
# This file was created by IPA. Do not edit.
 
[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: <removed>
subject: ": <removed>"
issuer: ": <removed>"
serial-number: "<removed>"
x-public-key-info: ": <removed>"
trusted: true
-----BEGIN CERTIFICATE-----
…..
----rest of ca-certificates.crt ----
 
Once I removed the section above the "...BEGIN CERTIFICATE..." and after the prior 
"-----END CERTIFICATE-----" everything started working properly. I put it back 
and things broke again.

So this indicates that p11-kit-trust.so isn't parsing the ca-certificates.crt 
file due to the information that the FreeIPA client install put into the file.
 
I am using the latest version that comes with Ubuntu 18.04 of p11-kit-trust 
(0.23).
 
So my question is, should this be a bug report to Ubuntu’s implementation of 
the FreeIPA client install that adds the certificate information or should I 
file a bug report against the p11-kit module to have them fix the parsing issue?
 
Any thoughts/suggestions?
 
-Kevin
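Added example, not p11-kit's or FreeIPA's code and not part of the post above: a small Python checker that applies the ordering rule the debug log points at (a PEM block appearing before the first [p11-kit-object-v1] header), reports the offending line, and strips the attribute lines the way the manual fix in the post did. The rule itself is an assumption drawn from the log message, and the sample bundle is constructed.

```python
import re

# Assumed rule (from the post's debug log): once '[p11-kit-object-v1]' appears
# anywhere, PEM blocks before the first header are rejected; none: plain PEM.
SECTION_HEADER = "[p11-kit-object-v1]"
PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]+-----$")

# Constructed sample: plain bundle, then the IPA attribute section and its cert.
SAMPLE_BROKEN = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
    "# This file was created by IPA. Do not edit.\n"
    "[p11-kit-object-v1]\n"
    "label: Example IPA CA\n"
    "trusted: true\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedNotARealCertificateEither==\n"
    "-----END CERTIFICATE-----\n"
)


def check_bundle(text):
    """Return (line_number, message) for each PEM block p11-kit would reject."""
    lines = text.splitlines()
    if not any(line.strip() == SECTION_HEADER for line in lines):
        return []  # no header anywhere: ordinary PEM bundle, nothing to flag
    problems, seen_header = [], False
    for num, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped == SECTION_HEADER:
            seen_header = True
        elif PEM_BEGIN.match(stripped) and not seen_header:
            problems.append((num, "pem block before p11-kit section header"))
    return problems


def strip_p11kit_sections(text):
    """Drop each header and its 'key: value' lines but keep the certificates."""
    kept, skipping = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == SECTION_HEADER:
            skipping = True  # swallow attribute lines until the next PEM block
            continue
        if skipping and PEM_BEGIN.match(stripped):
            skipping = False
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + "\n"
```

Running check_bundle over /etc/ssl/certs/ca-certificates.crt reproduces the log's complaint without starting a browser, and a bundle that begins with the header (attribute format throughout) passes as valid.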
 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org