On Sunday, May 10, 2020 1:32:14 PM CDT Alexander Bokovoy wrote:
> On Sat, 09 May 2020, Anthony Joseph Messina via FreeIPA-users wrote:
> >On Saturday, May 9, 2020 3:17:25 PM CDT Anthony Joseph Messina via FreeIPA-users wrote:
> >> After upgrading FreeIPA from F31 to F32, on startup I now see a lot of
> >> these errors from certmonger, ns-slapd, java, etc.
> >>
> >> May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> >> May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> >> May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> >> May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> >>
> >> The server seems to come up without issue, but can you point me in the
> >> right direction to resolve these errors?
> >>
> >> freeipa-server-4.8.6-1.fc32.x86_64
> >> opendnssec-2.1.6-5.fc32.x86_64
> >> opencryptoki-3.13.0-1.fc32.x86_64
> >>
> >> I've installed a fresh F32 freeipa-server (on a test domain) and I don't
> >> see these errors.
> >
> >I've tracked this to a difference in the crypto-policies package -- the F31
> >version contains the p11-kit-proxy stuff whereas the F32 version does not.
> >
> ># F31: /etc/crypto-policies/back-ends/nss.config
> >library=
> >name=Policy
> >NSS=flags=policyOnly,moduleDB
> >config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
> >
> >name=p11-kit-proxy
> >library=p11-kit-proxy.so
> >
> ># F32: /etc/crypto-policies/back-ends/nss.config
> >library=
> >name=Policy
> >NSS=flags=policyOnly,moduleDB
> >config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
> >
> >I'm not sure whether removing the p11-kit-proxy related stuff from
> >/etc/crypto-policies/back-ends/nss.config is the right thing to do, but
> >the errors go away after that.
>
> p11-kit-proxy simplifies configuration of HSM modules -- it
> automatically proxies HSM modules configured in the system.
>
> Either through crypto-policies before F32 or with nss package in F32,
> nss library configures to import HSM modules through p11-kit proxy
> automatically. In F32 nss installs
> /etc/crypto-policies/local.d/nss-p11-kit.config which contains the
> configuration that imports p11 kit automatically.
>
> Since opendnssec uses SoftHSM, SoftHSM package is installed and it is
> automatically loaded into all applications using nss libraries, unless
> they are specifically configured to ignore p11-kit-proxy.
>
> On a new install, FreeIPA creates /etc/pkcs11/modules/softhsm2.module
> that disables import of SoftHSM module through p11-kit-proxy. This was
> done with ticket https://pagure.io/freeipa/issue/7810 in FreeIPA 4.8.0,
> about a year ago. I guess your installation was older than F31.
Thank you Alexander for the guidance. I have removed/backed up the
/etc/crypto-policies/local.d/nss-p11-kit.config and regenerated the
configuration via update-crypto-policies --set on my F32 FreeIPA servers.

Oddly, I did (and do) have the following file in place:

# cat /etc/pkcs11/modules/softhsm2.module
# created by IPA installer
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy

But that didn't make a difference to the errors until I removed
/etc/crypto-policies/local.d/nss-p11-kit.config

--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
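Added example, not part of the thread and not code from FreeIPA, p11-kit or crypto-policies: a small POSIX shell audit of the two things the discussion turns on, namely which p11-kit module files opt out of p11-kit-proxy with a "disable-in:" line (so which token modules would still be proxied into every NSS consumer), and whether an NSS module-DB config still carries a library=p11-kit-proxy.so entry. It runs against constructed sample files in a temporary directory so it works offline; the softhsm2.module contents are the ones shown in the thread, while example-hsm.module, libexample-hsm.so and the trimmed nss-f31/nss-f32 configs are assumptions made up for illustration. On a real host, point the functions at /etc/pkcs11/modules and /etc/crypto-policies/back-ends/nss.config instead.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/p11-kit).
# Audits p11-kit module opt-outs and NSS proxy loading using
# constructed sample files; see the comments on each input below.

# Return 0 when the p11-kit module file $1 names p11-kit-proxy in a
# "disable-in:" line (values are comma separated), 1 otherwise.
module_disabled_in_proxy() {
    sed -n 's/^[[:space:]]*disable-in:[[:space:]]*//p' "$1" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -qx 'p11-kit-proxy'
}

# Print, one per line, the module names in directory $1 that are NOT
# hidden from p11-kit-proxy and so get loaded into every NSS consumer.
modules_visible_to_proxy() {
    for f in "$1"/*.module; do
        [ -f "$f" ] || continue
        module_disabled_in_proxy "$f" || basename "$f" .module
    done
}

# Return 0 when the NSS module-DB config $1 loads the p11-kit proxy.
nss_config_loads_proxy() {
    grep -Eq '^[[:space:]]*library[[:space:]]*=[[:space:]]*p11-kit-proxy\.so' "$1"
}

# --- constructed sample input (not copied from any host) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
mkdir -p "$workdir/modules"

# The opt-out file the thread shows FreeIPA writing.
cat > "$workdir/modules/softhsm2.module" <<'EOF'
# created by IPA installer
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy
EOF

# A hypothetical second token module with no opt-out line.
cat > "$workdir/modules/example-hsm.module" <<'EOF'
module: /usr/lib64/pkcs11/libexample-hsm.so
EOF

# NSS config in the F31 shape from the thread (proxy entry present),
# with the long config= policy line omitted for brevity...
cat > "$workdir/nss-f31.config" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB

name=p11-kit-proxy
library=p11-kit-proxy.so
EOF

# ...and in the F32 shape (proxy entry absent).
cat > "$workdir/nss-f32.config" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB
EOF

# Report for the reader.
echo "modules still visible to p11-kit-proxy:"
modules_visible_to_proxy "$workdir/modules" | sed 's/^/  /'
for cfg in nss-f31 nss-f32; do
    if nss_config_loads_proxy "$workdir/$cfg.config"; then
        echo "$cfg.config: loads p11-kit-proxy.so"
    else
        echo "$cfg.config: does not load p11-kit-proxy.so"
    fi
done
```

With these inputs the report lists only example-hsm as still visible to the proxy, which is the situation the thread describes for opencryptoki: a module with no disable-in line is handed to every NSS-linked process as soon as the proxy itself is loaded, so a per-module opt-out like FreeIPA's softhsm2.module only helps for the modules that carry it, and the proxy entry in the NSS config decides whether any of them are loaded at all.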