[Freeipa-users] Re: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
Thanks. I posted the bug report. https://pagure.io/freeipa/issue/8106

-Kevin

> On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy wrote:
>
> On Mon, 28 Oct 2019, Kevin Vasko via FreeIPA-users wrote:
>>
>> Mainly looking for input on where to file a bug I think I found in
>> p11-kit-trust.so but potentially caused by the FreeIPA client install
>> process on Ubuntu.
>>
>> I have been trying to figure out a way of getting Ubuntu to load the
>> system-wide certs like CentOS/Fedora does. Alexander helped me
>> troubleshoot my issues on CentOS/Fedora and those systems work out of
>> the box (after I fixed my mistake
>> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg07903.html).
>> However, on Ubuntu you have to take it a slight step further by using
>> the p11-kit-trust.so manually, it seems.
>>
>> I found this link
>> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
>> that has a bug report that states you can just symlink the
>> p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>> (https://superuser.com/a/1312419/411058) and it would “just work”.
>>
>> Unfortunately, I was having trouble figuring out how to get it to work.
>> I spent a couple of days or so troubleshooting and trying to figure out
>> why it wasn’t working. Once I would do the symlink to the
>> p11-kit-trust.so, no certificates _at all_ would load in any browser
>> (Chrome/Firefox). If I removed the symlink and put the libnssckbi.so
>> file back, the browsers would go back to loading the static system-wide certs
>> (obviously the certs I included wouldn’t work). Eventually I ran across
>> this documentation from p11-kit to find out how to debug p11-kit:
>> https://p11-glue.github.io/p11-glue/trust-module.html
>>
>> I ran
>>
>> P11_KIT_DEBUG=all firefox
>>
>> With that log output I finally found something to point me in the
>> correct direction. Based on this log it seems like p11-kit is having
>> issues parsing the ca-certificates.crt file.
>>
>> $ P11_KIT_DEBUG=all firefox
>> (p11-kit:10001) p11_library_init_impl: initializing library
>> (p11-kit:10001) uninit_common: uninitializing library
>> (p11-kit:10057) p11_library_init_impl: initializing library
>> (p11-kit:10057) uninit_common: uninitializing library
>> (p11-kit:10001) p11_library_init_impl: initializing library
>> (p11-kit:10001) sys_C_Initialize: in
>> (p11-kit:10001) sys_C_Initialize: doing initialization
>> (p11-kit:10001) create_tokens_inlock: using paths: /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) p11_token_new: token: System Trust: /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) sys_C_Initialize: out: 0x0
>> (p11-kit:10001) sys_C_GetInfo: in
>> (p11-kit:10001) sys_C_GetInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotList: in
>> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotList: in
>> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotInfo: in
>> (p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetTokenInfo: in
>> (p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetMechanismList: in
>> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
>> (p11-kit:10001) sys_C_GetMechanismList: in
>> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
>> (p11-kit:10001) sys_C_OpenSession: in
>> (p11-kit:10001) sys_C_OpenSession: session: 17
>> (p11-kit:10001) sys_C_OpenSession: out: 0x0
>> (p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = CKO_NSS_BUILTIN_ROOT_LIST } ]
>> (p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
>> (p11-kit:10001) loader_load_file: failed to parse: /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
>> (p11-kit:10001) sys_C_FindObjects: in: 17, 1
>> (p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
>> (p11-kit:10001) sys_C_FindObjectsFinal: in
>> (p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0
>>
>> I looked at the ca-certificates.crt file.
>>
>> Nothing looked abnormal until I saw this…
>>
>> previous part of ca-certificates.crt
>>
>> # This file was created by IPA. Do not edit.
>>
>> [p11-kit-object-v1]
>> class: certificate
>> certificate-type: x-509
>> certificate-category: authority
>> label:
>> subject: ": "
>> issuer: ": "
>> serial-number: ""
>> x-public-key-info: ": "
>> trusted: true
>> -----BEGIN CERTIFICATE-----
>> …..
>> rest of ca-certificates.crt
>>
>> Once I removed the section above the “…BEGIN CERTIFICATE…” and after
>> the prior “END CERTIFICATE” everything started working
>> properly. I put it back and things broke again.
>>
>> So this indicates that p11-kit-trust.so isn’t parsing the
>> ca-certificates.crt file due to the information that the FreeIPA client
>> install put into the file.
>>
>> I am using the latest version that comes with Ubuntu 18.04 of
>> p11-kit-trust (0.23).
>>
>> So my question is, should this be a bug
[Freeipa-users] Re: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Mon, 28 Oct 2019, Kevin Vasko via FreeIPA-users wrote:
> Mainly looking for input on where to file a bug I think I found in
> p11-kit-trust.so but potentially caused by the FreeIPA client install
> process on Ubuntu.
>
> I have been trying to figure out a way of getting Ubuntu to load the
> system-wide certs like CentOS/Fedora does. Alexander helped me
> troubleshoot my issues on CentOS/Fedora and those systems work out of
> the box (after I fixed my mistake
> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg07903.html).
> However, on Ubuntu you have to take it a slight step further by using
> the p11-kit-trust.so manually, it seems.
>
> I found this link
> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
> that has a bug report that states you can just symlink the
> p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> (https://superuser.com/a/1312419/411058) and it would “just work”.
>
> Unfortunately, I was having trouble figuring out how to get it to work.
> I spent a couple of days or so troubleshooting and trying to figure out
> why it wasn’t working. Once I would do the symlink to the
> p11-kit-trust.so, no certificates _at all_ would load in any browser
> (Chrome/Firefox). If I removed the symlink and put the libnssckbi.so
> file back, the browsers would go back to loading the static system-wide certs
> (obviously the certs I included wouldn’t work). Eventually I ran across
> this documentation from p11-kit to find out how to debug p11-kit:
> https://p11-glue.github.io/p11-glue/trust-module.html
>
> I ran
>
> P11_KIT_DEBUG=all firefox
>
> With that log output I finally found something to point me in the
> correct direction. Based on this log it seems like p11-kit is having
> issues parsing the ca-certificates.crt file.
>
> $ P11_KIT_DEBUG=all firefox
> (p11-kit:10001) p11_library_init_impl: initializing library
> (p11-kit:10001) uninit_common: uninitializing library
> (p11-kit:10057) p11_library_init_impl: initializing library
> (p11-kit:10057) uninit_common: uninitializing library
> (p11-kit:10001) p11_library_init_impl: initializing library
> (p11-kit:10001) sys_C_Initialize: in
> (p11-kit:10001) sys_C_Initialize: doing initialization
> (p11-kit:10001) create_tokens_inlock: using paths: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) p11_token_new: token: System Trust: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) sys_C_Initialize: out: 0x0
> (p11-kit:10001) sys_C_GetInfo: in
> (p11-kit:10001) sys_C_GetInfo: out: 0x0
> (p11-kit:10001) sys_C_GetSlotList: in
> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
> (p11-kit:10001) sys_C_GetSlotList: in
> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
> (p11-kit:10001) sys_C_GetSlotInfo: in
> (p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
> (p11-kit:10001) sys_C_GetTokenInfo: in
> (p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
> (p11-kit:10001) sys_C_GetMechanismList: in
> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
> (p11-kit:10001) sys_C_GetMechanismList: in
> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
> (p11-kit:10001) sys_C_OpenSession: in
> (p11-kit:10001) sys_C_OpenSession: session: 17
> (p11-kit:10001) sys_C_OpenSession: out: 0x0
> (p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = CKO_NSS_BUILTIN_ROOT_LIST } ]
> (p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
> (p11-kit:10001) loader_load_file: failed to parse: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
> (p11-kit:10001) sys_C_FindObjects: in: 17, 1
> (p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
> (p11-kit:10001) sys_C_FindObjectsFinal: in
> (p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0
>
> I looked at the ca-certificates.crt file.
>
> Nothing looked abnormal until I saw this…
>
> previous part of ca-certificates.crt
>
> # This file was created by IPA. Do not edit.
>
> [p11-kit-object-v1]
> class: certificate
> certificate-type: x-509
> certificate-category: authority
> label:
> subject: ": "
> issuer: ": "
> serial-number: ""
> x-public-key-info: ": "
> trusted: true
> -----BEGIN CERTIFICATE-----
> …..
> rest of ca-certificates.crt
>
> Once I removed the section above the “…BEGIN CERTIFICATE…” and after
> the prior “END CERTIFICATE” everything started working
> properly. I put it back and things broke again.
>
> So this indicates that p11-kit-trust.so isn’t parsing the
> ca-certificates.crt file due to the information that the FreeIPA client
> install put into the file.
>
> I am using the latest version that comes with Ubuntu 18.04 of
> p11-kit-trust (0.23).
>
> So my question is, should this be a bug report to Ubuntu’s
> implementation of the FreeIPA client install that adds the certificate
> information, or should I file a bug report against the p11-kit module to
> have them fix the parsing issue?
>
> Any thoughts/suggestions?

ca-certificates(8) in Debian does not support the p11-kit format. However, the Debian adaptation of FreeIPA does not override the insert_ca_certs_into_systemwide_ca_store() method and thus the default one is used. It is a bug in FreeIPA, please open an issue for FreeIPA.

-- /
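The failure mode the thread diagnoses from the P11_KIT_DEBUG log and the file excerpt, as an added example that is not part of the thread and is not p11-kit's or FreeIPA's code: a small Python checker that models the rule the log message states (a PEM block appearing before the first [p11-kit-object-v1] header fails the whole file) and then does mechanically what was done by hand in the thread, separating the plain-PEM bundle from the IPA-written p11-kit section. The sample bundle, its placeholder PEM bodies, the label value and the one-PEM-block-per-section heuristic are assumptions of this example; the classification logic is inferred from the log line, not taken from p11-kit source.

```python
"""Model of the p11-kit trust-file rule that made ca-certificates.crt unreadable.

Added example for this thread, not p11-kit or FreeIPA code.  It mirrors what the
P11_KIT_DEBUG log reported: once a file carries a [p11-kit-object-v1] header it
is read in p11-kit's own persistence format, and a PEM block that comes before
the first header fails the whole file, so none of its certificates load.
SAMPLE_BUNDLE is constructed: two distro roots, then the kind of section the
IPA client install appended, then one more root; the PEM bodies are placeholders.
"""
import re
import sys

SECTION_HEADER = "[p11-kit-object-v1]"
PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]+-----$")
PEM_END = re.compile(r"^-----END [A-Z ]+-----$")

SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBdummyRootA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummyRootB==
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.

[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "EXAMPLE.TEST IPA CA"
trusted: true
-----BEGIN CERTIFICATE-----
MIIBdummyIpaCa==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummyRootC==
-----END CERTIFICATE-----
"""


def check_bundle(text):
    """Return (kind, problems); kind is "pem", "p11-kit" or "mixed".

    "mixed" is the state the thread found: headers present, but a PEM block
    comes before the first one.  problems lists those blocks by line number,
    in the wording p11-kit printed.
    """
    lines = text.splitlines()
    if not any(line.strip() == SECTION_HEADER for line in lines):
        return "pem", []          # plain bundle, no persistence format at all
    problems, seen_header = [], False
    for number, line in enumerate(lines, 1):
        s = line.strip()
        if s == SECTION_HEADER:
            seen_header = True
        elif PEM_BEGIN.match(s) and not seen_header:
            problems.append("line %d: %s: pem block before p11-kit section header"
                            % (number, s))
    return ("mixed" if problems else "p11-kit"), problems


def split_bundle(text):
    """Separate the plain-PEM bundle from the p11-kit object sections.

    Returns (pem_bundle, p11kit_file).  A section (header, attribute lines, the
    first PEM block after it, plus '#' comment lines directly before the header)
    goes to p11kit_file; every other PEM block goes unchanged to pem_bundle.
    Assumption: one PEM block per section, as in the IPA-written section above.
    """
    pem, p11, pending_comment = [], [], []
    in_section = in_pem = False   # in_section: header seen, its PEM not yet closed
    for line in text.splitlines():
        s = line.strip()
        if s == SECTION_HEADER:
            p11.extend(pending_comment + [line])
            pending_comment, in_section, in_pem = [], True, False
            continue
        if in_section:
            p11.append(line)
            if PEM_BEGIN.match(s):
                in_pem = True
            elif PEM_END.match(s) and in_pem:
                in_section = in_pem = False
            continue
        if PEM_BEGIN.match(s):
            in_pem, pending_comment = True, []   # comments before a plain block are dropped
        if in_pem:
            pem.append(line)
            if PEM_END.match(s):
                in_pem = False
        elif s.startswith("#"):
            pending_comment.append(line)
    return ("\n".join(pem) + "\n" if pem else ""), ("\n".join(p11) + "\n" if p11 else "")


if __name__ == "__main__":
    # Usage: python3 check_bundle.py [/etc/ssl/certs/ca-certificates.crt]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    kind, problems = check_bundle(source)
    print("bundle kind:", kind)
    print("\n".join(problems))
    if kind == "mixed":
        pem_bundle, p11kit_file = split_bundle(source)
        print("plain PEM blocks kept: %d, p11-kit sections split out: %d"
              % (pem_bundle.count("-----BEGIN "), p11kit_file.count(SECTION_HEADER)))
```

Run against the real bundle path, a "mixed" verdict with the same line-numbered message the log showed is the quick confirmation that the file is in the state the thread describes; both outputs of split_bundle come back as a single clean kind ("pem" and "p11-kit" respectively), which is the property the loader needs, since a plain ca-certificates(8) bundle on Debian is never expected to carry persistence headers.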