[Freeipa-users] Re: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Kevin Vasko via FreeIPA-users
Thanks.

I posted the bug report.

https://pagure.io/freeipa/issue/8106

-Kevin

> On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy wrote:
> 
> On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote:
>> 
>> 
>> Mainly looking for input on where to file a bug I think I found in
>> p11-kit-trust.so but potentially caused by the FreeIPA client install
>> process on Ubuntu.
>> 
>> I have been trying to figure out a way of getting Ubuntu to load the
>> system wide certs like CentOS/Fedora does. Alexander helped me
>> troubleshoot my issues on CentOS/Fedora and those system work out of
>> the box (after I fixed my mistake
>> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg07903.html).
>> However, on Ubuntu you have to take it a slight step further by using
>> the p11-kit-trust.so manually it seems.
>> 
>> I found this link
>> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
>> that has a bug report that states you can just symlink the
>> p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>> https://superuser.com/a/1312419/411058 and it would “just work”.
>> 
>> Unfortunately, I was having trouble figuring out how to get it to work.
>> I spent a couple days or so troubleshooting and trying to figure out
>> why it wasn’t working. Once I would do the symlink to the
>> p11-kit-trust.so, no certificates _at all_ would load in any browser
>> (chrome/firefox). If I removed the symlink and put the libnssckbi.so
>> file the browsers would go back to loading the static system wide certs
>> (obviously the certs I included wouldn’t work). Eventually I ran across
>> this documentation from p11-kit to find out how to debug p11-kit.
>> https://p11-glue.github.io/p11-glue/trust-module.html
>> 
>> I ran
>> 
>> P11_KIT_DEBUG=all firefox
>> 
>> With that log output I finally found something to point me in the
>> correct direction. Based on this log it seems like p11-kit is having
>> issues parsing the ca-certificates.crt file.
>> 
>> $ P11_KIT_DEBUG=all firefox
>> (p11-kit:10001) p11_library_init_impl: initializing library
>> (p11-kit:10001) uninit_common: uninitializing library
>> (p11-kit:10057) p11_library_init_impl: initializing library
>> (p11-kit:10057) uninit_common: uninitializing library
>> (p11-kit:10001) p11_library_init_impl: initializing library
>> (p11-kit:10001) sys_C_Initialize: in
>> (p11-kit:10001) sys_C_Initialize: doing initialization
>> (p11-kit:10001) create_tokens_inlock: using paths: 
>> /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) p11_token_new: token: System Trust: 
>> /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) sys_C_Initialize: out: 0x0
>> (p11-kit:10001) sys_C_GetInfo: in
>> (p11-kit:10001) sys_C_GetInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotList: in
>> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotList: in
>> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
>> (p11-kit:10001) sys_C_GetSlotInfo: in
>> (p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetTokenInfo: in
>> (p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
>> (p11-kit:10001) sys_C_GetMechanismList: in
>> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
>> (p11-kit:10001) sys_C_GetMechanismList: in
>> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
>> (p11-kit:10001) sys_C_OpenSession: in
>> (p11-kit:10001) sys_C_OpenSession: session: 17
>> (p11-kit:10001) sys_C_OpenSession: out: 0x0
>> (p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = 
>> CKO_NSS_BUILTIN_ROOT_LIST } ]
>> (p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before 
>> p11-kit section header
>> (p11-kit:10001) loader_load_file: failed to parse: 
>> /etc/ssl/certs/ca-certificates.crt
>> (p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
>> (p11-kit:10001) sys_C_FindObjects: in: 17, 1
>> (p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
>> (p11-kit:10001) sys_C_FindObjectsFinal: in
>> (p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0
>> 
>> 
>> I looked at the ca-certificates.crt file
>> 
>> Nothing looked abnormal until I saw this…
>> 
>> previous part of ca-certificates.crt
>> 
>> 
>> # This file was created by IPA. Do not edit.
>> 
>> [p11-kit-object-v1]
>> class: certificate
>> certificate-type: x-509
>> certificate-category: authority
>> label: 
>> subject: ": "
>> issuer: ": "
>> serial-number: ""
>> x-public-key-info: ": "
>> trusted: true
>> --BEGIN CERTIFICATE--
>> …..
>> rest of ca-certificates.crt 
>> 
>> Once I removed the section above the “…BEGIN CERTIFICATE…” and after
>> the prior “END CERTIFICATE” everything started working
>> properly. I put it back and things broke again.
>> 
>> So this indicates that p11-kit-trust.so isn’t parsing the
>> ca-certificate.crt file due to the information that the FreeIPA client
>> install put into the file.
>> 
>> I am using the latest version that comes with Ubuntu 18.04 of
>> p11-kit-trust (0.23).
>> 
>> So my question is, should this be a bug 

[Freeipa-users] Re: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Alexander Bokovoy via FreeIPA-users

On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote:



Mainly looking for input on where to file a bug I think I found in
p11-kit-trust.so but potentially caused by the FreeIPA client install
process on Ubuntu.

I have been trying to figure out a way of getting Ubuntu to load the
system wide certs like CentOS/Fedora does. Alexander helped me
troubleshoot my issues on CentOS/Fedora and those system work out of
the box (after I fixed my mistake
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg07903.html).
However, on Ubuntu you have to take it a slight step further by using
the p11-kit-trust.so manually it seems.

I found this link
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
that has a bug report that states you can just symlink the
p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
https://superuser.com/a/1312419/411058 and it would “just work”.

Unfortunately, I was having trouble figuring out how to get it to work.
I spent a couple days or so troubleshooting and trying to figure out
why it wasn’t working. Once I would do the symlink to the
p11-kit-trust.so, no certificates _at all_ would load in any browser
(chrome/firefox). If I removed the symlink and put the libnssckbi.so
file the browsers would go back to loading the static system wide certs
(obviously the certs I included wouldn’t work). Eventually I ran across
this documentation from p11-kit to find out how to debug p11-kit.
https://p11-glue.github.io/p11-glue/trust-module.html

I ran

P11_KIT_DEBUG=all firefox

With that log output I finally found something to point me in the
correct direction. Based on this log it seems like p11-kit is having
issues parsing the ca-certificates.crt file.

$ P11_KIT_DEBUG=all firefox
(p11-kit:10001) p11_library_init_impl: initializing library
(p11-kit:10001) uninit_common: uninitializing library
(p11-kit:10057) p11_library_init_impl: initializing library
(p11-kit:10057) uninit_common: uninitializing library
(p11-kit:10001) p11_library_init_impl: initializing library
(p11-kit:10001) sys_C_Initialize: in
(p11-kit:10001) sys_C_Initialize: doing initialization
(p11-kit:10001) create_tokens_inlock: using paths: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) p11_token_new: token: System Trust: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) sys_C_Initialize: out: 0x0
(p11-kit:10001) sys_C_GetInfo: in
(p11-kit:10001) sys_C_GetInfo: out: 0x0
(p11-kit:10001) sys_C_GetSlotList: in
(p11-kit:10001) sys_C_GetSlotList: out: 0x0
(p11-kit:10001) sys_C_GetSlotList: in
(p11-kit:10001) sys_C_GetSlotList: out: 0x0
(p11-kit:10001) sys_C_GetSlotInfo: in
(p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
(p11-kit:10001) sys_C_GetTokenInfo: in
(p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
(p11-kit:10001) sys_C_GetMechanismList: in
(p11-kit:10001) sys_C_GetMechanismList: out: 0x0
(p11-kit:10001) sys_C_GetMechanismList: in
(p11-kit:10001) sys_C_GetMechanismList: out: 0x0
(p11-kit:10001) sys_C_OpenSession: in
(p11-kit:10001) sys_C_OpenSession: session: 17
(p11-kit:10001) sys_C_OpenSession: out: 0x0
(p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = 
CKO_NSS_BUILTIN_ROOT_LIST } ]
(p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before 
p11-kit section header
(p11-kit:10001) loader_load_file: failed to parse: 
/etc/ssl/certs/ca-certificates.crt
(p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
(p11-kit:10001) sys_C_FindObjects: in: 17, 1
(p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
(p11-kit:10001) sys_C_FindObjectsFinal: in
(p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0


I looked at the ca-certificates.crt file

Nothing looked abnormal until I saw this…

previous part of ca-certificates.crt


# This file was created by IPA. Do not edit.

[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: 
subject: ": "
issuer: ": "
serial-number: ""
x-public-key-info: ": "
trusted: true
--BEGIN CERTIFICATE--
…..
rest of ca-certificates.crt 

Once I removed the section above the “…BEGIN CERTIFICATE…” and after
the prior “END CERTIFICATE” everything started working
properly. I put it back and things broke again.

So this indicates that p11-kit-trust.so isn’t parsing the
ca-certificate.crt file due to the information that the FreeIPA client
install put into the file.

I am using the latest version that comes with Ubuntu 18.04 of
p11-kit-trust (0.23).

So my question is, should this be a bug report to Ubuntu’s
implementation of the FreeIPA client install that adds the certificate
information or should I file a bug report against the p11-kit module to
have them fix the parsing issue?

Any thoughts/suggestions?


ca-certificates(8) in Debian does not support p11-kit format.
However, the Debian adaptation of FreeIPA does not override the
insert_ca_certs_into_systemwide_ca_store() method and thus a default one
is used. It is a bug in FreeIPA, please open an issue for FreeIPA.


--
/
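As an added example (not code from this thread, from p11-kit or from FreeIPA), a small Python check for the condition the debug log above reports: a PEM block sitting ahead of a [p11-kit-object-v1] header in /etc/ssl/certs/ca-certificates.crt. It also splits the p11-kit stanza out of the plain PEM bundle. The sample bundle, its label and the certificate bodies are constructed placeholders.

```python
import re

# Constructed sample mirroring the thread: a plain PEM bundle as Debian's
# ca-certificates(8) concatenates it, followed by the p11-kit persist stanza
# FreeIPA's default installer appended. Certificate bodies are placeholders.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderDebianRootCA
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.
[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "EXAMPLE.TEST IPA CA"
trusted: true
-----BEGIN CERTIFICATE-----
MIIBplaceholderIpaCA
-----END CERTIFICATE-----
"""

SECTION_RE = re.compile(r"^\[p11-kit-object-v\d+\]$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def check_bundle(text):
    """Return (line_number, message) findings for a ca-certificates.crt file.
    A [p11-kit-object-v1] header makes p11-kit read the whole file in persist
    format, so a PEM block before the first header is the 'pem block before
    p11-kit section header' failure from the debug log."""
    findings, seen_section, seen_pem = [], False, False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if SECTION_RE.match(line):
            if seen_pem and not seen_section:
                findings.append((lineno, "PEM block precedes first p11-kit "
                                 "section header: p11-kit rejects the file"))
            findings.append((lineno, "p11-kit persist stanza in PEM bundle"))
            seen_section = True
        elif line == PEM_BEGIN:
            seen_pem = True
    return findings


def split_bundle(text):
    """Split a mixed file into (plain PEM part, p11-kit persist part)."""
    lines = text.splitlines(keepends=True)
    for idx, line in enumerate(lines):
        if SECTION_RE.match(line.strip()):
            return "".join(lines[:idx]), "".join(lines[idx:])
    return text, ""
```

Running check_bundle over the real file before and after a FreeIPA client install shows whether the installer wrote a persist stanza into the Debian bundle; the persist part returned by split_bundle is the piece that does not belong in ca-certificates.crt.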